hxxp://freesnippingtool[.]com

Analysis

max time kernel
278s
max time network
281s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://freesnippingtool.com

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	Free Snipping Tool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	updater.exe

Executes dropped EXE 6 IoCs

pid	Process
4016	Free Snipping Tool.exe
220	updater.exe
2140	updater.exe
4632	Free Snipping Tool.exe
5416	updater.exe
6108	updater.exe

Loads dropped DLL 26 IoCs

pid	Process
3128	MsiExec.exe
3128	MsiExec.exe
3128	MsiExec.exe
3128	MsiExec.exe
3128	MsiExec.exe
3128	MsiExec.exe
3128	MsiExec.exe
4080	MsiExec.exe
4080	MsiExec.exe
4080	MsiExec.exe
4080	MsiExec.exe
4080	MsiExec.exe
4080	MsiExec.exe
4080	MsiExec.exe
4016	Free Snipping Tool.exe
3128	MsiExec.exe
4632	Free Snipping Tool.exe
5804	MsiExec.exe
5804	MsiExec.exe
5804	MsiExec.exe
5804	MsiExec.exe
5804	MsiExec.exe
5804	MsiExec.exe
5804	MsiExec.exe
5804	MsiExec.exe
5804	MsiExec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Free Snipping Tool = "\"C:\\Users\\Admin\\AppData\\Roaming\\Free Snipping Tool\\App\\Free Snipping Tool.exe\" \"/autoStart\""	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Free Snipping Tool Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\Free Snipping Tool\\App\\updater.exe\" \"/silentall\" \"-nofreqcheck\" \"-nogui\""	msiexec.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
123	3676	msiexec.exe
125	3676	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI12C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2B4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3DF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8661.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8916.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4F.tmp	msiexec.exe
File created	C:\Windows\Installer\e59ff28.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A82.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICD.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{4550EAA1-0259-4456-8397-D033C7A8181C}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI876E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI87EC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\e59ff26.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI872F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A12.tmp	msiexec.exe
File created	C:\Windows\Installer\e59ff26.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID38.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI86DF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI870F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8946.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A71.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3AF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICE9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICAA.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000d5ff6f19a5757d540000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d5ff6f190000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d5ff6f19000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd5ff6f19000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d5ff6f1900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133653446192633293"	chrome.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\Local Settings	updater.exe
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\BrightData\b77cf2bb62ce2b412a461159d601ba4895e98beb\lum_sdk_session_id:LUM:$DATA	Free Snipping Tool.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3576	chrome.exe
3576	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
4972	msiexec.exe
4972	msiexec.exe
4016	Free Snipping Tool.exe
4016	Free Snipping Tool.exe
4016	Free Snipping Tool.exe
4016	Free Snipping Tool.exe
2692	msedge.exe
2692	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
4972	msiexec.exe
4972	msiexec.exe
5412	identity_helper.exe
5412	identity_helper.exe
680	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe

Suspicious use of SendNotifyMessage 49 IoCs

pid	Process
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
4016	Free Snipping Tool.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 1020	3576	chrome.exe	83
PID 3576 wrote to memory of 1020	3576	chrome.exe	83
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 3668	3576	chrome.exe	84
PID 3576 wrote to memory of 4232	3576	chrome.exe	85
PID 3576 wrote to memory of 4232	3576	chrome.exe	85
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86
PID 3576 wrote to memory of 4288	3576	chrome.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://freesnippingtool.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb9234cc40,0x7ffb9234cc4c,0x7ffb9234cc58
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,13181452647626171776,7589795437637239263,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,13181452647626171776,7589795437637239263,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,13181452647626171776,7589795437637239263,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2416 /prefetch:8
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3036,i,13181452647626171776,7589795437637239263,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3052 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3040,i,13181452647626171776,7589795437637239263,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3092 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3856,i,13181452647626171776,7589795437637239263,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3640 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4372,i,13181452647626171776,7589795437637239263,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=940,i,13181452647626171776,7589795437637239263,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=724 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4888,i,13181452647626171776,7589795437637239263,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5024,i,13181452647626171776,7589795437637239263,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3308,i,13181452647626171776,7589795437637239263,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5680,i,13181452647626171776,7589795437637239263,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5240,i,13181452647626171776,7589795437637239263,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5156,i,13181452647626171776,7589795437637239263,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1776
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\Free Snipping Tool - 7.6.0.0.msi"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  PID:3676

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1916

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4972
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 03C4C83ED35C61FD3B002F531EB7A952 C
  2⤵
  - Loads dropped DLL
  PID:3128
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2148
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 249989F1E5101CB1848AF43D0FDCE0C9
  2⤵
  - Loads dropped DLL
  PID:4080
- C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\Free Snipping Tool.exe
  "C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\Free Snipping Tool.exe" /autoStart
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SendNotifyMessage
  PID:4016
- - C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\updater.exe
    "C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\updater.exe" "/silentall" "-nofreqcheck" "-nogui"
    3⤵
    - Executes dropped EXE
    PID:220
  - - C:\Users\Admin\AppData\Local\Temp\8065ee2cd0a437e22636d7a469e25413\updater.exe
      "C:\Users\Admin\AppData\Local\Temp\8065ee2cd0a437e22636d7a469e25413\updater.exe" /install silentall "C:\Users\Admin\AppData\Local\Temp\8065ee2cd0a437e22636d7a469e25413\updater.ini"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      PID:2140
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\RSpark, Limited Liability Company\Free Snipping Tool\updates\updates\Free Snipping Tool - 7.6.0.0.msi" /qn
        5⤵
        
        PID:5740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{CEA3679E-9D26-44D5-B243-1FAA0460EAEB}..bat" "
        5⤵
        
        PID:5524
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\{CEA3679E-9D26-44D5-B243-1FAA0460EAEB}..bat" "
        6⤵
        
        PID:5576
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" cls"
        6⤵
        
        PID:5592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://freesnippingtool.com/compare-versions
    3⤵
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of SendNotifyMessage
    PID:1564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb7e5e46f8,0x7ffb7e5e4708,0x7ffb7e5e4718
      4⤵
      PID:2804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,9537573532439059325,15681938087593304755,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
      4⤵
      PID:4772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,9537573532439059325,15681938087593304755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,9537573532439059325,15681938087593304755,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
      4⤵
      PID:5104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9537573532439059325,15681938087593304755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
      4⤵
      PID:5280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9537573532439059325,15681938087593304755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
      4⤵
      PID:5288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9537573532439059325,15681938087593304755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
      4⤵
      PID:5564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9537573532439059325,15681938087593304755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
      4⤵
      PID:5788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9537573532439059325,15681938087593304755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
      4⤵
      PID:1192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,9537573532439059325,15681938087593304755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8
      4⤵
      PID:6020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,9537573532439059325,15681938087593304755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9537573532439059325,15681938087593304755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
      4⤵
      PID:5748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9537573532439059325,15681938087593304755,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
      4⤵
      PID:5408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9537573532439059325,15681938087593304755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
      4⤵
      PID:6008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9537573532439059325,15681938087593304755,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
      4⤵
      PID:3024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9537573532439059325,15681938087593304755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2072 /prefetch:1
      4⤵
      PID:1764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9537573532439059325,15681938087593304755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
      4⤵
      PID:456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2128,9537573532439059325,15681938087593304755,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=3596 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9537573532439059325,15681938087593304755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
      4⤵
      PID:5568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9537573532439059325,15681938087593304755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
      4⤵
      PID:5852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9537573532439059325,15681938087593304755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2052 /prefetch:1
      4⤵
      PID:6004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9537573532439059325,15681938087593304755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
      4⤵
      PID:3444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9537573532439059325,15681938087593304755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
      4⤵
      PID:3624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9537573532439059325,15681938087593304755,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
      4⤵
      PID:5524
- - C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\updater.exe
    "C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\updater.exe" "/silentall" "-nofreqcheck" "-nogui"
    3⤵
    - Executes dropped EXE
    PID:5416
  - - C:\Users\Admin\AppData\Local\Temp\8065ee2cd0a437e22636d7a469e25413\updater.exe
      "C:\Users\Admin\AppData\Local\Temp\8065ee2cd0a437e22636d7a469e25413\updater.exe" /install silentall "C:\Users\Admin\AppData\Local\Temp\8065ee2cd0a437e22636d7a469e25413\updater.ini"
      4⤵
      Executes dropped EXE
      PID:6108
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5F7B170DA0BF69CBAFEFC1B7ACE61C09
  2⤵
  - Loads dropped DLL
  PID:5804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2532

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\readme.txt
1⤵
PID:3120

C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\Free Snipping Tool.exe
"C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\Free Snipping Tool.exe" /icon
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e59ff27.rbs

Filesize
1.3MB

MD5
aa4cd861a4eef568f6f72f075f247da6

SHA1
70108d02f3650d31aca51e9608c2e3d444b939fc

SHA256
47d8f4a0647bfa9730869b8fd1201786ad676d7f4339ace599ab0dc6ce8a7d88

SHA512
76a4f683f8eb821c27d13cf9b8c48eca2ee8e3ded961c3422842a505e05b5013835983e3ece9a90c6736d27a52967d4b0ffbbadac63ab4ee4892d6815ed3fd4b

Download Submit
C:\Config.Msi\e59ff29.rbs

Filesize
564B

MD5
fc0d2f18ad7819309873676038b7d7e5

SHA1
618fb058c251923910fc6967e31f9708ed5f8b5f

SHA256
1a43a49ed61517ade5327834f79e96033cb8b826032878ff89bf08a1c02ae01e

SHA512
33866c1a601eb83d23aecd5e48c9d1318cf314d6d696976313de785e874f74ed97fcbeeca528d51449da831a0b06b8a993c6c732a439b36b8fe12b2ac99aeea2

Download Submit
C:\Config.Msi\e59ff2c.rbs

Filesize
1.3MB

MD5
2c315f24f286b029b76c833e80da6e38

SHA1
9f3e5c23c9e71004d4238623d953769c8bd0bb7d

SHA256
3a2e4ee37ae979996af46b9425a83d1a948ee21885c93f13e9eddc103a32ecc2

SHA512
dffb2885427639b8bdb3bcd44ce2ba116860d882fd7b68f807755eef65ef1b59854977363d4962b2d8ac88bacc22d815d3faad995167a50723230c0897fe52af

Download Submit
C:\Config.Msi\e59ff2d.rbs

Filesize
564B

MD5
95797d5f9781b27ab45d9ba289e9e1f6

SHA1
8acd8650b537f0e86e32b50a3987284a1f168f3e

SHA256
4126829e31e8270ffd0cee9c7c12abaaa0956e5192198dea87af2110eb657c64

SHA512
8a3ded995ab53f5deef84ae8dafe5608834bfe2efaaebbd8a19e23441aceed6fc4d27598e96ab6980d3ec6e6b1f2f0d9013a167f10fb7b550678b4703532b996

Download Submit
C:\ProgramData\BrightData\b77cf2bb62ce2b412a461159d601ba4895e98beb\lum_sdk_install_id

Filesize
33B

MD5
b8cd7be0f5b0fcf9873a4d0346c1c6d8

SHA1
2b24e4ec687bad8f6bbe0228c5ecca44e0d05419

SHA256
5d2fe73d49a81f73c37cc4d403dd626ce64156426d98f5082a010ba3e3c50d71

SHA512
fbf611aa3c88c52f8d519d3f7c8d7b6af4cfa660057c237031b85f9157a3ae486bbbf4f5c274a29eb370e618e3cba6a22fc4db8f5756a47e8a84dfb83bcf5fae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
765B

MD5
c38464185c007597b902373b6bc3f16d

SHA1
811d1d799fab32725c67bccfb5e50373f8d50d46

SHA256
b836ccca39d4bbc3e6c6f92ce37dc7e6577f4bc0f23d20dd691b764414ab8bf5

SHA512
0e004f96691b1a200820016b961766bc277a723ecda95b7ac466dbbdb103c6cb34744f8258b2acb76588db3e950187da88936b04b226f8b6921e638ae825a145

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_33B5B52098E54CBEA944A96393851F49

Filesize
638B

MD5
ba87770a2b4fa349617e0f6ab5755e78

SHA1
8471f7080271657b45fa386c04d39a78cd3772ac

SHA256
f199ea1b6265949c324048ae7ae8756dec6f6d7978175eecaa7f255395999880

SHA512
b7a06a6ae1d4de93f3ce654ab690e2e6cf12218fd884d2a07a9ea46cf18f3e40a2b0538305a924c86cb96840d440fdaa785767c0fc4933a3e66d12128a471a29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
1KB

MD5
bd74c70f9bc42e7bea8ba5d971a05b37

SHA1
0080fbc1e2d756c4ab6fd0e1848bf5866ca43304

SHA256
cd0ed93faf4da76b1a3c7e815444b70b25a03a4eb7ffa00c418d0201c0b78657

SHA512
adef1f65dc1fb58451d2985828377791be198052f99fc23b34a9935e79e307570b9eb29cfc4da60e5cc610e51beb7fc112a7b1ab7017e101e90e9f820e24aaa5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
484B

MD5
6f25334850c56f8a38f9fbba28d943d6

SHA1
f320c923bcdebb0a29f1342f06c97b6d92d6a097

SHA256
57c20c95d84586b8dd80768ed16c5ba8129c4bf78f8c41cd100ecc4d5ffa9eeb

SHA512
50bf0667e426f73cf110e091c1442b2537d5f4898338b4901593086b652d38d7e7d7b9f9c8156ff76166b14d20ee46a0b585698b9aa491b9cc9c12c63d9d446b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_33B5B52098E54CBEA944A96393851F49

Filesize
480B

MD5
ce1289425fd90ea7f170a88c9018c783

SHA1
4de48a3fbddf1ceee8e41c0014b05b60a704d37d

SHA256
b637bca9a61ba22aabfb99bca344d70ad491a6d1f289b021d960aaf4c874f1fa

SHA512
c86dd88e71bdcd55b5d6c6ef4938ea7b5e6f781502ec545ac9af8ac322c8bb8a62a0f75032c8921394666aadbd7ed1c6354c4d0fa0dab99d6db32720452192c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
482B

MD5
90c8b322502d15a8c787afd181ea8cc4

SHA1
d9a8d05a7e75bc219407af2ca144a753d3453bcf

SHA256
c5ae6834720b28b5a3e9a62f005b22136f2022e70e8b6a5b6c6f3ff96a5f786e

SHA512
af0c518754be8641326295a2327e4746f94663185b55b689d380d6783c1ec42d319f7eadd48179a706fb99547084df09aab1f4b0c6034bd32c8a719a6dbe95b2

Download Submit
C:\Users\Admin\AppData\Local\Free_Snipping_Tool\Free_Snipping_Tool.exe_Url_32dexyvqr20avhyh4i4qs4fvx5ujfws1\7.6.0.0\azsgkzuv.newcfg

Filesize
2KB

MD5
7052a755f6c5ab8e7f2accf5e10de2eb

SHA1
ea6c8f10b5d7948e8b690f447f5f80efacb56698

SHA256
86522e054046384bffd084e0f7d494c25ec248411f363c184cdf83efc6167f75

SHA512
1c8451458ef54d15a70799acf589e9b8cd7c2986b756a981c5ecafb7fd57155217e8001309dc50443a3945cd7c2a428c0a592c33de566c85d8caaaae07dc24a9

Download Submit
C:\Users\Admin\AppData\Local\Free_Snipping_Tool\Free_Snipping_Tool.exe_Url_32dexyvqr20avhyh4i4qs4fvx5ujfws1\7.6.0.0\eni1ucbq.newcfg

Filesize
1KB

MD5
eafb8fb0b7202273710493de12c60659

SHA1
79a95bc6d1d0a08268c2d0163409538aa5fb88e8

SHA256
95e5535fc53d3c9eb6672fa791b3940c0532b4dd3261973fe8f8e407b8f02a39

SHA512
059c3e1e4a303801f9c3ba045fb39e6f7f3a06688bb49b56ba4803c7b35f5726f1949d38eb865f4dee812aefc84ddaa782dcad85a4bf5a8db3ae209350ee2bae

Download Submit
C:\Users\Admin\AppData\Local\Free_Snipping_Tool\Free_Snipping_Tool.exe_Url_32dexyvqr20avhyh4i4qs4fvx5ujfws1\7.6.0.0\iypkpt11.newcfg

Filesize
736B

MD5
bec75dedabc8c7fc54b04eef74378f56

SHA1
5ee3ff9e1d93a734d7e002e4bb69a3783d759b52

SHA256
15a7eb259f6ccbc241b548f8041f9114158ab87c35bb219b56d8419f09ce223b

SHA512
266a5079728340d6b7c8e81383687e2c7041757a0ea2b71b4804daf366a72f0b1e9a404c368b019c46784a0b70613ce1670a05ee29177534124d79269d9d6b78

Download Submit
C:\Users\Admin\AppData\Local\Free_Snipping_Tool\Free_Snipping_Tool.exe_Url_32dexyvqr20avhyh4i4qs4fvx5ujfws1\7.6.0.0\juw0tsfw.newcfg

Filesize
581B

MD5
ba2e73b128b0f71467afed85c0591fe4

SHA1
119213ecf01b23c67b3f2581b9c3cf1160df9e0f

SHA256
17f65d0c01e8fb4e914fc2ca5c50d0387f9710ef46ef8b0523e1469ffb544a16

SHA512
b7b2d82c95b3818f1f51256a749c227a245d8138a8905b8045657a2e7f4d917c62a44cd9c3ed160cf73013428a7ba14adf9af237608208169f423e02575d865a

Download Submit
C:\Users\Admin\AppData\Local\Free_Snipping_Tool\Free_Snipping_Tool.exe_Url_32dexyvqr20avhyh4i4qs4fvx5ujfws1\7.6.0.0\rtdulzfv.newcfg

Filesize
1KB

MD5
77da4d3e256c015ad57e87726d3c5484

SHA1
d1047dd41a0589c121e49a65d822221d2063756b

SHA256
89885ba90ab8cea1304da1630747e2bc4fb44269e9992d4cd83f5163bc4788ee

SHA512
b76c539215b5acebd662ed11dd249c546337287c53aabea82dc615078711b984ae39b0a77bc3fc45bee504c7f6a41fbc8a242745feef48189ad8c0be90e9c8a9

Download Submit
C:\Users\Admin\AppData\Local\Free_Snipping_Tool\Free_Snipping_Tool.exe_Url_32dexyvqr20avhyh4i4qs4fvx5ujfws1\7.6.0.0\user.config

Filesize
2KB

MD5
8ac410c2fd2c377e42890f5dbe459904

SHA1
76af35e899815435c998bf28a19dae23ea8f9463

SHA256
ddbd267e8513cf9f7270fe810b426310edda1656209d5a7edbaf94bd35ea5278

SHA512
6d209a5b8451c0b7bfc34985ca2a47b23fc38047f0f7448e6ee0086915703fb43e34317712e601cd34d8f35d4422f03c188251df4d6f543699a849c0651550ff

Download Submit
C:\Users\Admin\AppData\Local\Free_Snipping_Tool\Free_Snipping_Tool.exe_Url_32dexyvqr20avhyh4i4qs4fvx5ujfws1\7.6.0.0\user.config

Filesize
343B

MD5
3c5711f3f3fe30d9eec3d677e581dd77

SHA1
ca09c9d338a681d2bbf4b5e66db643bec2e279f1

SHA256
42045c57c393306f9fb41f27781953c575b27bedf7a8f46529cdc45607960227

SHA512
57410faea622fe9ea242ae7f973d049a46b85c446720fa7cb6a1f30e44989641db010972e8768b117dad2b24a8308eb1b46ccc413de4746da0103e6327fbbceb

Download Submit
C:\Users\Admin\AppData\Local\Free_Snipping_Tool\Free_Snipping_Tool.exe_Url_32dexyvqr20avhyh4i4qs4fvx5ujfws1\7.6.0.0\user.config

Filesize
1KB

MD5
4183bbae8f046b4324ca77ca83d33489

SHA1
2fea9e94869f51137a0ea7c145aee030b66035e3

SHA256
1a81ecddd45f0a48cbe06f581e2d62eb6b9138d0cf3c4a23555d16ce444b2732

SHA512
fd4536f64d0a45a361d618f44c94640296fd017ff311a5084aa9d9056e0eb976affa029b96cf9be1ef10757881e01e60a29d5a90e6b2ff4fce32e6c599f77167

Download Submit
C:\Users\Admin\AppData\Local\Free_Snipping_Tool\Free_Snipping_Tool.exe_Url_32dexyvqr20avhyh4i4qs4fvx5ujfws1\7.6.0.0\user.config

Filesize
920B

MD5
3289416a7a21a95b492941b3bad96bfe

SHA1
f5276d5110efef0e3042366916df75fa280faffa

SHA256
840b7a85cf6e5eacdae56b6f1d1191a11fefdf4ad1e12deb04a2762e3a5b9ae4

SHA512
cde40c953dfd3fc7ba4d1b48e25e3f9d353c600cb5d246548489234c352a1fd671e7a7397168d0a1f18339a0f1ae70b57abeb2065db794f1c673d3846b8d1d8e

Download Submit
C:\Users\Admin\AppData\Local\Free_Snipping_Tool\Free_Snipping_Tool.exe_Url_32dexyvqr20avhyh4i4qs4fvx5ujfws1\7.6.0.0\xxejoi3i.newcfg

Filesize
1KB

MD5
36c12670c15218f3d320f8eee1e6beb7

SHA1
099efc969d3ae3c19cbeb5cfa39abcab617e8dd4

SHA256
15612a73f2cceec85245d4dabea8db063ef01650ae14fedee4bed51b8b893074

SHA512
e2cfeda339a359e4fdb18c44ac5744f77169d6bbcd8638d80be64f261158fa976146157f721e51f49a278694de677a3a308a63f9f85d337672c1b74b3c8af55a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
20KB

MD5
7f8965bc4a6541189bb000b832b3ba4b

SHA1
2cfc6a12844c3ec89d571ec5d87cdd5a0cdc26ad

SHA256
57e9504e17918efff5f382ae00f64cf1203fbc3190adc3774f43f49a883a16da

SHA512
7763d57e238ff0cf43550cada4c6d941a673e0e9ce8020e0b6b1a99af54217c7180c2354edf9138cd50461c07de5e0ad09527e3fc7ef87a73003ac3847dbf306

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ba150f74780a8748946261e281779d59

SHA1
3bae0f6d8ca1965fa583a829f1175b84ff8ebdb3

SHA256
29eb3da0d7c8bd06d54fd325cdc7c45fa6c8400a1abbdcfeea9a3471cc4d34cc

SHA512
698e0e358c2dc43680da2a343be0a805888c6180aa3c0893db65d8b6a69806c5ff599e6355bb0a2229ced4d57dde60ab680351f0ff2eecfb81bac134ffe0086b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
525880396a2b72f6f8303f26e97e272c

SHA1
7399bad117bc8ab95f311f566e5ca9284ad8ab6f

SHA256
dbade32663e3a9813b4196c5134f78ca77df8fd0c084dda4981d20ee850af5a4

SHA512
c9ab3b7eaac70fa080a5f7e44f7df7762fb53705af6c03b4e83d88d8e248378c51da23a68c6a7c76fdd878f2c5ed83769ca9d829cc596e68698d600cc6621c44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
60795911231ddeeb8e55bacb9e9575b7

SHA1
39fd3c45cd20dddf0ec7012726465ef58ccd6793

SHA256
8485bcd828f15bba50b294fd27257c8995f578527f0396ba2a5fb4761e8cc4bb

SHA512
5fc315316aa18bde938392699f1aa8177eaf7e73586cc2d4cf363ebf92bb575f39449bf89bbcf2be6da0aa4dcf8c0e3513d1d0b8694cd0007814cfaa81e1c230

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
cf84234c934208d0f7d9714912b15337

SHA1
3b8eadefc35727f1710319b5bee9cc4c5c12fcba

SHA256
1a608d9c0eb685cb09d1a0dc00636edf9c1c54659c7e494c855abe15d78f1fe5

SHA512
cb12999f07d09c8b16adc03e0b9364060046add39747491a51bd938479ba7f2a1d2d2fdb2589353872cb72f4290d96ee4785300e07ccc4a3c8a7b6c65fdd225c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
2e1e42d4fea20534fba786c90dd89e77

SHA1
b2a83244c39bfff5e69eba3ff43267aff7318894

SHA256
bb90bb5b80d39fe7e666ef680f06d3832f0f0d40f6558c9aefe34311d188363c

SHA512
a3e7342f1690b302fa78cebf3497fe7d39b9c776c17f3f10b44d338f9b67353da25db9978ddf734715737ae25104574899c58c65cf0d9e8b492696fbfa6b5201

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
0b29ef890439a483f9efdd8d2c2f3065

SHA1
7fe020bbadd3ebf653831f1a502652d8732acac9

SHA256
edf1095d0bed3a460c7bcc6badf2012c908508c393021e52ea06c91a5cabb442

SHA512
de2e78d2ee0af4620248d7dad3f404cc277ebbdb91e6f60893a4bff4a8017c06e820c34235a680c29c5e87f9ed4ab89e9db04fe5bcf70b71c5188ef878060eba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
3786486be31503007ac350f90dbae3e6

SHA1
65c3c52a90669905cb3e15b5d7706d5fe6807e0d

SHA256
65b3d41152a205c147bf6ea9df4233d2c73d599ce9dd77bddfdf24124f3bf3e3

SHA512
570c7db44e0083527a9918c4ec775e808e695b396e99babf8d431f5cd46c342592792a5cb0f5e6cad98c069592de87a3cc355f2edeef32a9e3e5dd751e9a443c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4ad049d0a67e5b15ed8e6ddbc2004867

SHA1
1395524cf47b0c5122dc1a5ecf90263eebd72bc4

SHA256
ed4bb58c83f6b581857d4252f571bbad7b8820d2960e7ae406046b4ed897dc1d

SHA512
4997f791a7fd97ca6256b64f3fbd059a9e8a9a848dd66a3cd34c01644bb411476644a69fe3f087fa479966a180d4b379e3b85dacf32e950e43c72b78e1432799

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
defa339aae4a75a01f46904034a63044

SHA1
79a222634f0100f2ae320ead20f02914f1328a26

SHA256
d2842fd1d520b9300b473a74442d4a053706c9f89840e85d8f1dcdcad98eea53

SHA512
755d709ef4128ddf1c0666a46184b71d3be4825f96f9f97ac620c7dbb0e41e06ffab7b5e2b46ebce2feedf6533fd071f372f2a23d70a0b82f8c6122cd786f052

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
40e9eac5af0947af326c5d2986f81b4e

SHA1
52871657ddb2935e5604a3f77bf2780c82bd9933

SHA256
63da5a4b0d32b65acc7ca8dc213168e43d288cd5b89a1290315756b0dca85fc2

SHA512
8263642184e11bfa49db406f95e41b812d39410aa8c566bdf625b6070f5e105cc70c45e42a966fd846738a710b17b1cb6eda209c3c159f018e1b05f34a7ce4ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
247871913c831e339c72df2b02290148

SHA1
7c0768ef0dd8d019c2cc8286e2f4d930ccc3bda1

SHA256
be5262dcade4614c1654ebabec2118ff42da5ccb901ae764a86341d51e26bb56

SHA512
de8d7073e28f5b92b7cbf6d369e9adc6bd7147e152e81d84e1761f1b72fba871178634d794565a60a6c18a59a7d0ce9643f7021145aac34c12e101ce20fa19d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f8a486f6662494f176be53e3a7ce1bda

SHA1
3a3aa16bc0618a5c91ab4b638437a7097827fd79

SHA256
8be97e06f273d82d70bb72cb8367ec7d6cc0a2b5dd303fc6d3bb872fc00fa444

SHA512
223a8ca6d7b92dfdc28e01c92d7b9b2babdac75b8ffcb227b73c5a80ba3e4016c21eb3e39311051a6f09c96fb844a3eb9d776d33c1f6f5195a76b5cdb9df1286

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
01c3f18221fa2082dda0a7ca95b4f7ea

SHA1
f3e0983b23bdec2dd10c2cff6ebc4e8045ba2582

SHA256
27176c3697ee748ec32ca9307a688984c90c65c8434450a7ce419e6f6c0275e6

SHA512
f5ea72e0e2c18ef60a40128aa20d2fecfb4fdb77a7a7f5f798695d274e172054e4194e419ff9d68a412a5db05249063f3bfa325fa7af4ef5b283d76076cb743e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
85b0bbbb354513f2f17a83e872c38b5f

SHA1
d32c1333aa92c4dc5a5e55f327a6887dbb9a3496

SHA256
48f92083394ba5f502494e43c1633f2132c137c4d58d0f70f1d290defa1176da

SHA512
f1b11abbaa8227638fb6d03515e611f1b86ca5a52654b08aa9cb95a7af27d85056ab4cc0b0408e9c0dfbea14b46c2a777abb7704c007992431ff1b8f7925ba2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3279e01961a97d112f15a29bb4668f0c

SHA1
ace175f7db7b2e91f7862fd01b85104c239d5ef8

SHA256
85048cf26dd090727ce986ba3c166c4c9696c2953bb532e4c4a6d3ff93486ff8

SHA512
f5a2b8f672001fe9ab4921ec2d1a2532f918c680c9927ba8ab9c98d5f4d68793497e2e62f5589d7738e1ddf2e7ae60ebc497791a71c71fbc6f3df6e366864edf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bc0ad8bf0c9a452174242cb4c34f4306

SHA1
3c3e909308bf36b8222084a0091ff7046e816171

SHA256
8cc13b9bc2bf74c9388d8cb56da12a01e2de12a72e97df4ef3abfcd0a8197d8f

SHA512
4f191cff4c50e5b93941256cabceb09e7735a18070b8f956feae32f9f89175bf29954898d0b14bd842e4f8464f800b0a5ad38f2fea8e82b5147213c0b6143fb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
44d181305b799f44ecabcce51ec8a21e

SHA1
16b2b240c221898f8a14036cd6bf7a2e7fc6b71c

SHA256
43174f04538f57e32d287cee475cf8fd216ec4330730418df348b9ed12c68a53

SHA512
586801bc79e157f31cfed13c9b587e5c328288ce495336ec274b3dbed34f3c041161d23304109ff1e8fdf25de8bfb51141935529bec41f0a8c37772c73f6999e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
07fc03f1015e91f5449bb844786a90c2

SHA1
0aec74d2995f961aaa407fc748be6b89481ba807

SHA256
bd78123e22beb68a6a5735da6450d4bd9df50293110cd854248ba94e23f04791

SHA512
0656547d3886b867b0ef4247c4fab45bf526e56a7afbaff81bb32abbc0094da546728577eed32b5dec655df580987115eb8e0c98db9cf2d622c9479370d86027

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
558ef8d84fac8a1b1385368c4a34db16

SHA1
3c46d29c10e708e105e57bbb6c5961d70546ece4

SHA256
d3c043cbb8cb457a2c2310f96d5faf7dffcfc921d1eac85dc44e7ec4986b3a1e

SHA512
31e11eead90eb1fbfb9082b94d96e5b6b31a27a9b34e9d31d9097871bb50ca3429ec9647ca751a7662a05eb7ae256c565a385b45a457c2a6f4ce97997daddd57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ee65c00311f9035768357630eb0b0c84

SHA1
63c148b4b54db8e0efe0bd5da379e478ea26a98d

SHA256
961e936904ae29fb8f7afa7fe306b58a7e91478e1e371ff94866850b36ff747a

SHA512
c204ca2f0f1c7b6f8170f140ebef3e54a062536f501ade99701c203d147d454ac6924c3d8b0c993497a45ac1d07acb9ce5aefea27b3bec3db53d320572ff7690

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5269a753b82f537f0be03d17585f58db

SHA1
8ca33765a4a3fbf3e40501f6575bdc9d05169a88

SHA256
79494ee70661f86ab04a007da60f4fe7d0d3659bf575c5663cf4ed56fd474f09

SHA512
cb706e997f5b6604a10b6196bba7f3888d8e26b058e7d15cb29c3da5eb591fb336de4fadf62d55a9b5f00187623f540f99ecd5a1d9312720c783cb2da774da42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2a547609767def0b510aeef1e3399026

SHA1
4aef50c0511bf7a85959c444383227fc27aec254

SHA256
7246b7ef7d9fcde1310066a5ce79cbab5ec8523289b581cff3fd5b7268d17d99

SHA512
c3bb9bac7fba5741c243f766c454cd46f1428f9e70d49fcdb3d8dd03b31af660453745ae62ba7369d85bd0d262d6f6e8671649bd656b8ef4e64052ffc9e6e06a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ed6606ee605d4bff5da0d1caa81fe31e

SHA1
230f5c16eece6ae433c3dd2aa5904f5e82682df9

SHA256
adec02aa3038a7a3502f71b6937ac8ec2cb79a0debbb760537393deebc7814bf

SHA512
a5e777959316ae753834628c23a597dc43bd2031694223121b575c137db0cf56099925faf612bab77f3ef96c8bd0f7890447816cd50945808e210270f8c47605

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
34100e9788e0705a866574455ae96219

SHA1
c29f12615ebb1e56f3520838244a1f2fb644e735

SHA256
f5bc332877a1e8dd806d9221189bf8d33a10f44cf7b57aa30d35f759c9f8636d

SHA512
9b457c204e1f41cf5f068d45affb0793ee02f5579a3a51e2ddd82b9edaa1cad7fafaa6dca8e35b3927b4acc299b35f267c7acc993bf5f05f028b948ee49d1c88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
6fd92d3f12890fdb2b1890d55f1aec9b

SHA1
b4970cf9294ab299a96361d924e3bf38039f648e

SHA256
5cbb0b606bfba84be798256b43c4ee44acccc8bb5cac65581b1b7cc8645c3c23

SHA512
dcc66338acb054edfe9136978a1e084cbccc8807e6678891c09671d2f0428386402367ca2062b5de5f197c1079e6791ea2bdb66d47275f7d9acfcc5cd7f5efc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
687c22e5d43afc4b0d0f3606153d59cc

SHA1
1218304cdfed8420074a63e3057ce873ecd7f3c2

SHA256
ee6de9d940a0c1b566d70f290915255e8672ec712d08b4df7408b38f35ddd15d

SHA512
20be0653870897e67ac371ac3fdad344eae1eb7c0f8cd5b9285a9c0a765ee6c846abe8489ef2942462e7172a7ec5b9fea792a00236187b3f807bc0ff45de62b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\d06227e5-495f-4930-83c1-33d12f302d89.tmp

Filesize
92KB

MD5
7a2ca00fd7f2ee16beaa9a4b6a333477

SHA1
7057e7feb0a4296cdfa40f8e10e6ba3140b65690

SHA256
643c4a2b67906c0c7f739b652edb2e6dd101bd4a6d10e880bd0cc304aed5eb7f

SHA512
009ed210f51279b22465a38ca4246136933a448943232e9fe2796e7649ebe577f12160e98991da05ae29da15eb62ad5d9cf4057da42a59fbdc1b37e09dedbeb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27f3335bf37563e4537db3624ee378da

SHA1
57543abc3d97c2a2b251b446820894f4b0111aeb

SHA256
494425284ba12ee2fb07890e268be7890b258e1b1e5ecfa4a4dbc3411ab93b1a

SHA512
2bef861f9d2d916272f6014110fdee84afced515710c9d69b3c310f6bf41728d1b2d41fee3c86441ff96c08c7d474f9326e992b9164b9a3f13627f7d24d0c485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6c86c838cf1dc704d2be375f04e1e6c6

SHA1
ad2911a13a3addc86cc46d4329b2b1621cbe7e35

SHA256
dff0886331bb45ec7711af92ab10be76291fde729dff23ca3270c86fb6e606bb

SHA512
a120248263919c687f09615fed56c7cac825c8c93c104488632cebc1abfa338c39ebdc191e5f0c45ff30f054f08d4c02d12b013de6322490197606ce0c0b4f37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
19KB

MD5
547b53ce0aaa5aa18e01e2a30b672058

SHA1
24761fc6f1611a0dff5d3c02aded9538e9349d8f

SHA256
353881c4eb7b6faebdf105dabf0857aa0924dc87bd0e61604b6d7e6e28bdd720

SHA512
7a881bc6eae8e5a71c24d364555ede7f486a5e59bc23e4d4871ee94df8513fd4ab835a4324d12757621dbedfa4b43df40917094d3374f5a38e29901cee4ffc41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
29KB

MD5
731d42f0af3c21189d8591c8a1e9407d

SHA1
6913b58eac4a6c555403022f0cfa8dff1477a6d7

SHA256
d65d4c60bc96f4fb28221f7f468bd41e786202a6d7c8d6c4e06d3b6d83e92788

SHA512
ba433e729c5a4360a8c68a3144d809fcea532ba27f9c746ee81574e905654ba543502f02a99f56743b0acb5f310c03ee5665a40942ce998a2eddf04441da77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
75KB

MD5
af7ae505a9eed503f8b8e6982036873e

SHA1
d6f48cba7d076fb6f2fd6ba993a75b9dc1ecbf0c

SHA256
2adefcbc041e7d18fcf2d417879dc5a09997aa64d675b7a3c4b6ce33da13f3fe

SHA512
838fefdbc14901f41edf995a78fdac55764cd4912ccb734b8bea4909194582904d8f2afdf2b6c428667912ce4d65681a1044d045d1bc6de2b14113f0315fc892

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
daf5ae9d0d194bef050d261b93381f40

SHA1
ffe6639ac03c54f86250158e276197c9bc743b51

SHA256
11656357f04ae7860ec39a5056f7686ad1682b733188823d912e723251d3ca6e

SHA512
dea8ff37f131518357c1e0d7a8984198edc2ec9219de264e5ca62a983fe74dd34dbccdbc63931a58ddfe159ea2ce93c07031259442254058b034b8943489b1d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
30ae017f31acf1a52e9323d662bff2c2

SHA1
a8048b07b277e77451cdbeb1ec1262ada8db347c

SHA256
c800bf329e14215cf5d656e315590fc816bbde5eba9447a165611e837d44f26c

SHA512
dbe56addf9f79e4bdf0ca947fc853997583ea2e2e391576f02d9db0e2b7518e02e63ae3a2825bd6f78aedcde403a852e083c0f881128a7fe8be1729da8c985ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
390d1e73550c8add66e022a33ca90ba0

SHA1
5290b284d2403bd6bac064378c3dddf73b94c0a3

SHA256
99186a8a9a1a6714e34aade17e3f07d503f8ec2b4c9535693b2e8e8fed8727d5

SHA512
b25f51aec7e8a4ed9e6cd1158055681b9de141d6c8a6704be04b622672ffe2fe63d0bcc1f5b58b41fd275fa5b1a795171d0d3f0ccbf86a9bda356d88039f571b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e7136bed52153d88795ea7ffed7a91ae

SHA1
810e1f05ae527551ff491eaa348ae4a3805088d9

SHA256
09fc9a28e4d4de3745c2f894b82d1b3600ab98129c13f303289d3dad8797dd1f

SHA512
3ac6696f962737639fa2e167ac0c7d7588bc63f278f5b4cc39dc9b526ecd5bdb492d8030924ffca8cc07a1ac2079cdc4ea096997106b6a4306defea837259661

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
81681d2459b230e4a8fb307e1f7a3ea2

SHA1
f65a8f082de9616589662bb6d42c913ef264cc87

SHA256
225b2fa6ff519464460eee561a30c4f246e5431f40f231708f9f13bc2b1a0867

SHA512
af6eeab3139ee7e68f2830cc2701af028398c2fe92c0391349647706b495257069cfdbc2d1533e457587f8b9c8cd2d1d74cef327b4947eb5f19b65e6ffb46f33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b1c23bcf8b60afcf6f2890837e4b5353

SHA1
a0c8d4604f7df4fceb4c878f649357fb47411df5

SHA256
ba31a6bfe1fe4b1d934f3bd6b1824b0bfdee43a1cb3ae5c65a63df6c4a53a039

SHA512
99197b2e600a6ccf2280553689e1e177053f4107817cdffc9f882d311b0cd8faf7db9f97fbbaced133ab1bcb91f3cfa5dc5cb8f40bb9b089fd465974e89013d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
0d031c035dc013bb6a347d857b22344b

SHA1
81fca65a9168ef86f5c17321ec97626eb51885da

SHA256
b606ee8b7b6ba1fb67d8ed384aecfb94a8a9c561825f71314e599d13435b4424

SHA512
e84c42e775a2fe027fb70cf9e6ad22e048cb375f4c551003556a8566164f236056b10d6e2029aa06801821736e167ec1dedfc51ff7956a4307f5bf70928f7d28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f35b76833944d45e7bf62af6f72b7f44

SHA1
c5706077110f7938ee274dac80197c8a43e2a099

SHA256
e17c86aed44b251cf5e221295afb64ea4bbc162e1c804febb26c076642f3f1b1

SHA512
20b09e72b901ee6dab06f80dc153678542a819e595f1ec119884d5b45171f574d472d761e6b073f9526316aea4fabcfe2b01277bc3ec29b488060ba774517749

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5b370a.TMP

Filesize
371B

MD5
55dd968935ce7081c8597f4903a29223

SHA1
3731cf7641a6d22cb85d6ddff6ec98dd18e430cb

SHA256
dc1add0bf2d1f4c089cccb6327698df79cfe4026eeb6d11b5ee47b2cc7d354b9

SHA512
7dbd808abdd1c57c618408cd3636b0054d35ff8248aa4838e9686bf5ef32f6a53c85d7687b81d90f5e34e7648144d94b46f5d0e26aabd5d1013f828448f235e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
87d65ddef6d4c0e31a91b174a0032095

SHA1
fe8a091246007cefccd4e3ad17f19f500eb2373e

SHA256
ab9866491e97c0f47de927b608aef16bb341e9107b0035677226ea8333491052

SHA512
ee1903d273d73d6f62056d97d03c2c09f106c7dafe463f7cd9986c03c90232dc474b025182123970ab4ca25d0c5fc8beba417b77cf92db2044e9d9c9a2a54803

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
08b0f5e82b85c7508c187567d775d0ea

SHA1
7c2423295d127652dbfb94f6eadcb8b49d058bfa

SHA256
a339a6e169cdd8e2a01066fd1fa1576b0d20f4f4662ee463bcd99483171b44e2

SHA512
7447446bce07a2b96f0a986e9ccd435cd6bc0da2638e5e9b63d4460146eae755f0c32eaffc7f885caddbce4b8702e55445f5c4d81699db8868aad104cf5ededf

Download Submit
C:\Users\Admin\AppData\Local\Temp\8065ee2cd0a437e22636d7a469e25413\updater.dat

Filesize
224B

MD5
94dd1050431349fa270b9628750e2d30

SHA1
2b68a6ed54cf0df60ab7d580d9b0fead431a6239

SHA256
8d3cd8ede36f59e95a37de7670ffbd851aa508750f60c0800b812e6593f58e2b

SHA512
19279f1fb3bdd9ab201ccabd0e09cb99c493b8f4cbf833b0f4278e938272983de6a3ecbabfee28db080d1b5b1b5169046aa156d04ab483619d4d6c1e1306463b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8065ee2cd0a437e22636d7a469e25413\updater.dat

Filesize
506B

MD5
d30fd41c8a69c0d19ed9ccc3d519fb13

SHA1
a059efb4fd5fe85ed085025f6b994228aedbeead

SHA256
aaa9a205a561775497ebee9a08033fd6b29c4f461747a73286bb58b2f09ca7f9

SHA512
6c9f22b8b02854597995795c66015f737acb33507607aae603b4eb7416e94837e5679d1c379dda86f0273270d978bd944d085785bab301d1e20491fbcb102e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA464.tmp

Filesize
436KB

MD5
5788efa607d26332d6d7f5e6a1f6bd6f

SHA1
e7749843cc3e89bc81649087de4ad44c93d48bc6

SHA256
9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

SHA512
ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA60F.tmp

Filesize
575KB

MD5
8c1a778e0754301c97a660dbf3e8303b

SHA1
f489c45cde796de0d23ee862948f5e50379dee60

SHA256
000b773a448b107cbf3268fea3a0eec388daa71c5f911979c5d21f0cd8d6da54

SHA512
010e76ed659f73cc263ce9b2d2635d775b296c10e53ba133fba6aacde02ed409b19f4c4e2ba6df7730ddc8669c818e99773f25854a1916ccf8acf9e459482fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect2a3d628b.dll

Filesize
826KB

MD5
2a3d628b8e04f48a8aea26a687cdc545

SHA1
e44b4764e00b4e3607f226ab0388403ee785e0bd

SHA256
ee5d8d19b12e43459490c9c27024416c670a133fc3f1972fc8f24c6f2b80544c

SHA512
3ff86dbcb22a815eeeddaffbaa60ff37e39da7b0850eae86041ec6e9b26ec9a7825d955a7d7e44fdca0a98dfbd7ef136e639d11881bbf7be01143e68be1237a8

Download Submit
C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\Activatar.dll

Filesize
15KB

MD5
37b341c9aa0a7810ad438e0c686aab9d

SHA1
627fdb8b35b54115e8047ffdd6f46e2754a81570

SHA256
c0083ec0db1ec5b942a144f604d8a70b3ea95c0f244f22abd813d25069b5a717

SHA512
40ca2bb531660427f260afc0f66aa539b15580478668fae74e250ee48894d73af10c183f6edd4f0ab4402c34ffb8fca51f31a51db983546933adc3b90ae9593c

Download Submit
C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\BrightDataWrapper.dll

Filesize
22KB

MD5
2fc6b358ba59be84bf84bee529fc41bf

SHA1
b7262471d2f3759154737ada6e06b749a73a4bb8

SHA256
6346cc654432c52303b61c79952ccf2890e698080bca1e9d96e263ebd050acf2

SHA512
56d7d750faa10e52b8aebe1b17bfed5c069227a19111d5ac0fc992bb0cf21da87fdc9aac2ab308d14d5569b16c9c9a5f0789fa38c7c51a01f4420c505fec00ff

Download Submit
C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\FlickrNet.dll

Filesize
400KB

MD5
e16e1cc6971fc0a7ede1c8dea1fa263c

SHA1
3c29f19021d6f98266e689eafc51d2394e5a2743

SHA256
916f72f888747ae6837ee22aa1f072befe9d74b101f9111cd28fe0ed1568a700

SHA512
b36ce919cff81cf0040d4a994082f12f85d9c5ee3c5f64410e526e0d17c24990659216c885d4702ee3cb698f7869379eccd41ba14298d6fd605c658bf818980b

Download Submit
C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\Free Snipping Tool.exe

Filesize
4.7MB

MD5
2daaa3d5fcaf7725bdd48ee486e7d3ab

SHA1
1c10b28da7de8b48491cac220c21f8b2099ad0e4

SHA256
125bf9abebf6a7f7f9662e08264f96969109608ca5f7632599e96b9cbb929bc5

SHA512
2c18c142c1131d981e8e5794ff9c9000d2c3fc641a123d95f7f47543efadbbc7be38ff4f805bed3230e1a88d7667c003194eb031aeada35146e88f6c28ab6f39

Download Submit
C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\Free Snipping Tool.exe.config

Filesize
18KB

MD5
db4098fc6efc1ae00ad9e4d3d591ddc0

SHA1
17b2fd3efac250592b7a007834f8a3aad9cbf0db

SHA256
8a49ae4ba7a352156550ba1344933f290d696165b118f30c0e329eafc923911c

SHA512
f4166819698e66887e910e29cb40ed0fa47552d0df9ba3152205e4c0446cc7620703394f8ea4b81e58fab342622ef7296bc0be617aefac27e670519b09685607

Download Submit
C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\NHotkey.WindowsForms.dll

Filesize
6KB

MD5
c2e7937c91bcef2e6240e77f33e6dc03

SHA1
c9ccbb912caf70785e7d9d7b73ffb9d174eaaf61

SHA256
f828367ce0d7a3d03bbf4a80cde142ab702045abafc6632974334b8435d76661

SHA512
2dd508008946d12454ada79584382e7107beff872d480a4048c649fe9653cc5c66dea3621db91f2630e17b821fbc5a26822769f17b0cff4c76cbd901c3869f74

Download Submit
C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\NHotkey.dll

Filesize
9KB

MD5
388d719c966bf2eec6482f37e225980a

SHA1
c7e96305f36a52b899ca093fbf77b2880aabcba8

SHA256
0e1772ffa80a0c6ce7e64ef6427f6cb69f698773eb54e9b92f14aab56b4185ec

SHA512
2de6679ba0c3280f23b290d3fa55113b2fa9543a0a603f587872bef191618955b4fac543023e2f6673eb7952365e054b745f6c999e2de7238fee1674175d7af5

Download Submit
C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\Newtonsoft.Json.dll

Filesize
637KB

MD5
a6be9efdaa744e9947f4ee18de5423bd

SHA1
258e57ba953cfadf9fdb00c759e8152a6ae7d883

SHA256
6cc0cbcd5c4709c6a1c97f5581c347d93e586e7cc0d64bffb4d32c6e753476a4

SHA512
be94cb3d150a2066db44031ad81921813cb841786fa827fdb36fc09bf06bf48939ee71fffd2d76c5b805b59d6c0f9a3e2dc6927aeaf0b4ac062c92c9205f55b0

Download Submit
C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\freesnippingtool.com.sqlite

Filesize
28KB

MD5
dad4050915b01199d4f54bbe6e497fcf

SHA1
568f6a2fc1fb22153a71ac442343a739c59fd08e

SHA256
ddd671ea9268e62fcf48c1c10a90e10846a28ef7c0f4eaf6a857910ed712e284

SHA512
fec3982629d30aba484343da33dbb022f4d16eaad0ad2d9481422b67cf3cb54c857d3693f42d72578e44a5a3bd3e55cd9c4ad74fe4aea0a450f9a73b63298f30

Download Submit
C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\lum_sdk.dll

Filesize
6.6MB

MD5
4fcf9f3cc24002d6f18e2dfaaf097402

SHA1
9354f4e95561957fcd4f621e0e4d9165d777dfda

SHA256
43dacd821a67e98b4e78fdd8f6aa55bae3aeee1db6de73930ba3afd862a974ce

SHA512
d13a6afd3c0573d8adef18305943775b5bd0dc94c38defbede4a7ea91825e736ada3f3671c1324858e32738e288c9ff3deae2431c2f802faa8480e968394d482

Download Submit
C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\updater.exe

Filesize
1.0MB

MD5
7cf63d8a86fa39f8b7e548fe89823ae7

SHA1
252448de60395838e9e54e70e6705bc81180c38b

SHA256
e76d5443834c5a1a5900384a8d40c16d2b008cee5a1581d74540dc6d0025cf81

SHA512
91cfe658d6fd8371d1ae331541de873543ae858e989d3f099f127bfdc1d7fa625cf535da11b55aeec2aa5d75c1460d0269e8398d0d439d3e7e7aa4ce57423002

Download Submit
C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\updater.ini

Filesize
106B

MD5
422b3292054e9f9ea92e6fda62915e70

SHA1
757293327925c3aca427a9fc1ac269a04fdf8e01

SHA256
08e58fd4eb34b715debde9862bf46693813b0e9d3c677fe22548d8b9c11c7b83

SHA512
c4b7642957c735344d76a06394863756e017c6968f306afe23b33afec62a7208ffeb101f0832ee122e51d0e416ea6686a5cfb652e1f575ea109bb71f1ab70fc4

Download Submit
C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\updater.ini

Filesize
177B

MD5
2071c8bee45b98954e2f1c867f0b06f0

SHA1
d560a10894dfd8e216de2a2aa97c46a6bdce4519

SHA256
357fc7a800fb4aece949e6fa55c744b2f0eb1dabc8c9e75f5def6cfbc91de146

SHA512
bac8a40df9b4e84826ec4374199a90c9863b76659d5c01a97f544d91f532b2fced71bcf4f46a4fc96076b7bf03d14934b5be2d2513dfb6d5b7e7cd684e4ab31e

Download Submit
C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\updater.ini

Filesize
226B

MD5
e15db921810cbaa4f9f455dfe83b64a2

SHA1
9b42e7bdead90fa17492f6fc63ce4ab1c0de5442

SHA256
f290e87a163335d2268fd8b3fa1ba19b6cbbe80bdad5eec25a1e2f2afa910ebb

SHA512
f43b9da8d1c9f80e636b6a59e06a28aabb18405338b7c3f19af6ece550bdd500e06ab12df892377c486638012b6e67303b86b265e99c933ce5bc95617575ec01

Download Submit
C:\Users\Admin\AppData\Roaming\Free Snipping Tool\App\updater.ini

Filesize
483B

MD5
0130b9922cfc2f6f499f912f753a638f

SHA1
835e390bcc62a521f5fc432e4183b27f2cb379bb

SHA256
59df34e03d7d46c9a8636ff75a204521b8832c120877c3c33af7ffbe15e2139b

SHA512
15441a983426cd0e53d33cc2d6a6bafae597b7089f7cd30cc6a09bdec3bc88a05b30718bcbb3e379c71b7392a5908fd0f19298a1fdc6c10d7cb2b1dcefaccce7

Download Submit
C:\Users\Admin\AppData\Roaming\RSpark, Limited Liability Company\Free Snipping Tool\updates\updates.aiu

Filesize
447B

MD5
d989780185b93118c798fede0ac30de0

SHA1
d8c620acd2292a8fd64d7143d1292ef6d514d392

SHA256
65849204e8d699d8e302d86f19aa177c6edf178a4a2800a4d8e941c3f5073dd9

SHA512
599bc529fa19557cf317c86eee542d938109218d6c44d744d0914bba20ebd8a7b75bc502eebbfe585e3d247cb095fb34550a6fe216d1bafd321111e32266b6e9

Download Submit
C:\Users\Admin\Downloads\Free Snipping Tool - 7.6.0.0.msi

Filesize
45.0MB

MD5
18f9f4c425c212b8c73873eee61456f9

SHA1
18aee06c70ca94301ab22be19847856d9959b866

SHA256
a5e5bcd79f8a79f579e9771c60f42cfd07461ce0c8bfe595c58b551c85129055

SHA512
383b4b89a69fd1b117ad3b3f9c29504d01c77ccb365addaf7993b897c90d0c7ae749c0d6268c1228080c5d5f291bf4faca6d553b4cbf2ddb18a38157e4d7ae5d

Download Submit
C:\Windows\Installer\MSI2B4.tmp

Filesize
661KB

MD5
b65f2432259cbad499dadf30453a0a39

SHA1
990ce8e49e97aea6b015fc29d3f97a00d75aedfd

SHA256
83de6b3428caa6ae10077c19dd405a2795742789d98cdaab4effa4c5f65b57ea

SHA512
7c3f2920c37982eed8c0810f6cda0c515ea9f7beadd08a149d9cda908ae01815240b76c29411ac325e479f00da029fd3cbbe5869bdc5128669bffed0f82ecf1a

Download Submit
memory/4016-697-0x000001E8D1220000-0x000001E8D18B6000-memory.dmp

Filesize
6.6MB

Download
memory/4016-691-0x000001E8B3A60000-0x000001E8B3A70000-memory.dmp

Filesize
64KB

Download
memory/4016-817-0x000001E8D2420000-0x000001E8D2428000-memory.dmp

Filesize
32KB

Download
memory/4016-699-0x000001E8D0BF0000-0x000001E8D0C58000-memory.dmp

Filesize
416KB

Download
memory/4016-748-0x000001E8D18C0000-0x000001E8D1F4A000-memory.dmp

Filesize
6.5MB

Download
memory/4016-749-0x000001E8D0BB0000-0x000001E8D0BD2000-memory.dmp

Filesize
136KB

Download
memory/4016-928-0x000001E8CED10000-0x000001E8CED18000-memory.dmp

Filesize
32KB

Download
memory/4016-686-0x000001E8B3040000-0x000001E8B34FA000-memory.dmp

Filesize
4.7MB

Download
memory/4016-695-0x000001E8CE5B0000-0x000001E8CE5BC000-memory.dmp

Filesize
48KB

Download
memory/4016-800-0x000001E8D2260000-0x000001E8D2306000-memory.dmp

Filesize
664KB

Download
memory/4016-1555-0x000001E8CEEF0000-0x000001E8CEF10000-memory.dmp

Filesize
128KB

Download
memory/4016-693-0x000001E8CE280000-0x000001E8CE28A000-memory.dmp

Filesize
40KB

Download
memory/4016-815-0x000001E8D2240000-0x000001E8D2248000-memory.dmp

Filesize
32KB

Download