2e0c46ab1c5d954024d794629354ab7651c2a5f4ec25ae838769d0231dec7758

Analysis

max time kernel
124s
max time network
125s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
21/07/2024, 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scooby logger.exe
Size

170KB
MD5

c5c80fe6de9dadf3f5e7a5bb88009923
SHA1

6a848d9626199d589a50ffd4ddf131a2ef9a79d2
SHA256

2e0c46ab1c5d954024d794629354ab7651c2a5f4ec25ae838769d0231dec7758
SHA512

f30fb62cd116d45f8fa29bbee962fa021a8a5f4977750344f15e51b320c8fdc7bfeb70a4f30b16c1f079212e0be397cd698e5b83cebb1a7dcd6c91ec7cd501c4
SSDEEP

3072:E6A9gn36+v3pJ1hZudQln+ETgyzi/xsbzpGBisagmlDDDybbMli32bf1G5tpL/Sa:E6Pn36G5J1hEdQln+2gDs/piisagmlDB

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
976	powershell.exe
1496	powershell.exe
4736	powershell.exe
1040	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.lnk	Scooby logger.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.lnk	Scooby logger.exe

Executes dropped EXE 2 IoCs

pid	Process
6380	dllhost.exe
6456	dllhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\dllhost.exe"	Scooby logger.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	discord.com
56	discord.com
57	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-514081398-208714212-3319599467-1000\{B242CA5D-8014-48CF-8058-34EBD00F51B7}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
8	msedge.exe
8	msedge.exe
2928	msedge.exe
2928	msedge.exe
1040	powershell.exe
1040	powershell.exe
976	powershell.exe
976	powershell.exe
1496	powershell.exe
1496	powershell.exe
4736	powershell.exe
4736	powershell.exe
2984	msedge.exe
2984	msedge.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe
1144	Scooby logger.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1144	Scooby logger.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1144	Scooby logger.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	1144	Scooby logger.exe
Token: SeDebugPrivilege	4360	firefox.exe
Token: SeDebugPrivilege	4360	firefox.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe
Token: 33	1300	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1300	AUDIODG.EXE
Token: SeShutdownPrivilege	5348	chrome.exe
Token: SeCreatePagefilePrivilege	5348	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1144	Scooby logger.exe
4360	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 1756	8	msedge.exe	82
PID 8 wrote to memory of 1756	8	msedge.exe	82
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 240	8	msedge.exe	83
PID 8 wrote to memory of 2928	8	msedge.exe	84
PID 8 wrote to memory of 2928	8	msedge.exe	84
PID 8 wrote to memory of 832	8	msedge.exe	85
PID 8 wrote to memory of 832	8	msedge.exe	85
PID 8 wrote to memory of 832	8	msedge.exe	85
PID 8 wrote to memory of 832	8	msedge.exe	85
PID 8 wrote to memory of 832	8	msedge.exe	85
PID 8 wrote to memory of 832	8	msedge.exe	85
PID 8 wrote to memory of 832	8	msedge.exe	85
PID 8 wrote to memory of 832	8	msedge.exe	85
PID 8 wrote to memory of 832	8	msedge.exe	85
PID 8 wrote to memory of 832	8	msedge.exe	85
PID 8 wrote to memory of 832	8	msedge.exe	85
PID 8 wrote to memory of 832	8	msedge.exe	85
PID 8 wrote to memory of 832	8	msedge.exe	85
PID 8 wrote to memory of 832	8	msedge.exe	85
PID 8 wrote to memory of 832	8	msedge.exe	85
PID 8 wrote to memory of 832	8	msedge.exe	85
PID 8 wrote to memory of 832	8	msedge.exe	85
PID 8 wrote to memory of 832	8	msedge.exe	85
PID 8 wrote to memory of 832	8	msedge.exe	85
PID 8 wrote to memory of 832	8	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Scooby logger.exe
"C:\Users\Admin\AppData\Local\Temp\Scooby logger.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Scooby logger.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Scooby logger.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dllhost" /tr "C:\Users\Admin\AppData\Local\dllhost.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7fff57c13cb8,0x7fff57c13cc8,0x7fff57c13cd8
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2500 /prefetch:8
  2⤵
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3432 /prefetch:8
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1656 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:1
  2⤵
  PID:6364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:6372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
  2⤵
  PID:7096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,8840195511182453214,6808198418176092373,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6880 /prefetch:2
  2⤵
  PID:3032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1564

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3376
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1872 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3878cee9-a3f1-4521-bd67-8065733d3ca9} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" gpu
    3⤵
    PID:3452
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2360 -parentBuildID 20240401114208 -prefsHandle 2352 -prefMapHandle 2344 -prefsLen 25787 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {300b65ce-c9fa-4c9f-997a-4f3c6e53c88a} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" socket
    3⤵
    PID:4164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3512 -childID 1 -isForBrowser -prefsHandle 3504 -prefMapHandle 3500 -prefsLen 25928 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a178590-a471-49cb-8509-c6d7112e5b57} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" tab
    3⤵
    PID:3680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2988 -childID 2 -isForBrowser -prefsHandle 2936 -prefMapHandle 2872 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f58996f-28bf-4b3c-8b10-67183771d6d9} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" tab
    3⤵
    PID:1544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4252 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4144 -prefMapHandle 4440 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0db19f16-5262-4ccb-a097-2a406d9b556d} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" utility
    3⤵
    - Checks processor information in registry
    PID:5808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 3 -isForBrowser -prefsHandle 5500 -prefMapHandle 5492 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {963e750c-937f-4774-aa6f-cfe14614ed34} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" tab
    3⤵
    PID:2288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 4 -isForBrowser -prefsHandle 5648 -prefMapHandle 5656 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6b5d6ea-0ada-416f-90bf-b56d1d01690d} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" tab
    3⤵
    PID:5272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5876 -childID 5 -isForBrowser -prefsHandle 5616 -prefMapHandle 5620 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1064884c-7dfd-4320-89e7-a32686283398} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" tab
    3⤵
    PID:6060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3ebbcc40,0x7fff3ebbcc4c,0x7fff3ebbcc58
  2⤵
  PID:5332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2004,i,13409457904269454324,6783336393946624240,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2000 /prefetch:2
  2⤵
  PID:5500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1788,i,13409457904269454324,6783336393946624240,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2064 /prefetch:3
  2⤵
  PID:5508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,13409457904269454324,6783336393946624240,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2220 /prefetch:8
  2⤵
  PID:5536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,13409457904269454324,6783336393946624240,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,13409457904269454324,6783336393946624240,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:5712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4416,i,13409457904269454324,6783336393946624240,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:6048

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:5308

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004E0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Users\Admin\AppData\Local\dllhost.exe
C:\Users\Admin\AppData\Local\dllhost.exe
1⤵
- Executes dropped EXE
PID:6380

C:\Users\Admin\AppData\Local\dllhost.exe
C:\Users\Admin\AppData\Local\dllhost.exe
1⤵
- Executes dropped EXE
PID:6456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c13e66d55fd8941f07f3de754795abf3

SHA1
35f655ef6d50cac23f9a4dd49e42504face859fa

SHA256
e0436e21e12be681097c4c89a02624740870dd263cb7806d43b92560c216ceef

SHA512
127d3323b689bf7e37ed0f20864bf96314ca10d89d487b7caa46cb3850a4453f5319b77a2f59fc3302e2e4265f6f5c22ef75424751431f02d9ae7c91c3c6bf9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4087669c45d57736175321ed8769afe0

SHA1
d289d1d615f7b9da3af708173c7a9c2dd3973ea0

SHA256
8f62da6cf78a2b51f1455d74c58eb071a2e6f750ff3e07c20c5225c6033f45d5

SHA512
b3a25e05b0ad00ab10bdd4ab5e2dd36f769715d66a4fab73330be1d56db84e4ef698d3c29ada65a9bab01a8bdab27a0a3b27b8ee79b3eaabde72dbfe04175ee7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
538b2218ce12638df6dde73b4c8674ed

SHA1
16fcc8889d3fa47dc39b0e02d1090d7fc7d4fb47

SHA256
cbb281ea732d5e19ce2677c181c12d9dbb5b2421e4453972ecde1099ad876df8

SHA512
7b5005b96a0844641b896b6b63382627a6e7e2f3cfced1a91a11bce7e140a7e301e47542a70c1a237f1cc9fc7ce455a0dcc9c78119a11de0854971dd9d679e09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9a367ac7de4eb1788cf3d267d1a29277

SHA1
3f7885a99219064146fe59fdd47aae552ecd3162

SHA256
c908fe9ac193cd9b749153fb5f0719dce6fb9b40e90bb4a46efe584fee425aed

SHA512
46fd118dff442c01ce94e1014f44c076f5bef193440e9cdeaad5fb95ee7c0a6afe24ae398608adf72ea2dc56a2c3ea5c6592b3f9dba5bdac433229a45d90e7c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aba710f986ff47c63d342476983ad234

SHA1
f2f541be5d1af77452fc24f804c4a6f2c8c00f6f

SHA256
57be3938fa2ddbe19c63820cabfaf3ef2617fbf592e223079f552ae1b4bda133

SHA512
bd947acebf5b9aa24b3b6bf47639a4b308270b7b9b2ce9d552dd442c40dc435a061b8f27a75122a6667a7df8df0122e60c5a63eebc6299966c0f6aec609f4888

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
2483223f349ed073d1e7fcb2f5c9f52b

SHA1
c8315e049092279eb6106a4a74d228168a1c3192

SHA256
7b29abacd222127c7843d1805697bc7f16e66827a2e1d7894690c9cd9f1a700a

SHA512
bb0c698c1050abd5471b09810f41707bda51be69b057e6b08a8ab9283cdbc7665f37db4799f2e8b7180239e0eeec3a9f5c63112ee5e7f57682271257d933979e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f8ef31ae7770ca3c9cb2640fdc275e8a

SHA1
a9c7b5f55d3f2f4cf81e34156085b6586d46213a

SHA256
d2f4c9004a2e2db2b5d4a3ac009ef3d71ea111de074d3129826ff4beae7f7c45

SHA512
33c2b5a6cd02191f3952fb5b48b130dbffc026ca9430cd9f1fd133912e480382f8680be68d035d6c5e1d9f77abbe59be8479f92452c5eb4d77c48a0d73f3abe3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dcd22f8109cd28d11002bb603cbd8228

SHA1
38ba6dc50b5fd3086835fa95b08ff40b9e219ccc

SHA256
7b6468fdb102536296e374755aa6adffea3184d78a643f042ca61a03dcdf8a70

SHA512
55f279f8df325797aaeb0a85893b0e961c485da1322430cc1f40a5ba532fc72de3c68e066951d5b8237b3833a78ea23bc0fbaad3402a61894a2f1d976b70fca3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
7c3c69ef90b4ac132ed4a7231dde6faa

SHA1
369cd42366e2b42d57fd7c11f7b7871696f9824a

SHA256
029458bbfd594eb479de0e9ecf1af3cd0728ff3f4a165989a97982c7ff78c653

SHA512
6bfac3537e9ce56bfd0ae22709e695bb3f0db0478fa29e68c22c6db2efcc01036966eb641b0e4a00fc86b9dcfdfcacb5b7eca416d9745da257b097e2d1f4ef42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\a4af3aa5-c4d7-4a1d-a0b8-d595116208e2.tmp

Filesize
92KB

MD5
f8e1be787971600c3534102fed136000

SHA1
b7b326523c6ac8791b7fe759c74f6c10980416a7

SHA256
2e77dc2cbe245665ff4226a1bd8a66aedf56796c6f136f2be8630b422f4f2197

SHA512
77bedaa70b21ed17a3ba12c65633d3629c29a12c07ee0d5eb940d594a8108067f3e0e937fcc2c645e5b3a9415ad92f887cef13e6b6209eefa3e7e9c54f88ef95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0f062e1807aca2379b4e5a1e7ffbda8

SHA1
076c2f58dfb70eefb6800df6398b7bf34771c82d

SHA256
f80debea5c7924a92b923901cd2f2355086fe0ce4be21e575d3d130cd05957ca

SHA512
24ae4ec0c734ef1e1227a25b8d8c4262b583de1101f2c9b336ac67d0ce9b3de08f2b5d44b0b2da5396860034ff02d401ad739261200ae032daa4f5085c6d669e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6f3725d32588dca62fb31e116345b5eb

SHA1
0229732ae5923f45de70e234bae88023521a9611

SHA256
b81d7e414b2b2d039d3901709a7b8d2f2f27133833ecf80488ba16991ce81140

SHA512
31bacf4f376c5bad364889a16f8ac61e5881c8e45b610cc0c21aa88453644524525fd4ccf85a87f73c0565c072af857e33acffbbca952df92fedddd21f169325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
1d9097f6fd8365c7ed19f621246587eb

SHA1
937676f80fd908adc63adb3deb7d0bf4b64ad30e

SHA256
a9dc0d556e1592de2aeef8eed47d099481cfb7f37ea3bf1736df764704f39ddf

SHA512
251bf8a2baf71cde89873b26ee77fe89586daf2a2a913bd8383b1b4eca391fdd28aea6396de3fdff029c6d188bf9bb5f169954e5445da2933664e70acd79f4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
43KB

MD5
3e4c95c68f28bfed38f6f12a8c2f197e

SHA1
0e29b9a92f4cff6fd69522f4b972d7dbf000f306

SHA256
256e9bba80d098d0a90f0a4e9f6bf7ea0a6a50a4847caf5e5954a921fdceb8c7

SHA512
01edfcfa99b35c1d60e29c0299e800c47163b4382c5144351b6635f4a6092b5be87ac9b83893724b98653acf8af1277fb794da4e7c9f5b53df00eb7b4f43378a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
1.2MB

MD5
931d16be2adb03f2d5df4d249405d6e6

SHA1
7b7076fb55367b6c0b34667b54540aa722e2f55f

SHA256
b6aa0f7290e59637a70586303507208aca637b63f77b5ce1795dfe9b6a248ff3

SHA512
41d44eafc7ade079fc52553bc792dace0c3ed6ee0c30430b876b159868010b8676c5302790d49bed75fa7daa158d4285e236a4be3d13f51ff244c68ca6a479ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
63KB

MD5
5d0e354e98734f75eee79829eb7b9039

SHA1
86ffc126d8b7473568a4bb04d49021959a892b3a

SHA256
1cf8ae1c13406a2b4fc81dae6e30f6ea6a8a72566222d2ffe9e85b7e3676b97e

SHA512
4475f576a2cdaac1ebdec9e0a94f3098e2bc84b9a2a1da004c67e73597dd61acfbb88c94d0d39a655732c77565b7cc06880c78a97307cb3aac5abf16dd14ec79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
69KB

MD5
d91bac1b60b58c54f87f1d1b7b16d445

SHA1
9ed78d3cf7553e3180bcbcd2ea9779e1e1a141e1

SHA256
4dd5f57067798bd3132643930620ccde1e4140289d52fcbc4fcf7b252876fe8f

SHA512
eb474a57cce34e17d00972b927846f087c55a76f5fc1fdbea0e43111f9d9a5af848862984431402a6a043e5a1a96815be84e114fc03c0372a03285fcf0c2623c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
43KB

MD5
c0178046469154d165068d3f45cc0def

SHA1
41055d5a769c7bbd0db2a9f3d50a0fb713016b66

SHA256
e2e4d3d188e2f42aa873e96b74834c266eb2fb22ac9806dda9dd7cee21aa412f

SHA512
56f21250a3e82aad6af1008c3b3f3921db602c73a8ba32e79db96329170a0e7c356a0d75fa9ae3908d445d68a14d025e0b89c06a76e7d003666ca2c11f94d64e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
391ceea5ea88505d4ae4ca4d796dfb82

SHA1
83bdd93f51bd8c6812d82efe16d89ce91da516e9

SHA256
5eb3f7bb9a8357d91e957ecc7b0515d27551db0f6f098c584a88d50a4e07fed4

SHA512
21e594ca16fdf03d2cee99c0f6199d1d7700d9f388b45f1329150c46f54038056e7aa15e4c7f873a4c547f2bda89b0255ff3b29691b5d890359f405419c14858

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
548cd35df112f5fbd8d20c9a8091a7f5

SHA1
a5ed81178021aa1e4c75d5fa2c06214695e3ce7e

SHA256
7eaad7b1e2963685859cd791c5887d899927adb32c653f35b77ea2e39077f0cc

SHA512
16b6a218fd12400f53a0ee29dbb1d723e2b2662e6ff4c98b5b7be1c09cecc9affd20038992b6f9dacad2c7a0df570bec0b851d004cae3dbe45076255d4a6e0cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
b7ff0e875943c5d2ea6a32577aec4697

SHA1
d9204f5963097909938a5829363b7a9f8f4cc7c3

SHA256
6042030b6c0446cb318bb2454f8d149a1dbfa36b1d36fafe01333f7f0a3491bd

SHA512
6f4ddb79b7fc5381f0038315b30530169641521ca16f969928ff10498948a77cf0e223b62bd50e2d7972852779e6eca9e2a398433e3dda16686fdae8074fc74d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
310a91e59b74d4151430da3b969623d6

SHA1
5545bffc539a06738f9dd44ff8c40cb6a0d62774

SHA256
3903d1e59badac29cef7f88cc60e9706cdcf2de67efb4b87e8bbb0b8820c00af

SHA512
bb474a68df8ef4e6710f1a858ec57ea57001bab4d877f3861c889a2f90874700c2327a550d7c7b7f532faed74dca4601f5a6ee313fc8318c383f073e3cd85f25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
99905a5663e8bcc1bd371fe6e8eaff13

SHA1
f69f4adb928831da8b41e5a3e8de6c6566ef4005

SHA256
01456ef1a73554c39c647e1aa7c875b59bc7524083f91cf083a8e10cae121c67

SHA512
d34ea7df72339265850640dcdb9fdfb1d332ace8a0d365fc924a05fcb7ae93fcd38db1b92f934b86a81f27e22517d9929f468a3019788f1ccdfe40f7047191eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c1cec918cbc94a493ab9a9b6420a24ea

SHA1
87c2409aad8a68704056171df70b8c3c900a866c

SHA256
781af8c7e938b2eda41077af4bd7e836ca3876567a1111a08f4a7b70ccd003e3

SHA512
2b056ba98d2c9d9d408597529229fe394ac4a40aa55a662864375977da96cecce7e1ec34226b77e8d5d72d041da4d45bc2936ff4ecb05380594209e1fb930492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
117853181a25185fa074cbc1d224f9c6

SHA1
d38af5dec5acbd9e48d9acbb7dcbf7ead7e9a2ab

SHA256
5a06b355a153a067eb6643765a85b4eee2f3f779627fd33efeada81aa4643935

SHA512
b7d6da7f93e15cbad683f99db7c60ad2c53c7ada8d636e083c925f576ca92246a61c13f000e48a0183d6391b7553a65b7bc26e9c351c491724d78876afdd68c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cbb79ea50fa01c6f8c4031130bbf9e69

SHA1
55dbdb60a7576329790b91ae26bd8663e39efd32

SHA256
6d6b2007856bd71c34c12d58d4ac737847f1dd9269759a52932b22518f8b054e

SHA512
619418136aee2ea22c4cd37b09cf205b125dfe18c734555ec5738933ecc6433cd7931e893dc943f5a1c63b6047f6dffe3d2791d5f41e66c24b624f498da8d01a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
944a47a2692af4bfdb223024596bdf99

SHA1
6b374b043089ebab10e4c1e62dbf0724dc25acf0

SHA256
bf87798068b209d58d2086e755354ac9319779ced6115972bf6b13e3d22549fd

SHA512
e8fecf1036ca23238039bb3762a6f4951c4717be05033b0eedc3ca58d75aa480241c45233d1ab9e15fe67df4da2e4c16b81625f7c0c24cb6220619331bdac60d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a3c9c9ef6fcaa6265e57435c0d71584d

SHA1
d4377d1eb7322d23ace5530dc6d635e599a434de

SHA256
6085d0d2b5ff67af863014ceeb1566a91ab00b5e20acd0a2bb0744476883f64a

SHA512
53c5a7299ca43526c41964e108978c71d417a57dbcb34e23934f8a9f29bf1a9ca32e895d904a1eee7e9f6822b91c93854019181adc3987e58d72cbc091eca11c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
51d6c377a78191514702315e158e5204

SHA1
1a37224e9a7f1e4b2e6867ca2219ce604bf521c8

SHA256
fa764840a0d1a3300f17ccda6037bfd91cbe1e2001001152f353ea8e575c6705

SHA512
c2f20a0ea5ff678473d6e513a9bec1d5865a35015d661955e299be698430fa6acacaa952b4f929efdd5b05b50dc37d7b0179cf6f815fdc5f2b1185e733f4519f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f999b74dd9eb9ea50040de201e19ef05

SHA1
d2d33740b780c85de3ff729f039fcb690c8f67f3

SHA256
6cb7b3bc1f81fe1ead82a54746969d356105c330cff1b823241ac06f61bd02e2

SHA512
7cf74724076cead54c0a897dcabfec405f1fa6b7b1bf8e6bf1ac00370808cceee5977e8192a6d78a011ab0ea316c0694de31024ed083ac8142f490a3e59bad9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
97bcfb61bf06595e5d823ac2a67f8728

SHA1
9d87ffb43d30ab195f903cefe664a27218524479

SHA256
83d2a7485d6a04b309fc844e517a7a89b7dc003f1dbfdd0c491a5e8db7fb0da0

SHA512
a769cfa24191bba96f70c82e9629761b4b19d6d5d40fbcb9bfd433e8dd434b328b4dbecfc7b89025051bcad15abe5007fcf7fd0674774763ffcd1260fdff5945

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589834.TMP

Filesize
536B

MD5
e1e7c427c6bcc38304ba3696d0b14768

SHA1
fb50ab645d95d61165e12509b6f172f3e11504fc

SHA256
22625b078118c0c50626c8d4bfe7304b3f097e3243d606f9e6dae0ef457266b3

SHA512
aa54a6b783bd9d7cda1c98b2e893102752fd31f595447429bb688136f7de4c0714c098b2f4eba830ea33cb1a6f3bfb963609bf85b8bae6aedb457d38b3a20f33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
86686b1e64b187df460457bd8313c9a4

SHA1
1a8fd87a5cd283ca1a490cd50c79085b1306d1b9

SHA256
0f8bab442fa2a730ed7ff0b3ec5320efea683241a528e7e584efdc9eeeee34f3

SHA512
a207c9ea9ba63d52c3c6cdec53c3ee5efdbdd378430e8ba36e26759c1867ef82018551862f87ed0495117447c7bc5a1119c416840f89fd9e658031259ee72c66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
05b3cd21c1ec02f04caba773186ee8d0

SHA1
39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

SHA256
911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

SHA512
e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34e3230cb2131270db1af79fb3d57752

SHA1
21434dd7cf3c4624226b89f404fd7982825f8ac6

SHA256
0f162f27548a84db1638bcf46d03661b5bcb3032e765fafdb597cc107639ba39

SHA512
3756cb01e82dbda681b562eae74d0b8ef8b3787b126119a51a92c51a78204a7805b9bdd60c00c50a3be23b843e78bb153b656540767069f739ce421b9bc02335

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\activity-stream.discovery_stream.json

Filesize
18KB

MD5
bd009f321ec77c2b2a0f84bad6a98f36

SHA1
47eb70d64c9788590d5592c4cdb2e87bfa8d5c20

SHA256
5a932496b82698b1ddd881d6099bf7c53eeeac0c80dca3ed27b9fdf755832302

SHA512
7e17e5d211e0e9e87e2b6f7871f27cf1c3e7f80262842be3705e7677c9b51e0d96606fbff3029e534bba63b25e037ae51efd8aec1a7b959d0ac62b80471bc193

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n4qboj5w.bfo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\dllhost.exe

Filesize
170KB

MD5
c5c80fe6de9dadf3f5e7a5bb88009923

SHA1
6a848d9626199d589a50ffd4ddf131a2ef9a79d2

SHA256
2e0c46ab1c5d954024d794629354ab7651c2a5f4ec25ae838769d0231dec7758

SHA512
f30fb62cd116d45f8fa29bbee962fa021a8a5f4977750344f15e51b320c8fdc7bfeb70a4f30b16c1f079212e0be397cd698e5b83cebb1a7dcd6c91ec7cd501c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
12KB

MD5
bc781e514dcce755ee8f4af85dead2f4

SHA1
32d21a0503a169be5c7f204cd760b2919d97875d

SHA256
ec9793a4c508931de5b9121cd9617555c84376da0bd11047b512abaf712f18ac

SHA512
d0e25019311a415d507ee6a1c3ed22bbef294c8197c0d68b217f7f3fb82cead80af9597355b719995989a3a8e382c5da8a28bcf99e7d638b8864f3f4e3ea8ec1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
14KB

MD5
ccf48fcd5d99661c371499785794a91b

SHA1
49c137f1d79e874f2e5e7a80a411f0e6c6a4b558

SHA256
d47247495b1a3433dae256ecf37800adbd34f0cd807928005f73cc4093300d7b

SHA512
4f639ba225cfe0a659bf8ec23d30be37a0d529cef35d71d5d304033b06446ea89f877ddeb070fc849beec0f4d7a9dbc4e8d8534273049ee10e5f4fa3404ffff4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.lnk

Filesize
962B

MD5
1b3bd3ffad9d656a4f30537637187840

SHA1
fed44fd92d59712be65a8bf1d9aabbb265d5b55c

SHA256
ad2a8c2fe492bb727f6b4d16480ec6885771f046577ec1e0f22401b3375463dd

SHA512
81f6e54ba9b281f429943123502a5504dfb830a6aa435fc23d0beed4aa259e11f51bc361c1fb2d24c9a974671d4fdeddb83203eb2790e86726de422645ac7ecb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\AlternateServices.bin

Filesize
8KB

MD5
fb4f22a838f932418838fdb8c03de6d2

SHA1
e2616b9013cc80e848d7b8cf706665c32302b478

SHA256
03c3a60053605a57d53b0f52b1bc82fce5ffdc9816d5a1109bdd645146c84e9e

SHA512
2b958d41287fb4d6f671b2e6c41dfc77c94a41df20c0d6cea503af01369c804d780d824644980794243ac2463ae3bdc5786ae5da58bcdb39869ce58734c5a5b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
c2491f97f59e5021777f165b8d3ef57e

SHA1
6fc0a3dac35e256c75de4a15c260ef0f7b9fa430

SHA256
9656aac07c4effd30ede71301a574ee034586cdb043ce463a916e71f05410d8b

SHA512
d3f6e24fc4c6b4bb07f708396a08510282332e806805351db81e9d414f5928978ee15311008eb00617e9f55f0378508be2153fa312d22534d2a0df4c61ab0a1b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
d8caef9ebf1072d03eca7a0736d8e8f3

SHA1
02b7e3e406771cbcfd8b98e4f192cf2de9d597fe

SHA256
dc57cefb08fa1de181dc83bad73c7f5c076d4337c064063fa41f262b0f3f87dd

SHA512
ea6bb8db2adac0f744739f847ad485d5c4db050f9b69be3a0be11ae1765d232cfef16e17864d884c76d3eea1cc73bb87cd0678df854e41e47ef952f8a7cf775c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\pending_pings\0e4ed0b7-337e-4c3e-9997-a96dd46ef435

Filesize
982B

MD5
b058500a405061a08766f55a57a1c016

SHA1
4cad1850d686ae3c8c1aaea19eef971c0df4092d

SHA256
6c3f65207b7b8476cf420a1c957212a64845fd909124262add1d07ce109f84d5

SHA512
17e47c710dcaabdc67fb7d22003f964767b92cad8053938726aac1238c0617019dc0d98db7a2644154df9e3b6ebc1affaf500db654f0ef9493a8775e52d507c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\pending_pings\a3a818fd-21ab-4565-a06e-68972a14d2b9

Filesize
26KB

MD5
57a7a4abb5e423edb001fcf170d951b3

SHA1
065a98e540fedb4b4a999c41468b9be8d9da0867

SHA256
f8023dc80cbf0fea3fc5dc0034834cda0970fd1304d9db220d2d3daae9c76880

SHA512
16175457c63a33b41cf1491c00e1a2ed698c2f73f59f9236db48b255755c7ce8ece745d02f83a21569d63f9c35909041768834a861630190566498f10aebafcc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\pending_pings\d0c75bb2-c84b-4ad3-b5ab-e74dd630e73a

Filesize
671B

MD5
ebe6155f8b99a7d9a815f15d1e5c07cf

SHA1
82a3cc68f4a6d1ce132e25d204fc67db6e2eee4d

SHA256
43e207b1ef79225ae8bafb54cd0e9e3707e387742cf1406b77d22bef96856c7d

SHA512
40d6e1c6b68be7d7cb44049ebc51c85ce4a7c61c9c99c5f218a2debaa4302eb28eb03df371bd96b97fa10d2f68f0dd0a7c3a6065d43bdee817f28ae1f309920f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs-1.js

Filesize
12KB

MD5
5d381918f6b2522b60c1e4e23a2839b2

SHA1
e267708ed803cb7e9d7a172f245c526fc78f8098

SHA256
469de20ee9c57f39f0cf1dc5c896260a106e99af38510f8067c400448cf2ce7f

SHA512
3e9fab86cdd7fea3fd3e491ac59e7d161903ec85a638530537d592e70c789e18621ba7c6acb1c08fd73af0c48a22a471651ea0a221465d1f540ad32ac0c94ac6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs-1.js

Filesize
11KB

MD5
edc338ae099cb3bcb15170315c543272

SHA1
295385eddf70adfd49a0030b446050420b00a5e4

SHA256
3fc2b3b0384e54bbfd491b7544e059a572b7e82d72f334b51a6d10a43890d9e8

SHA512
0634fd8a636bc0df8a2219d8c0d9218feafa51ab20652afb96d9b355fe2d7ec30f52263e0d905571a359fb6862266338df9950b7048cae5df7fb39ac575b1246

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs.js

Filesize
11KB

MD5
a0469aaffe639fb9014ed5deae247e19

SHA1
ceff259b4789f5305a677e5ec8a9705040c8729c

SHA256
f069e2ffb610e956b10ba441c439ced9b85976068d8c730e999babd81d9469c8

SHA512
453f771becf221b06eecf1a2d1a605663721f96e23c43618ebc3a748b9fb023ede5d55b0a3a1e0e9b74b371c3a396244526b5fa11a43a30662a5e277ce7d4759

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs.js

Filesize
8KB

MD5
090c2fcb9f9235b65c335c46da200c85

SHA1
b1420bbf60ec37b6b6ec7154e8414e752e65dc35

SHA256
44f3b828e36ca3305f657fb7d9dd84fd9c57b1e878af148811625214ab34b01e

SHA512
de3438de05eb49943c07e5824992d6f77a73bf15bd728e1693988236ac4fb970e9652f642c44aeb0d0a3ff01baa63c875fea69d8e2265790c2ea0a60213dde8b

Download Submit
memory/1040-28-0x000001E6FC410000-0x000001E6FC432000-memory.dmp

Filesize
136KB

Download
memory/1144-406-0x00007FFF46453000-0x00007FFF46455000-memory.dmp

Filesize
8KB

Download
memory/1144-1175-0x000000001C950000-0x000000001C95A000-memory.dmp

Filesize
40KB

Download
memory/1144-767-0x0000000002540000-0x000000000254A000-memory.dmp

Filesize
40KB

Download
memory/1144-0-0x00007FFF46453000-0x00007FFF46455000-memory.dmp

Filesize
8KB

Download
memory/1144-410-0x00007FFF46450000-0x00007FFF46F12000-memory.dmp

Filesize
10.8MB

Download
memory/1144-24-0x00007FFF46450000-0x00007FFF46F12000-memory.dmp

Filesize
10.8MB

Download
memory/1144-407-0x000000001BFD0000-0x000000001BFDC000-memory.dmp

Filesize
48KB

Download
memory/1144-1-0x00000000002B0000-0x00000000002E2000-memory.dmp

Filesize
200KB

Download