hxxps://drive[.]google[.]com/uc?id=12WBT8qXg0FZyiIfnQfimIrN-sUpoTREP&export=download

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?id=12WBT8qXg0FZyiIfnQfimIrN-sUpoTREP&export=download

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
7	drive.google.com
104	camo.githubusercontent.com
105	camo.githubusercontent.com
118	raw.githubusercontent.com
119	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133673719083119670"	chrome.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{FA1BE606-672C-4911-B690-569CD588889A}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4548	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3120	msedge.exe
3120	msedge.exe
5032	msedge.exe
5032	msedge.exe
5104	chrome.exe
5104	chrome.exe
3992	msedge.exe
3992	msedge.exe
6108	identity_helper.exe
6108	identity_helper.exe
2900	msedge.exe
2900	msedge.exe
4852	msedge.exe
4852	msedge.exe
4404	msedge.exe
4404	msedge.exe
6236	msedge.exe
6236	msedge.exe
6236	msedge.exe
6236	msedge.exe
6292	chrome.exe
6292	chrome.exe
6292	chrome.exe
6292	chrome.exe
5912	mspaint.exe
5912	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
5400	OpenWith.exe
5700	OpenWith.exe
2760	OpenWith.exe
6432	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
5032	msedge.exe
5032	msedge.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5032	msedge.exe
5104	chrome.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe
5700	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 4592	5032	msedge.exe	85
PID 5032 wrote to memory of 4592	5032	msedge.exe	85
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 2720	5032	msedge.exe	86
PID 5032 wrote to memory of 3120	5032	msedge.exe	87
PID 5032 wrote to memory of 3120	5032	msedge.exe	87
PID 5032 wrote to memory of 1208	5032	msedge.exe	88
PID 5032 wrote to memory of 1208	5032	msedge.exe	88
PID 5032 wrote to memory of 1208	5032	msedge.exe	88
PID 5032 wrote to memory of 1208	5032	msedge.exe	88
PID 5032 wrote to memory of 1208	5032	msedge.exe	88
PID 5032 wrote to memory of 1208	5032	msedge.exe	88
PID 5032 wrote to memory of 1208	5032	msedge.exe	88
PID 5032 wrote to memory of 1208	5032	msedge.exe	88
PID 5032 wrote to memory of 1208	5032	msedge.exe	88
PID 5032 wrote to memory of 1208	5032	msedge.exe	88
PID 5032 wrote to memory of 1208	5032	msedge.exe	88
PID 5032 wrote to memory of 1208	5032	msedge.exe	88
PID 5032 wrote to memory of 1208	5032	msedge.exe	88
PID 5032 wrote to memory of 1208	5032	msedge.exe	88
PID 5032 wrote to memory of 1208	5032	msedge.exe	88
PID 5032 wrote to memory of 1208	5032	msedge.exe	88
PID 5032 wrote to memory of 1208	5032	msedge.exe	88
PID 5032 wrote to memory of 1208	5032	msedge.exe	88
PID 5032 wrote to memory of 1208	5032	msedge.exe	88
PID 5032 wrote to memory of 1208	5032	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/uc?id=12WBT8qXg0FZyiIfnQfimIrN-sUpoTREP&export=download
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd48fb46f8,0x7ffd48fb4708,0x7ffd48fb4718
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:5472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6004 /prefetch:8
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:5928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2284 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
  2⤵
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2292 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,16637068513160401315,16422871998633986888,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd37b8cc40,0x7ffd37b8cc4c,0x7ffd37b8cc58
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,2743150554041564066,2934020405152225546,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1796 /prefetch:2
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2184,i,2743150554041564066,2934020405152225546,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2312,i,2743150554041564066,2934020405152225546,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2216 /prefetch:8
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,2743150554041564066,2934020405152225546,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,2743150554041564066,2934020405152225546,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4616,i,2743150554041564066,2934020405152225546,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4408,i,2743150554041564066,2934020405152225546,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4404 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,2743150554041564066,2934020405152225546,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:5160
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:5208
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff77dbc4698,0x7ff77dbc46a4,0x7ff77dbc46b0
    3⤵
    - Drops file in Program Files directory
    PID:5228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5116,i,2743150554041564066,2934020405152225546,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:5308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3504,i,2743150554041564066,2934020405152225546,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:6292

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:972

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5400
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\MrsMajor.md
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4548

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5700
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\MrsMajor 3.0 (1).7z"
  2⤵
  PID:5404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\MrsMajor 3.0 (1).7z"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of SendNotifyMessage
    PID:5736
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1872 -prefMapHandle 1892 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c1578b5-36d5-4938-9331-a9c11860771f} 5736 "\\.\pipe\gecko-crash-server-pipe.5736" gpu
      4⤵
      PID:5220
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8b8fb07-6245-41cb-aa2c-8d3479bc0cc7} 5736 "\\.\pipe\gecko-crash-server-pipe.5736" socket
      4⤵
      PID:5372
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2640 -childID 1 -isForBrowser -prefsHandle 3128 -prefMapHandle 3068 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 888 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d33719f-c0cc-4ae9-a7ec-bc0fb288c3b2} 5736 "\\.\pipe\gecko-crash-server-pipe.5736" tab
      4⤵
      PID:4904
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3900 -childID 2 -isForBrowser -prefsHandle 3916 -prefMapHandle 3912 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 888 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0989366e-f4e8-47a5-a0cc-11b4497f4865} 5736 "\\.\pipe\gecko-crash-server-pipe.5736" tab
      4⤵
      PID:2608
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5096 -prefMapHandle 5116 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ede52f2f-22e9-433d-8a4c-cb48884cf53d} 5736 "\\.\pipe\gecko-crash-server-pipe.5736" utility
      4⤵
      Checks processor information in registry
      PID:6632
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 3 -isForBrowser -prefsHandle 5284 -prefMapHandle 5172 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 888 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6505b216-55b1-485b-bdf5-2fb68c6c6968} 5736 "\\.\pipe\gecko-crash-server-pipe.5736" tab
      4⤵
      PID:6648
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 4 -isForBrowser -prefsHandle 5432 -prefMapHandle 5428 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 888 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4eeca242-c184-4a7b-97e2-5241c8663156} 5736 "\\.\pipe\gecko-crash-server-pipe.5736" tab
      4⤵
      PID:6684
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 5 -isForBrowser -prefsHandle 5632 -prefMapHandle 5636 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 888 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe49eaa5-2912-42ea-bf2e-cf680beb2c53} 5736 "\\.\pipe\gecko-crash-server-pipe.5736" tab
      4⤵
      PID:6696

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2760
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\MrsMajor 3.0 (1)(1).7z
  2⤵
  PID:3260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6180

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:6432
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\MrsMajor 3.0 (1).7z"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
72b0c82876ae04c5dd470e392d1d9109

SHA1
e8e3d54657922c8a427f1d61aab8fdeae69c779c

SHA256
8b7e091b174e7267c14a888bf5e28b16d6e6dd74fc30838437a66f80f1de02cf

SHA512
f4fb042bba21b8697fded97d7302dba6df3e1d9a818fe9f2fe05dab8aa65a38e27c79fcd9abf4c130c3eb62182c014d830d28b1336e729575bc4ab720d8af54c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8f5ed30c1394bbefc2fe39dd7c1f2e29

SHA1
709b446e22ccab4f78aef13e5a8a8b428e125d26

SHA256
dcf97984dbccf6fafe3296a52b186f6b62d91022849328a158992f8a91a0fe8b

SHA512
4b7c901a776fb4e16b3f5f3a6fcf4c96fc696a2e5230a2826183943cfbb7f84158e30adadd89752ba8acb27da71d2d29186da659717316b54256534efc1ffc02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5b5d8002d4e174ad7bc98549e3d0f514

SHA1
b6e9913e2a7a3762205363388a86c4a1b4ee264f

SHA256
768653b78c8ceedebb6897c30d703c9ec62298bf8b5d2f740f1a7e30ce102fc2

SHA512
c80e2d90d9964b2e028361b2aa64fd25e79b58890ae94dd9cb0b29030cacdfe9d558aa520fa824dcf3d7598c68c28949a55b3da41b6feb0c02ea5476470519fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f27b7117319e49b458a09c6a3d36fbd6

SHA1
40b1d1e52d90e946ca962adb01626bbe3ba18c7d

SHA256
07294f2356f0cf776ebf993f829041ca621997d7ad7179cc05c04bf7a3cbcfa4

SHA512
1e6169a53c144541b91dd5963c4b6fb52ddab8b49b5d11b4ecab09a586b7f630e72ce1e82ae76d159e86eb98efc66896f1de5d4afb15233c756011edf0a50464

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
24ab0fb6594268d70e2d09e2966d81ec

SHA1
eb83b2687bb720b03d3baa468d1bd3844c53217c

SHA256
28f1c02c9987637ca38d700b28bbd63d435a217352eee90231f460cbe13eafef

SHA512
cb0859f8162a8b650d7ef893e86abe6a9dda79d31d3a9225852175b73c5dfa12f02a7aa1265311fad6f187a48fd82023d587e8926be1b71f65ce8c426aa395f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
66f7cd2ee343cab9d374f8f00cabbc2a

SHA1
022efd45ad7366d8660405da1760f961ede6a680

SHA256
990fd2cb5020b8829dfbe4054785bfd9e4e6dcd267c2b32d72aa195e263c4473

SHA512
ad44627e26d92bf09a9f6cec94854d910b228463f424f0d7474b540b12804dba49298786cf579b0f0c9becf90869166698de2828ab3eca061f3ce12b036a912e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1ee8436d744cb9200c361bcbf96c240e

SHA1
f017ec3809da9a78bd0fb344ed220815a22819ed

SHA256
79f8caf2c6ccd8435e5da1180c1dd2ba7582c5b78a62f1cdfea56bbfe95af1c0

SHA512
f42e53ee6ab2e3d660a5d1632651c0775da4a44228e4c9a8ef248f93043c89d11c93433f54f7ccea2a1a83b2708b4473db40c569cc93acf444981e3337d928e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4c147d300bff9fdc3f219bd6174183e7

SHA1
29a19d6ba588f19f18964d2732a39c38f8d1e25d

SHA256
15748312b998122a48bc00fa05f9add07b9826cd0c4b31b2fce038aa6644a020

SHA512
ad370e21b423820119e3277884c3f66efc0cb10ffca79166d955217dd3a916b4b707a76c2691ab8babc1f1a4227e283774d201052adeffedb18eb21d9e961e2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c1e48aeed9a6c5d34edbf0642626d498

SHA1
e947006e515b4915c17b53de44500b9e0a59da51

SHA256
8f51b3192f32ec46aead8c9b8f4fa189a8122a01c5d948313d4f61055dc02b35

SHA512
a2be99f30449de49c9dd8f6a1c9998a79086a56ccfe98dfd43264fa6c400e7be6a6729481bfd6bca8b7a9496ed3e8f472ef0da81553eb6f9256a066e7be31022

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ce99589f84f7c132e0a233192f477a5d

SHA1
5b79cacc07ec0391cb2fecf08ca53600f8600f38

SHA256
db09644cf75f2e923192199dfdc5d2d9fc3fc71e4e29b470e40e07e4d77bc9fe

SHA512
afbf4c0ef1046a7a6fc7eefddf3e8692c02bf3f9df5346fcf286fd9b4ff516f63d6de7a27e77c7bfb9ba8a8bf39e73f76af95393a7a99ba2a9187fb9825655af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0f694b8b1626bcc8ce0ce006d7018cdd

SHA1
3316212394763742c1f8385b68faee31dac75189

SHA256
b7fea6b8da378232aa0be2461cbe164fda2d497c785a5f06aee1a66865fb62d8

SHA512
b1f0fb51a709c0215d070449c587d59b92a3cd4a110bae07efc587da67efe013d636e98836240bc07883dcb072120817a20508a7aa910e4ab59a28e158b612b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
061934f482d0fc3db5ffd0214f54f658

SHA1
8b337fff1830aba0120f0860cceeabcf0683b079

SHA256
e21cdd8691141f1df377d38b84d7454d4203a49225947af45603b6deae0f6b2e

SHA512
2763c6901a6b7ec77d46bc8c8eadf671fa8e24200ac5eecd383db24b75b88676abd51a3baba5fcc2a17897d25666e5cf74fa76b34bd3f13604a5af3096ca472f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6a8237e212f22c93c3d973678aef99ac

SHA1
09eaf6588834228bd80e626857b5c29b1e1c5eef

SHA256
eea22a1e27cfcab68643d4e5ce4c4d1bd2a4d453b5ba4b733fcdab73edb5ac90

SHA512
387e3c70a865cfddd42fe9ec6021ad304d67bd4a31f6656091f7dc5a18687b6385f671cfbb2a7fcb37334396d0d5934713a6253adcabc32b19fef47f290bdc58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
74ea7832bdf37c7112d34aad930641ad

SHA1
1e30a303d186bc25804cb6cf74f6c699f39f5d3a

SHA256
7fccfa0dc7af936a1515674fcc625b8191a1f07cef1bf208ecd82fc1eba44e39

SHA512
41cbe0bdbeaa1d47fa1446ab916f865f0b0ddf71159f84009777b630ae1bdb6ad84fadf1b3c4b6ca3158e17f4e8f593440db1e473b9db23f9371bca5597256f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
f782038118892bba09bc14b8a0335b39

SHA1
89dcc5d846dc7eb419e6793a8ef64c6090476aea

SHA256
6ba2d4c56533cb0fd6f274637f0f86fbf2197a744132178ab9068d8ad22798b7

SHA512
e781d41e6245f26fe1bfd4ff986151baf8afe5a9948403e3235ce108bee9d59cb9b10aa3cc49e9fb17a767eadd5e0a187f87df21e43d19813bb2451d00bb1573

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
d953783001b4674a02299a692fb67cfd

SHA1
32d78e37c903ce9b40313a5a276ed11281f7bc73

SHA256
cf276d5c2cace4aa1a9e9e06c760c235c74c5c87440bb03c0ed4dea01e1212ab

SHA512
99aed2ee03d4b3414dce0dd4eec9e612f3c825c476e4316363b5b273031bc1876f66de20a680be80dd665b25e97f3382a0c19473d5bfd55090c1c22ebb6fe805

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
de0e3a7c53273ca7efc42ea27226aac9

SHA1
68df61c77daa9e4840c116df55b66dfb4cc0b86e

SHA256
3ee0a15a941e4c9dcc883859cb5169fd4020a1d6f166226dfae18558ab383955

SHA512
3f764f78afeb66df24ad4d1389d9ae4c41cd0b5a64cf4b66c0e8e0c83e47fc2e64f7e2215b0dde9e8b7d9dc7e31e339a830f10a30595513dce76518b458789d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8f2e9fb781a478102de3b95510e62c88

SHA1
03963d64986b628494375037123cff91d7d33f2a

SHA256
2bb779e847e23a29b0ee2c40772b8e47afd61ac1c72bb89311d1ff9506090d0c

SHA512
3de79d86020028a3b2e6ccb9772881fa0f989e945c73c7cee8149b24b41f27366fa675e9c92e7cd447128d7af47c11c257bbe1eb752c6d8987b23b21167b545c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f3375448d66c7b07ddc14a711478b506

SHA1
601c00d34badc810a8f43085dbdff97a4bc2cd81

SHA256
638841cfc4308cc7545ba6e2179a9b24e4fab3a7b701ac45d4c76d00b939a989

SHA512
bde50bb77a717072c0d31c3d36a40504b7800cfeb1278e0663d8b36303ffed46f9389b3c7baed34d5d8749ac67fe55123f5d109d7878fcae75a6db54356723cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
debe7985c8d779003db8f458ecd48d63

SHA1
6c361ad3239b5479e07d7b45dbdba2d9091496cc

SHA256
af767e9edc1091af879a70c97569b475ecad8f60fe1b276bc6fd20e40cae0ce3

SHA512
be2e4626d1e12603066c2c9cbcd377d915108e07150b74b16662d084409d97719e6b4ca1aaf82e5f34742cdbf687dd2f9f684871cb9c43332650b430bcac407e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
093fb1087e1adbe9ef5eb2f8fcea93f8

SHA1
a06bf6670a093a3beeca4ddecef21bbdf2288ce3

SHA256
8f66ff77f5bb78003adeea6c6e5c1994fc912896f3c0f6e78e8405da90d83281

SHA512
ce0f762962c52791deb3dd3d1afd5144bcdd6ac0c701e8f5a7a20d695c31f618f346a24aba25501de1402cfe7e4287a1e501ca6b1db50298463880ae9c3fe8dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
06417e9200dc7ae41e88043bcdc2f5fd

SHA1
197296841744274ab76f827d2db5c239be05dca9

SHA256
f11ad37e5635316db526217e038701a4fbd5fff8da08688058d0ed2b34a56389

SHA512
bc4e88e26005b1873dfc24a10f2975acafb5557d250c723bd40f279c6acb7cab0de061c8a1f5e0395e8769357e1f022a86f2c28ce807f6c90c904a8aa8d2a10b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
78edc28cab59f850132fffbf3637b388

SHA1
3adc3875e549cb764095108056d8b6cc6f58b4a1

SHA256
2b9d5d01bd8750b850a89f9e1890ac3fe53e14b35eb49f03d526d73e21ae243e

SHA512
c6eb198de5ded822678d3fceae01dae96f5df99281fcc5e8e0534ea13037d5e155e81968366191c138a2ec09858446b38c7dd428b3a6f77ee144787ccf6f8492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
715292bcbc7a1bf9ed7869c6ab12f89e

SHA1
628b27604e6c9e4de826e71f029cd3e308e17676

SHA256
66c0bd7a62bd9e6bc5e9f3bb3c0a5cc915bb9e839d0b44edf874f728fa21a987

SHA512
e586d0688e721f7e08823f902b9728e90024f080eaf8e972d86e7089c85ff4af69c44d29faedfa77cd63827f5d0b124c6b631b523aa68b459756ed7820bc4184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e08aa5ac7fafa2f439b4c9a0e9a504ca

SHA1
14e95359b2741683d388b50c4bab7cb941266d12

SHA256
a8525ffa8e87136333561ef3da3fd9f3ddbec16d534d437d7bc270cc6f660414

SHA512
caa100713490e4c8a3a58257e277b9c7d4b556518a84ea960338793b9d99c2c9f60c05b87c37b8f10e7939213ccd033cc414a92d3e26c8d6d6cabbf278c8ca21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f638baec3e83eb280513632bf18df379

SHA1
6441e9dcbe499280915e8ee4e5a30ccfb43aceca

SHA256
020e91e5bd7c52b1e502742dd2b3885754eb90130574f3db75044d64f2d593f1

SHA512
18016e2510b165b093c6786078eed7fbe299e8b2844b317393b1ac141a36240b85b304fc5a2f2a63b8e9ff93a15ce86fa121da4e1fd8dbb7ed4eda2ca785a9b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583a64.TMP

Filesize
204B

MD5
d48717b04720cc0bfef3471e3fc4b27e

SHA1
5597a051d8da6d70a37096d51bd2a89b115ff92f

SHA256
dd6f9d26b4ba28a47d2da0e3c4b759818ed6e580f6336bc45441e7d6352f07db

SHA512
6cec07bac03a430c00499cb816706cc5aca525d215a6ec2fc069c3aa2e0ce77c72eb5901f890d33ecc1374625a15d1dc153b384cdef624b2bdf41f063756c242

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8e5c7cdf9e8a660ddfcf4bb14749d8ce

SHA1
8ff1d438391a3f5cc3e5e06941ac34dcf98a32de

SHA256
99fb5657ddd469156ad484019d90203125bb8e4efc83e7f8b22229bd66a4190a

SHA512
d8748015bc451c1c6271c0b82fd67c00a9c32157094ae9ad7e9dfd0bdcbadc34c7aa1614c5ff42e842e08740b5a93ead603db7fd30976ab4b3d7fff33723ce76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
cca3b42acaeb69b0e1079c95ffa393b8

SHA1
866a180aeff81351d64163b4baee8a9140a24545

SHA256
b17a72781db41a6b96e203ed5f5d5588f915b9e195f9060db6d4a12c2550cd2b

SHA512
57d606a1cc9be95f7564d2bf96c69b33d70b9661f1ecf6cf551a8f7b8ea54ae7c4ef0ac9800fdfe32207d16a2b86e47550169b19d7782904c1f60630ebdebbf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a620c42cf9f39551144bac022d3ccc20

SHA1
60924df3e0028e9de9ad5b255955cb1d814348c7

SHA256
24dc5a4bc586196387fac54fa05c17155b5473b5104f6c47ed0ca0d4e15225ac

SHA512
fc6caeda8587d7a4abaaeeffa42329f6cd2a89c0a0f9b96b4ff4522f7a393ef6bc7886c66a9c04a9cf903a3f2b4752748a3b7729a8ad1d2cb893277fb0d26538

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9a974f3789cf39835a2b42ba08463b39

SHA1
a56f2b8a6003547940332dd17f3300dbb706ed48

SHA256
2d83cce6a5ec68f33e07f04049cdccfd3016074496752f2f3667aed472d36bcd

SHA512
c3856b9a27c93f6883a66ac70e1f13bf846cd9643ed0ae0879f1f0fa1cb319ad1757fb3ee1798ffb7efd62f85eee7904001c48c2ec98d3a67f1a3ca3456bf00c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
534ae25ad869dcbade4a46f17b97f29f

SHA1
85aa727d8e18e6b15372e658069a46dc16914ffd

SHA256
b66f3a2035d7dc0f7e9a63ab39f0c81b3d8ae1aae5ee1aa3dcd4b9418886a159

SHA512
02c4851f7726580cc83f607fbf2918ce244a1dccb2b77fc74d64ddbda459b0c4924d4707fdb62f3cdba0ac01f32933f32f27cc3e601dc9fcfc9db2bd40e7dda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

Filesize
8KB

MD5
422107816227ac28d773874cd4d6fa9b

SHA1
d767b78d92fa7cdb0a27ed29b2f8329bd7a40fd7

SHA256
bd5eb58d32ace9df426e5e78492fca7f0f8fba62bdfb04cee3d469a5a833c165

SHA512
ec3e74d7b5a93d0647eebd5fa47fdc555e3414d3e186eebe762edc54ce38249b6989f487369befc94af6e8af6c77ed9b844151b261541c8d6c6974de23e17f29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
d445323ad8731fb2541d74af1aaa67ca

SHA1
a3a122b06884c512473872578c318d745a3b3e00

SHA256
71378326ce162731862fce65590afe69c4c23f22cf2998b663aeffcabc58e4df

SHA512
b3a01a04e1f43df8b84111adab7ca23318bb39defc98360d0bff179d95e6cb23a857f50c96f324b55f679ae46629ea417514045e294948ea05053df775fb4add

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
c0ac52a544d8a6a30e03159a51f3b7a5

SHA1
63e705395680388240b84deb7407681a5c50f633

SHA256
e752ee8bee0635a2eddab292c1653f84d7774ffd435174e57e3fc9d1b0c27924

SHA512
d24097d2455325e990c07ae3c2906d42f8e755e3ea0c3a0e3836b5855506402d735199f9a18bd44fecd071fa12b8df33d94784e711dbf9ff7fa83f04ea7ef1f8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
7ba537c183ab69208af8357181c21e2c

SHA1
d039a0c55599540e007c4f0c33bac821cfaf921e

SHA256
436702d2bb539ec8250898ecebab858a1dd6fa95b2a4166d5d9dc2d8a6a76dd5

SHA512
1962170f7513987699697a4df771b263df11928f532c6fc421e49d748a5654ec857a133815d462f305e7f7373d093549709a8febc26004ea8625ac4024e0acdb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
54e91f77ec567ed0e8afd4dcce42f855

SHA1
b5fd0fd74fa2943ddc0ef107e5bc03905af5e0ea

SHA256
06198c9673285e06ff049974ca728fee1d1d0d7c78187c4157c58fc4f45ae410

SHA512
bb998f3632281720fb92a2075b6c47d6d308d7585d5809522963c96dc4defed3fad920ccd6ed1b52f4a6477caa6fd405fef2a2da20dad2327c194c1727961d00

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\543f94cb-5f55-4993-97c8-2f3b3183ed56

Filesize
27KB

MD5
e69ab4447de0cf1a6d1f01486eaa4495

SHA1
3eb22c719d725e453901b2ed6da40ee0c75a2ade

SHA256
302397d468b8f596651cfb6b6b9e2648f2b817be01bed3d588c2a03a2332345a

SHA512
d7fc3301289c077acce39d4a457287cc1d95d4f39e74115c19cdc7592d11b45bd6f15cc22e7924c41ca313a8743b36dc5c17f306d25cf2e966175e2e75eb75ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\e845f072-0007-4f2e-bc26-42eb2acc28f3

Filesize
671B

MD5
604c193f37ea6de27dcf905b401f38ad

SHA1
6c30670e1e04eedb3d545e78fb1e1caf7b4bd552

SHA256
452fd6e52d775e2c8a023fd9363c99ba228109f5e988ef97e438c88d5ea63aea

SHA512
431821b9b93d83d20484533367243ca90e37ae40b24606de59687f701f8e88fcd5fea76be47a11c83cc1f57757d5cedc72a2f3808a8d38acfa590921cd5919e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\f2a00c95-a606-4911-b507-8651a3558d86

Filesize
982B

MD5
aaa03bf2c07996590d44b86a7005fe52

SHA1
d2024234e4238992daf21d4091b7ce33a1c79e55

SHA256
c7fa22930edd03d14bc782669ea7ce5c7f58e269fad486d28ca7665c25054516

SHA512
12b14a2c3960f8ec77a18d406f6efd7dc7bd3b4e16634313e23717646ab44ed72b2c652718cb3a5d230aa5343e1bbd16646c5da57283286824807c4be5c446cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

Filesize
12KB

MD5
36dfbd36589847e766bf315f06f1db77

SHA1
a4b79c719c2bbaf6912535dae9767f8bd212591e

SHA256
65af76575ad768af7e759ec37c9bd16fb3db585501a7502b3cecb3f1c6c12c95

SHA512
7585d2e7a973304f697cfe14c9026e1200a9a1737170d17ba4fe075641134deab779cd877b25ce508939d5c1cc49cb051b521ff40b2ba92813ee3b306a40ec8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs.js

Filesize
11KB

MD5
f497ca59224a88898a6ea066d9c729f3

SHA1
4b1d2a3d6f5d8a4d8628cedb45cc5eb2260b187e

SHA256
cb0971a3cee64f32e3a8bb066a8e3ca4fc640ad0f5dff19053cbb33103d7ef49

SHA512
28f44adbb3db3a41f58a10c97499cb79c9cba176fbde10b12b2a663f9dd7f3a727dbd5db2bd5dfa016ddf4f7d33c703af277733f350f703e445f7bde0f92849e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs.js

Filesize
11KB

MD5
b2c1addc132e0f6ed3ac95a152fca30c

SHA1
f27c7636b5115cf5bbf84eda35af60f0b5ef775d

SHA256
371d8eeea9742f1284754eedbb73e72638435a65d13ebbecd61b494f5d47487c

SHA512
4fca8a389e299e0083701c40f96b742a244217028e48f1dbcca9f00778f1602c47a92c0cd55e6402a5f6ba6049d05f3bd8cfa5cc9eb80a23f81f7661d49e62b1

Download Submit
C:\Users\Admin\Downloads\MrsMajor.md

Filesize
654B

MD5
d256b5ab1954e7fa2638b02bb1601ec1

SHA1
cff3618ad44a275a4b0afe6bc3865b2253faa4b7

SHA256
0119352fe24a6307f700addd4d76b8f4270361f265012cce90a362f56e1d9243

SHA512
136c2df11264a527a0b085706ea5662162ed244bc006da5e81aaf97313c13358ee00ca2c2d67a7f019d449c80aeb4fd646c3872ad3ad87501718232e8ba96603

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 900959.crdownload

Filesize
234KB

MD5
fedb45ddbd72fc70a81c789763038d81

SHA1
f1ed20c626d0a7ca2808ed768e7d7b319bc4c84a

SHA256
eacd5ed86a8ddd368a1089c7b97b791258e3eeb89c76c6da829b58d469f654b2

SHA512
813c0367f3aeceea9be02ffad4bfa8092ea44b428e68db8f3f33e45e4e5e53599d985fa79a708679b6957cbd04d9b9d67b288137fa71ac5a59e917b8792c8298

Download Submit