8716c75aff75941711aff8770836f47eb9a254416089ef3571c6fc9a338b3009

Resubmissions

10-08-2024 06:53

240810-hnsmsatfrf 6

10-08-2024 06:49

10-08-2024 06:46

10-08-2024 06:41

10-08-2024 06:38

10-08-2024 06:35

Analysis

max time kernel
169s
max time network
164s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
10-08-2024 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Module.dll
Size

1.3MB
MD5

157fd035b2a344a94166d7db3756df0e
SHA1

f221d28c1deb80b4e8d9201226435aefce6b0f75
SHA256

8716c75aff75941711aff8770836f47eb9a254416089ef3571c6fc9a338b3009
SHA512

fad0174fbd22f58dd4fcdaad8378c214270b4faeaca64d9cb306f50e9316072a4c417c5723c4123b8bf94a3dba6ef4e3303ec60f4a2cf0c3a54d8ab375ea717d
SSDEEP

24576:ZqBSLRktEBl6blwTUMD4zB1VU2bFjYWR0pMQUAqLRAovh4bSAXVVRNRfMXZO:ZqBSLRkt8l6blSU//+2bFfvA1SQVVRNk

Score

10^/10

defense_evasion discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Fagot.a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit32.exe"	Fagot.a.exe

Downloads MZ/PE file

Manipulates Digital Signatures 1 TTPs 12 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

Fagot.a.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	Fagot.a.exe

Executes dropped EXE 1 IoCs

Processes:

Fagot.a.exe

pid process

4356 Fagot.a.exe

pid	process
4356	Fagot.a.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

Processes:

Fagot.a.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	Fagot.a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Fagot.a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost32 = "C:\\Windows\\system32\\dllhost32.exe"	Fagot.a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

67 raw.githubusercontent.com
78 raw.githubusercontent.com

flow	ioc
67	raw.githubusercontent.com
78	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Fagot.a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName = "COCK_SUCKING_FAGGOT"	Fagot.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultUserName = "COCK_SUCKING_FAGGOT"	Fagot.a.exe

Drops file in System32 directory 57 IoCs

Processes:

Fagot.a.exe

description	ioc	process
File created	C:\windows\SysWOW64\MDM.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\wowexec.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\wuauclt.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\bootok.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\ctfmon.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\imapi.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\MDM.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\progman.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\systray.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\progman.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\dumprep.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\logon.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\services.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\ntoskrnl.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\autochk.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\dumprep.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\imapi.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\ntoskrnl.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\ntkrnlpa.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\ntkrnlpa.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\wuauclt.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\userinit32.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\shutdown.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\alg.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\logon.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\wowexec.exe:Zone.Identifier:$DATA	Fagot.a.exe
File opened for modification	C:\Windows\SysWOW64\userinit32.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\regedit.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\ntoskrnl.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\alg.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\recover.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\alg.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\chcp.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\userinit32.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\chkntfs.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\imapi.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\win.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\wowexec.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\progman.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\bootok.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\userinit32.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\dllhost32.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\dumprep.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\logon.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\MDM.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\services.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\dllhost32.exe	Fagot.a.exe
File created	C:\WINDOWS\SysWOW64\userinit.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\ntkrnlpa.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\dllhost32.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\chcp.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\chcp.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\win.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\wuauclt.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\bootok.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\services.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\win.exe:Zone.Identifier:$DATA	Fagot.a.exe

Drops file in Windows directory 5 IoCs

Processes:

setup.exeFagot.a.exechrome.exesetup.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\NOTEPAD.EXE	Fagot.a.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier msedge.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

Fagot.a.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fagot.a.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier	msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fagot.a.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Fagot.a.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Fagot.a.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Fagot.a.exechrome.exemsedge.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	Fagot.a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	Fagot.a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Fagot.a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Fagot.a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Fagot.a.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

Fagot.a.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Main Fagot.a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Main	Fagot.a.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

Fagot.a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "www.blacksnake.com"	Fagot.a.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133677462045001654"	chrome.exe

Modifies registry class 64 IoCs

Processes:

Fagot.a.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{644D1E13-3184-4820-97C0-992134CD1D06}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F822F34-B003-55C5-B0F9-891743128CF3}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{12DCD8B7-EBFC-4DBE-A72C-3E44CDD3CBAF}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AE27B230-A0BF-47FF-A2D1-22C29A178EAC}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7031886B-61D2-4CB5-B909-00386090733B}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F22D2A32-F1F4-4D62-AF5E-E5E8253AC6A6}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{146E5396-3B32-49AC-901E-4C4A82FEE8C5}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000CD706-0000-0000-C000-000000000046}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0392-0000-0000-C000-000000000046}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0382-0000-0000-C000-000000000046}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0002E11A-0000-0000-C000-000000000046}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCE035A3-D6CD-4320-B982-BE9D3EC7890F}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D919682F-BE14-4934-981D-2F57B9ED83E6}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D338C091-3E91-4D38-9036-AEE83A6E79AD}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{51973C09-CB0C-11D0-B5C9-00A0244A0E7A}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C03D6-0000-0000-C000-000000000046}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE16673E-1F04-4F95-8B90-E7F559DDE7E5}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAECB0BD-A946-4771-BC30-E8B24F8D45C1}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B8007AE-4DD7-46F3-9BEC-06F777D78864}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3580A828-07FE-4B94-AC1A-757D9D2D3056}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0049619a-6b0e-5c32-92c7-db9ff7c60ffb}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\9AB6A28C-748E-4B6A-BFFF-CC443B8E8FB4	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0002E165-0000-0000-C000-000000000046}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\DirectShow\MediaObjects\Categories\f3602b3f-0592-48df-a4cd-674721e7ebeb	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE1FD9EA-6413-4183-A67D-588870014E97}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AC566344-EADD-4F1A-A84A-7ED279176BA9}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8ACA8016-B08C-4C5A-99CA-C24488385828}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0396-0000-0000-C000-000000000046}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EC529B00-1A1F-11D1-BAD9-00609744111A}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CD937743-7A55-4D3B-9021-F22E022D09C5}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C43CC2F3-90AF-4E93-9112-DFB8B36749B5}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B722BCC5-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9BE1BD30-B563-5475-8FDD-319DFEB064C4}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{305900A0-98B5-11CF-BB82-00AA00BDCE0B}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90A7734E-841B-4F77-9384-A2891E76E7E2}\NumMethods	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8CD444E8-C9BB-49B3-8E38-E03209416131}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4AC9E1DA-5BAD-4AC7-86E3-24F4CDCECA28}\c.0\0\Win64	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0\0\win64	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EB41E8C1-4442-11D1-8906-00A0C9110049}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC437E23-F5B8-47F4-BB79-7D1CE5483B86}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B5A2A5EA-D5AB-11D2-9033-00C04FA302A1}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{51973C22-CB0C-11D0-B5C9-00A0244A0E7A}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18987285-971B-4C88-AEA9-2A5600861BA5}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\ProgID	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EABCECDB-CC1C-4A6F-B4E3-7F888A5ADFC8}\Version	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79EAC9CE-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00FFD6C4-1A94-44BC-AD3E-8AC18552E3E6}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C1724-0000-0000-C000-000000000046}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0379-0000-0000-C000-000000000046}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C68E3F27-AAD0-4DC4-B7E6-B3249770763D}\1.0\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60c9dc73-6fd2-58cb-b984-b03ffd47bdbf}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0311-0000-0000-C000-000000000046}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0395-0000-0000-C000-000000000046}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B691E011-1797-432E-907A-4D8C69339129}\6.0\0\win64	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3720D29-8D6D-4448-8CC4-1CAACA5673F6}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{196BAB51-2C67-485A-A74F-557182263013}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C1725-0000-0000-C000-000000000046}\ProxyStubClsid32	Fagot.a.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 228035.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exemsedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeFagot.a.exe

pid	process
3964	chrome.exe
3964	chrome.exe
988	msedge.exe
988	msedge.exe
4660	msedge.exe
4660	msedge.exe
4748	msedge.exe
4748	msedge.exe
4404	msedge.exe
4404	msedge.exe
2404	identity_helper.exe
2404	identity_helper.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
3820	msedge.exe
3820	msedge.exe
2092	msedge.exe
2092	msedge.exe
764	identity_helper.exe
764	identity_helper.exe
1716	msedge.exe
1716	msedge.exe
4804	msedge.exe
4804	msedge.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe
4356	Fagot.a.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

Processes:

chrome.exemsedge.exemsedge.exe

pid	process
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exemsedge.exemsedge.exe

pid	process
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe

Suspicious use of SendNotifyMessage 36 IoCs

Processes:

chrome.exemsedge.exemsedge.exe

pid	process
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
988	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3964 wrote to memory of 3028	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3028	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3532	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3680	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3680	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe
PID 3964 wrote to memory of 3556	3964	chrome.exe	chrome.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Module.dll,#1
1⤵
PID:1648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0x78,0x108,0x7ffd636ccc40,0x7ffd636ccc4c,0x7ffd636ccc58
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1788,i,11136671949431759836,1949192023795781643,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1784 /prefetch:2
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,11136671949431759836,1949192023795781643,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,11136671949431759836,1949192023795781643,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2216 /prefetch:8
  2⤵
  PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3228,i,11136671949431759836,1949192023795781643,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,11136671949431759836,1949192023795781643,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,11136671949431759836,1949192023795781643,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4684,i,11136671949431759836,1949192023795781643,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4332,i,11136671949431759836,1949192023795781643,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:5048
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff60c984698,0x7ff60c9846a4,0x7ff60c9846b0
    3⤵
    - Drops file in Windows directory
    PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4408,i,11136671949431759836,1949192023795781643,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:3792

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd63353cb8,0x7ffd63353cc8,0x7ffd63353cd8
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,15528332704196619639,15983402090187760741,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,15528332704196619639,15983402090187760741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,15528332704196619639,15983402090187760741,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15528332704196619639,15983402090187760741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15528332704196619639,15983402090187760741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15528332704196619639,15983402090187760741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15528332704196619639,15983402090187760741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15528332704196619639,15983402090187760741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,15528332704196619639,15983402090187760741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15528332704196619639,15983402090187760741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,15528332704196619639,15983402090187760741,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1908,15528332704196619639,15983402090187760741,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3388 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15528332704196619639,15983402090187760741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15528332704196619639,15983402090187760741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15528332704196619639,15983402090187760741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,15528332704196619639,15983402090187760741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6248 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15528332704196619639,15983402090187760741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15528332704196619639,15983402090187760741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:3052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd63353cb8,0x7ffd63353cc8,0x7ffd63353cd8
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,6303815265297570501,4204647399337214930,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,6303815265297570501,4204647399337214930,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,6303815265297570501,4204647399337214930,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,6303815265297570501,4204647399337214930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,6303815265297570501,4204647399337214930,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,6303815265297570501,4204647399337214930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,6303815265297570501,4204647399337214930,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,6303815265297570501,4204647399337214930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,6303815265297570501,4204647399337214930,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,6303815265297570501,4204647399337214930,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,6303815265297570501,4204647399337214930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,6303815265297570501,4204647399337214930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,6303815265297570501,4204647399337214930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,6303815265297570501,4204647399337214930,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4336 /prefetch:1
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1864,6303815265297570501,4204647399337214930,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5948 /prefetch:8
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1864,6303815265297570501,4204647399337214930,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,6303815265297570501,4204647399337214930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,6303815265297570501,4204647399337214930,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,6303815265297570501,4204647399337214930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1864,6303815265297570501,4204647399337214930,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6624 /prefetch:8
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1864,6303815265297570501,4204647399337214930,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6396 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2472

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2144

C:\Users\Admin\Downloads\Fagot.a.exe
"C:\Users\Admin\Downloads\Fagot.a.exe"
1⤵
- Modifies WinLogon for persistence
- Manipulates Digital Signatures
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
39fb502303014c5324db6611bd2e94f7

SHA1
e504b3e6a2c1c7fee255a210847a9cdaa8a3c417

SHA256
ed5f7ac28f634a5d78f02096f361913b6a6f1059fbe71ff522c280c8cb585180

SHA512
0a706ac8fe9821852337663ca4d4e0adbd49deef3d2e08caa6fc540aa5de0cb2a9f1b7e59347ca36680817ee181d589ce4723681195670780098dde9c6b8bc5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
210KB

MD5
48d2860dd3168b6f06a4f27c6791bcaa

SHA1
f5f803efed91cd45a36c3d6acdffaaf0e863bf8c

SHA256
04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77

SHA512
172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
89bfeff19919fa5b84efbf27e20e87a0

SHA1
30bdfe1c1e051b016aba4532d8409ae34f6596a1

SHA256
169f06f74fc58e92afa7df6820668f16f2ab64439d97ea4e58d80e6e20d0afb8

SHA512
42b4d159bd3c2bb49b325921a06eae8ef4b06794f349e4a314b6f0668116116cf8929b462b30a2038ead096ec84a388784f55197e96376241e7d78e2fdd522c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f685d726784fe135adc8fba7b53095a6

SHA1
871f7736c090dc76ba64eb1e338329afa93820bd

SHA256
2657ac34c8ab6317e471f7373be04775e0deaaae626d4c9d2a7f48d4565a3020

SHA512
2b0d73a739781c935c412d7db9dcac7834861c67e213d6b87e4223339ae2cf103a1261dc912e047e660e05d5027ec548f955408f7b45552ccf9f9c8306e7ba63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
27d6fcd74b236b9efeb51e5794a1a416

SHA1
e949f84f04bdcac88c2a6218f1ab45c54b6cc1c4

SHA256
d9b6b486fc5a4248fe21c5bb52ecd94f8668307afb9c2edf43acbe8df605f02a

SHA512
0c8665fcffe56a4515f8715a5ce8fe4ec6ef8ded9e1e7dbaee36dbc3e05cef3c200f91bf4042146e171aaf983c0a63bcda982486705826b31c378ce9c9e0e9df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
44cc1f5e26efe39b34890fcebc5e973a

SHA1
23d2dfd6cb629873ec1cc00ccd2e0bf44f815388

SHA256
074407e1c6d01c316e324030628ae1f002166f5fa72edb7c0e626963127946d1

SHA512
070105dd91880e4b303a97e47283a4d52c0f6a86fb813103df9659bb0b63bb5702d95ec15e322e44ebcce2fe811bc5f4f15e12d137682474d6905980d10f50d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c19f9858a27f43261f55d04b58daf8ad

SHA1
d9d6de38b18ebdf5a1f49ce5af51d38265b6d7a7

SHA256
bc89f8bb5c77a7f83e75d88dd954b6329aaf2d77e792090ca324cdb276d5eab6

SHA512
7db8511da0de25a6c8c327eebf5b36886db139b07a50abfda5e41d0eee70f38cc9fd3005cdfc61623d0a059cc8c527c95cecb4d7530177ba113f768895bae6c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c2608e43be3513f71674418f94915d01

SHA1
0c51714d41445d5ef8120be3aa894c6b18b4a50d

SHA256
f70dee20fa50a07828386d86b17512839417ac49e5cc46c105d642dcb157acd8

SHA512
04cfebf754ca26036c2a4d6aa11515caec0a04005623fe17be47ef5c4445fbadf3a471f8f619e5705f3dc66c2c674eaf7d7afcbb8ad6054efa4856e72e3e2e13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
164c5bc85260d8aa4fd1ae3660a2e338

SHA1
84eee7d16b88fc047e14db1c998b747ca5e26ef9

SHA256
16015e841a5433e9fadd82de0e8904503d23dcbbac123a4c9e42d5c97b486921

SHA512
a15ed85bb77a09333d421278863e8ced683d26ccdc4b1c7f5d72313ee31ab05c4e9fdb48b61ef9c5dd97a9fbf34e9def876b258f527f8929e564d303f2ebbbc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
675f82308a17ea0f7b67fe6510fd6d8a

SHA1
cd78ed23594c74053f9e60c31401124b20972409

SHA256
85fbcc84428192b31d1c93ca85bc3e5b40373e157fa93699c94dc936fe81c7c0

SHA512
f2802abc96f967d87e83c02180127f66d03572265b61aafba3985e7d62a793445d153fab855e6135211d6efd8e4a54f4e46f37bfc5997370477b55f4f82dac1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
5e48e4d00a59c8828c54c7211a8b53ba

SHA1
6f190d625df57cfabfe451ad7a997edb8557ae12

SHA256
65efc6551fe656064c49191ad753ae3bb69bb9ca5f22f6d6b4861f74429dc522

SHA512
616c63a0a8311f10abb9d318fcb389d5c1db47674f99c6c568784fa2e16f4c492bd31c1a910edaf2f106e57a6b743fdcea123e7b131924a5b3f345b85d0aa9ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
949b1b43f886b7656b531aaf8200fb25

SHA1
e81002ebf87cbec46825d8afba1560007adacc4c

SHA256
932ef4a55256eb359112dc45fe16a909ba44fd310a5c0b6eddcd6349c68d52f0

SHA512
81395ad3cc45f6d4a05ec8d78ff43da78f588eb6d45163cd77a87935c70288733ebfa7783a60a3eedc1023781165001c6da58ad7778876da5f25b0098698e697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
03a56f81ee69dd9727832df26709a1c9

SHA1
ab6754cc9ebd922ef3c37b7e84ff20e250cfde3b

SHA256
65d97e83b315d9140f3922b278d08352809f955e2a714fedfaea6283a5300e53

SHA512
e9915f11e74c1bcf7f80d1bcdc8175df820af30f223a17c0fe11b6808e5a400550dcbe59b64346b7741c7c77735abefaf2c988753e11d086000522a05a0f7781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d30a5618854b9da7bcfc03aeb0a594c4

SHA1
7f37105d7e5b1ecb270726915956c2271116eab7

SHA256
3494c446aa3cb038f1d920b26910b7fe1f4286db78cb3f203ad02cb93889c1a8

SHA512
efd488fcd1729017a596ddd2950bff07d5a11140cba56ff8e0c62ef62827b35c22857bc4f5f5ea11ccc2e1394c0b3ee8651df62a25e66710f320e7a2cf4d1a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9cd83dce9bd4e1b5d4c3d04ae5d52ce6

SHA1
9c7829eb231203c692817f250e8d3825f3d06d92

SHA256
88658e43fd0a4f79a19995cd253debfa7befbbf3004775a59db3500540d0ed42

SHA512
9e781bb348b45d4ee526c25a99b92ee4b6b41895d64223e15195c7ced0ecb7f6437831017958e7a5a424ba9ed8cb9a17f1c86544946dc818625fbc6316cb7dba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
13d455d7cfc182fe3893d72fa983d735

SHA1
4f35c7834c54787129637a26248e7f3afa4beb39

SHA256
86cf33b3d3f38c2efee7b0de0b59c9209ea42969098d5f2cd021aea040b9e5e2

SHA512
8611481ff32e7d94caa4e2e25b158611ea18ba74d1c72538d3e83f9e4ec399dce3c3e7f0165a996672d47224d494bf3add46bb3154cfb3dee2241cf9410b0cc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
f48930bc284b7213343f2066d1228b66

SHA1
37f085d0198acdee8bc858a9c2f0ed50012955d4

SHA256
52fe6cb9c8dd2df34bcac14e593a8351f46864256fafdac9ae17bc4482a52e59

SHA512
54631dadd0b3476058e3b3dc565999367abf8c3d8eaef46affd4d1eedf0221cf89957cb6f6d07c88cf126258a1d68c58bd7c46f2892c93a24aeaf9f35ba8f8c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
42cfff53d6b9e5efdeefe45fb34fd3f2

SHA1
6c64bd6ffa098b07e758f16a3b17d4c871d27f9d

SHA256
ff7af48003517931920c21e8a0775b631c9dbc64841a501e1709166616a99748

SHA512
6290b06020e645cf63439e00ac600bd58613a3bc0273b71dee7d76333051ce73e19a1c6cbd34ea9c74082463cf6784d208ed045e1725eabb948dc566ffeb2a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
528caef39ce935108a4a6617f4daacd9

SHA1
542757749881c4a80d4cb5de35d29d8f88779a50

SHA256
5e39fb212b9a8af9179a7d0469c2b8313d9614616b85d9293537d8346af54078

SHA512
6a5f9913129b4755b551d268264d61440c37de915262b19492b2f114a95273646222c5f429bb40fe7686ebd9da809ae51359dd6b54a140fbf702b50ef649ac04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
930c91cc02f15fe53374dec8c56d07cb

SHA1
6ba12a79ed6e5ef40bbef425ad144b02a8dc26c7

SHA256
ef17fa770b31c7f7a8737424634d9f1bc37386bdc2877bf6cb79fe882ebdb900

SHA512
1d4ab37ad6a8747a868f3a704699c950a6a198f4530b7c4a82d7ebedd1e66fad4d7fc198f8729baa001824c9f6020ddf908192b5103deb7f2329f50af3bc5e73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ce901d61f4291ff3a5172815107a9b00

SHA1
70d3ca8e36e55dcfd3892905dd54894f7bf39131

SHA256
3cfdc0f763daff2ee3a8417c3ee8edceeb1e13da943476dce4405ac71e90beb2

SHA512
8ee6e55c2e94ee11bc850074d6736d687ecf412c4c79ce11adc87548a3a7a0da5ded034d6fb03ab84a69de6a57c2d8ae134cf348cc8dea79897f200b7e2ed778

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
8b4b60f37a2d562a4fd3018b3332fde2

SHA1
c1fb780d2e2219b7ac2c0d8d17c6062aa19d1cf1

SHA256
227e1eab7a9297dd95a5b104d55e5b3522a8ff4d532099fe0e3cbb302685d3ec

SHA512
130490925755baf002ef6f8c88482d8da673ce3e1afaac11f69b8dd173359ed9335b3ef89aabbdb2375a5ade9e4f7c0cb892de7a84cf743cfe413469a46ce1eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
4b97b458f9cbfe342f16852d003cd457

SHA1
f5588b286148172d734f3e41808a17f990c3566b

SHA256
304bd55555b4b8349960a279029d0cdf36cb28a414304b543bc3fc3817cb588a

SHA512
f80338aecbe014caa9c1f64538cd8bbf8902c625ef32fde5ffd828d50797822e506792f1d553cf5b00783732e0bfacdd8532a239817fbf78ca81ec9d3dce9bda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
28KB

MD5
54f7eb3053a1dbfa5efba380fa22e493

SHA1
d3452c66e0469906867689ac3eea1f3bfc0209d1

SHA256
6594d1471068c7a02ee54a3776cb5f64f841d844d1f09bfd2c8a03307e935408

SHA512
440258de4dbccbf337feb622a745de12b9b3e69279e8490d38b53d7ddd73746faa8f106fde4805ea5ce382fddb2c15396f5c0d9db04dc8bc75737f1c5c2078ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
e15cc44ce5fe07e65cbea39d4efc2b95

SHA1
99ae09185112514a05b5213e211b9f0b30371744

SHA256
1d72064b1113775d0e533a2af8abad438ebd127fd29259162d880d09787cf20e

SHA512
35944e430926cc500375590b40c575a70280f53558d9045f9ab1b6e01f1b625490f6420c01ff3ceaad8de7fc28943067316e76c83f1f55b419b6619d6fe83a83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
cd0bb552eeb05640f2648191dd668e15

SHA1
3050a023ccf382cf17b1dcdbe10b90cb481166d4

SHA256
cac12a4f651c9b9f2470ac98568b6b2c2690c56b467b8511b0738ebafd4ff5ab

SHA512
1e6e2d5524f4f29526c4790d089ceb6466c6b0407c4bbcbc78174309c3086698cca1bd6a975c1f8fee0acddd138a3c4622682cb91a49ae132040927aea0588c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
878206b883f1553b4e27abb0d287dece

SHA1
7f933dadf9098f0f9884d4a7ac312edf58cc9bc4

SHA256
2663e42e7519c9030093a35df58e0253611cde4ac9a2160731d59ee165b79ceb

SHA512
33c3d26a77506274cbb05865115cb27974b7bb0dbb15081ef4413af99f53303be674cda7c5b0a3a2a3d5d942091b951e6dd069cffe2a92356e389b1eea378c27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
1KB

MD5
b844e6b453424c38509dab920a87cc9d

SHA1
00d220722c4c2f7f7078889aeda7b1ff06bbbc9f

SHA256
075b53367454b0476600c91f009c1d502b60b1584d69caf1083b2e39e6533c4c

SHA512
88c9c1e51d0130bfeff398c5ab57108f88458b1d53c89b782207b2932b2f64ef2c7150c34cecdfa3dd204a1b0da420660991c0ca8102b6949f19ec33a1bec2e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
186B

MD5
098d499fe3a42111f98967c7a56caa84

SHA1
f1ec0b3e54cfebef39a27bca3658ae8041b18c80

SHA256
8a74de9895d3a5daa8e78780def57c46f8e92b9c73fb0336b2a956494529bffe

SHA512
5ef713ebb7e013a02d007b83027d28dfb2ed6e9e1ddb5b7ac3a9d41943d5d5701dd3542a281efbd7640a8c5d7cd1fc0d80206c82cd1a9e44ef907b0e0afd0b6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
4d4af8bf1bf5f9b8d3c118b63e73344e

SHA1
c846a0643a50e7edf60b9537428c4519a651d451

SHA256
42bbcc580d2935cae8b9415dcf6e949dccb000ddcd7051d64bf3d6cf7d2faaf3

SHA512
765890e05fab847018e0319f651da40d65d6b976460003ceb80027a7abd44e99536d695a6c9f71befe6d18548d76237b2176700ece8b132197d26592049e84d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
48c6fca425f84f1c0e8230e4ac4ef193

SHA1
cc36e0dfabcf82d71ae5ce4f8ad218fa1af7a4e7

SHA256
a0148f45005122d12bf81713c2d168115a330e93e5654dc0c7807291d2fabf90

SHA512
c46ce245f561e71611bad27f2a732052faef03b6d1f563161a5b03a6e45b1435554a85eb3c7682f8e2e90ffe31201acc177d79837174a61cf145a0fd6dee9ffd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
776B

MD5
a6ab3b33a29219d7c14dd589694ec316

SHA1
7ba84725223d6045ecc8e0b10bb4e3fdfa45fe7c

SHA256
0a26cafa8c25993c04126da181465df7b1d205e58fddff82dcac1fdf5ee79302

SHA512
69d7194ffaed8f64df31f8fc589eee601cf335db73f27e718e019c9f9c48743e7d3913cbdb7a8b063d35727c2624de402fe61994e8f7add96cd4a631982ec798

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c72107dcc468e846f585f846211e8545

SHA1
52f4284052ddff6e5fbc8da45a3e877bf5e72225

SHA256
13237bb7834788fba4660c2dfe9936c2ea380547fd002b25a49297dfdb87c24a

SHA512
785983d38f5271b60f090ccc4a7e48181760371fc66bf5a2741069c1e330e9a9275837d8a9108d9effeccf56620f99e7f48b90f8b5011314d0c41e5c4dd18404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f8565d7b0bd136fd44ddf1e54c2ee429

SHA1
b998c5b1b8eebe3fc86a3cc72582169f2e191b7a

SHA256
366d651eff0874e95d4cce7621f1f20d43b04efb0dc0139b9c2604ed12b20c6d

SHA512
695cdb3e50d0768d13ee9d7b89b737fe2b877b6500d3eb75cb7434294ecc7bcfc9da3fadab8fdfa818027c6a2c9c602021dc7ba20ac7b038ac81a2eb0a65e848

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c0d8a52b3b4aefe9b3df35ad2fd51568

SHA1
f39017d47452e792364d11573480a006e0bdaa3b

SHA256
70c95131504f54dec21ac38bffe34d892f8d515ec6ff98ec3eb5b27b68d75c8e

SHA512
3388edc7ddc19aa4f8473fecc1be83f8e0c8aef116fd0c47549da30948cc8efcb0c7b96ef3d610f47e96f7b603d8fb1cc462fed54895652386dce76ab3f1b4a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6417c4b6bb8d14f20778c198ce02ca91

SHA1
bea88a38c96eedce4a5ff4d93716e38268632eac

SHA256
7375151016ad9db01018e073667513783e0726448c5c197eb6232abdef4f49be

SHA512
595499d0a81b05b04704140090ed955093845e08710b486b056e7d05b646af18e25a13d2142236e60a85e4f2c28ef338d7d6c023bbdaac0051f6b4eded8d4988

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3cee940e3c6b44b7cf5dff69d0ae8b71

SHA1
e4413b79c6e40a4753f5ea2146910772a96869af

SHA256
e9d46d26a758392f764bb995dd95e2f4a1fdff4db4435bb3b57c26546b83b804

SHA512
d90c1f7738ed3e9d243950eda1ed55ab1ea7e316aaff2a213423ab39ba606280d22e0511362d4edafd35b1797236023dd3c5ffe84bd7a6a36940572dd05dbab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d82345ec89d7b257f9ddcb52f953abff

SHA1
6b56533c760508eb5af7cee314d15786009eac81

SHA256
c0d1aacd788062c78287d8d07fe03d953b12321b51d6e0b6693df4d7fb31c254

SHA512
c7f2275bfac79e589686ac8aae0e52b6fe59abd0322784af0ceeedd4425f0502796d7202425c801908ef17ed7d5f4a357be640b208caca1f1b4c730c2ea4a39b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
16fbde2d8229154ff9f5a7a74fe06407

SHA1
7599604f81893037e46f00658607fa70365e9b33

SHA256
95ae14548cb8d06a928e96158e1d2c052537981d6706c7de535aaaf88049ed15

SHA512
9daf968126a6686afc649aaa2b73aba460f9280cde83f70425688845fd586725a30c906d73ec725b651abd9b2966bc84c600d523c375b31858be12fbaa4a5f26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b857e3ed19f818e76ab6c2905bee4f85

SHA1
8d6aa3d1986beb8a247eb6a43ae6747730d2be6c

SHA256
8de3669640ad8f6f60d22c48b92c8c81d734187451705c663e08e3a30659863a

SHA512
6837147cf883a36107fbd96eab59cf49f369a1de4f17b296c5be452c378a8a0f0a056eff9d622ca2f1a191cde412967a3e572a8b7bdd0d0d4daf84be0e875a86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
556B

MD5
77743ae3b0b3c23a59aecd9afe5812c7

SHA1
58627557861789c689fc7a1de3d53227587718d8

SHA256
f8184d81140946a52245282446b1af764c1fd715a8045c5d4cb950e2dc818bcc

SHA512
95fc08af7b9bd08a6647fb69b2098049bec754233d7d713f91e6e3e475424cf6c8623cceb3e69e2e7120a7e6f7bc05853ab8ecebe8caf9d74d65b23f97ad6af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
582d3b638f01c69ff8e03d15e983158c

SHA1
003206f6f57ec510655301b338713a32510bcced

SHA256
265b63775a7a50d4723f26482b3d7570839913c612577971925739bf0e31b2f3

SHA512
b1c2d4f3a59613fbe6b6cb802b6f3c9bc9680ace2e8cdacfa3118c0662062a1c01d0f9c7561682c204ecddfc5e5bc97446a7233445708dca6b7a5635ea63cb44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13367746242306582

Filesize
5KB

MD5
50af5dabe785e3f338afc7129f87f94f

SHA1
e20deeed32cf1bd3e4f1e5b8761024b2609d4467

SHA256
9e8edec2a27a9d720dd6e90a2aea45bf2f87d6945d1cd2ed9be73d6af3d1581e

SHA512
f56abdc46f966f87d292bccc3225b135c7ec6588d03a93c25dcad0d50d4339311081f0117f7a4d3744ad8dc9eee9b844cdb841ea7c141757efb5da3f96dd287a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
2366f688174d95c6df4be1d8d5e7418a

SHA1
88e4974ce781cd39e1990f8718639e826da2243c

SHA256
d8229eb362fcf41b347beb6c125c9af1c4c0ca035a97128fd3c8c012a7e9f9e0

SHA512
5e4e166852862364092be127283139415ec5f3b93aade3b8e06f86f5ce424afaa363c4e5d788b7e1b0461413edf1b3af2fd23a2d498bcc7fca3533f3b0e4cdc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
f97eb5a31f860f659337616fb05f2c0d

SHA1
945c66111314961ba36be025514131a1bc3b067d

SHA256
cecf0b582d59daade3a4dd326cbc738a8d206d8fc1c990e3c69f9de7e1edd6e3

SHA512
44281dc3085ea718f93e1dc4d2cd3609f026f261071efa8e93f3614ccf7deb39f5aa569aded46297a14e637129628c9e128c4e0ab7e980f55cf95fefc72cde73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c8da784a6b9ba57cffb2a836d07c73fb

SHA1
7cb4576c734d4050b82152fc5391f7b297023d7a

SHA256
15cc9e246b959f2099fcfb26f2291020f05d95d05dd17f2594ee9f803aa9ba2d

SHA512
81e67368641ffba5454cde192d09063cdae0fe2d86d8bb1c19ee430e1064a8c2a7907f0a68877e05bd7ac08992e5afcfe8a84cf710a3700df614b49b48620c0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
536B

MD5
649fd6261c749cb38c2993e659166be6

SHA1
dc1bf22f3cd64eef1382cc2017288d142576a7eb

SHA256
8296ddd08a3ae20e2996dcc9a8829991c8029d81c74d8d4230358b0c85246092

SHA512
9a359e43fda9f7cd743f1c6c4892f3e130e5056e9d1310e2dac4d3729196458ba8e5ea6b34b9d3c3017d1a27ebf6b4249f201af574b1c70aeec36040f2b9ed3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4d740bc90b4dd1be3f7e378c8c778029

SHA1
100a27615a200626f7b798fb1963106e9ade69c4

SHA256
e66b2cd6ad7d2bad374ca24db16a0698ca8412b4999444164e6e08a64ff8c7b9

SHA512
d2f1a2fbc0a3efef7daf7549116a1a05640eb7fe6af2bfc2c637e2be0eeac8fa03314682938485047dcc279961a57e23308bc06df855c490725f030abb088454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4dbb24bf5f30a674aec9aa98b8001af5

SHA1
75bfc6f26ae389a260b542c94d353a953bab2098

SHA256
f3c4c3cb10d1cb9c39771ac4243e7878f58428ddea6e8ee6d6bca9fa39a0cc57

SHA512
dde5b93f6a3b048c0ace8e5c3e5da4d6fbebf67d33fb348e040bac298fe9974e47e7ccdb3f4f05dfccff67e84d253f4ce3001a66e7236f9003c3250cd65f761d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
12441e4371bdf21236bf83e400cb2f31

SHA1
2497e9fe366e4ab4af044aa60d8487b8eb758238

SHA256
14fbeb7c16a497a369c621a799a54220375a5c3bc6a9ac71a104adb8c8f0c655

SHA512
40ac4ae36b4762198c9a654f8ab483ac65c25098db148154169b75c4e0291e2292ec921f4343f7841b4754039625ac98205bc81000a857c9dab5f02682a808f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
5a3071936482252a3d875e5e983a8997

SHA1
a0490aefca391dddce59bab7dc1450cfe9a5a7a5

SHA256
ddc0730d368c74e76f9849c7cb70798faa2a62cdfcc1cfc6957b69bf6c2d1063

SHA512
c1ffb8e2ea95fb5b9f00ef600258fb7ccce06679133b73453b27ad8752207d98aec404d7ced9b2d11116fec898acdaf9efdde1a2aa095891172e21bf1eb46630

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
320d93c6056ef443b4272a17af8b3667

SHA1
5ad8446beb31d389481d1a771aace4ac00bc5dd8

SHA256
5799a60bbf178bbda14171ddbc23ee715c1b03e39a530159af521a3c9564dacd

SHA512
0f86eaf770d840551ec67f69e4296e524b8a38b3a5b756b95e3c5caf8816ac59886bdf59dadf4e13f2cc8c5cc6bc4f1f3f4bca11401bf4e161c7523d48a0ebb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\df7a523c-a337-4fe7-8a4d-5dc94b40e0be.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
fbea89e0c9b60e4fd5f100efdb3c1771

SHA1
cdc141de6fff40c30ebdcd0a8b0663f35879f355

SHA256
40c670589a4c98f83f7d5bcaf7e362f1353227d653d4b1aca6751824375b58d7

SHA512
e346dc22c0928a1b556a1b8d56ac5b97cd2b15a4d4dd4a3d26dea16e2be2666b67bfb52735e7bae14f70daea2e94c47e73b8fdf332adf803a5fe554e7fd5620e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
19B

MD5
0407b455f23e3655661ba46a574cfca4

SHA1
855cb7cc8eac30458b4207614d046cb09ee3a591

SHA256
ab5c71347d95f319781df230012713c7819ac0d69373e8c9a7302cae3f9a04b7

SHA512
3020f7c87dc5201589fa43e03b1591ed8beb64523b37eb3736557f3ab7d654980fb42284115a69d91de44204cefab751b60466c0ef677608467de43d41bfb939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
52aad79053f481a4e4de08e476390375

SHA1
563a6d043c0cb6fa040b969cf1e3c1a73e0e5bd9

SHA256
b43e17bb84cbf4af8061e47d9e9927e4a95bf79775fa2e567d8785f953c096eb

SHA512
ffcdd4a9f3193cb637026245136b3a47dbc8f556c742d434b004cfd42809123810d960ed24c8dd1f84230816c8c36c62d8b8a1086b29328470888f460eaf62c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
318B

MD5
7ce0db5e153a7c961fc6418067c08261

SHA1
200caa9d7b10888d357ca802905504a322b3b45a

SHA256
974a717dec1b37d657e588fd57c2baf056fa910ed7ce8bbdca4af44d9fa95537

SHA512
94f4d56d774709fdb893d6afd731321eeb375b041da60c8a8c39935fd53697e290420b1be9c01c67dc025dff15999e97c0ba22de07a33780cc681f92f431193f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
89051516936d0ca2e324023ada9e137c

SHA1
e8df2d8935e61f9b1aa741b68f382e48a930be53

SHA256
92ac8f5aeaa8d17f36cbc55b0bf4f94985a2578149e9ed1eaf1a8009f5659fef

SHA512
493199d59a1ffde1ebecdbe0322a712dd4e4114c79d9d7a5c8b50649f76542239076a1e7d903841800bb9651af91c213d584dfa1b8485680e7c747c8a436000d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
addf697af2d2c3dccce2d63a4d3a0e67

SHA1
be938210188e64ee1438c95ade2b9ba6d972a164

SHA256
103739f9f7cde070d17d9e0312cfa2c232cd98d22ed5eacc6ae57210eba676c8

SHA512
8980a61871503f77bc83dc20316911489ee15ffc8cee6370e03dd4cba8eada9aee208748c994aa1fa0ddc0dfafc2e9d4643bba000930e7673f63172c4e0c99c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5b3f303010a1d44c95036e024694a700

SHA1
dc4e5287af8020e985876283b28ed8320b20251b

SHA256
f2b2d3d1ef4a6000acb77f852f4cb2cd5dc34a55aa4eb7049c20ac05b0b69c3f

SHA512
259252153e6eaa5590531526e93fc23e27b579999c45aa9b591fec256bfaa13a1bd16c0618b8f8c967a193772f112b7ab3076e7362d8162b74282b6ac95adc1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
53ca3aedf1fb2547330b5766a96d4f21

SHA1
ad20ce1602442f710cb218418a069a9b6c13e00d

SHA256
214f7c66b14c9aedcb1a74588cb5e1af7fa881d017fe7d1cec982c0fadee6a1c

SHA512
e4406cda4f9642eb27593fe9d0b8e77b3cd1a03a575544f70985484471204862995d53964039144ee766f1a0fe775c029adac80f230e97c3f8a7b47f9f227178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fb8256d8ae5734c6eb51bdb78541aafb

SHA1
7f19dbd96cbee7f6ed3b5c3146caff1759dec3f0

SHA256
3be8b945a4ff5876dc57fd051df2e35d1204ecad49a8892dbe6e1eef82c8eb5e

SHA512
a24ac43b54f5aad49a5c81d0795462364a014e9eb8d3c59049047595cab4ec5fb4598cd3d61281104c5c69cc48c60cd0f144af24c7ada26677981ac1924ddda9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
030ed25d351be381d3d5e9f378086ff2

SHA1
f3e3cdd3e0ad251d410ac5bef4ae276ae755b76f

SHA256
d4cf6263156b71486939144701817d186428210cb85a18ac8c8ded63c1169af0

SHA512
4a30ffe61b550704d8f7e70f6dbda4b756c1f5189e80a5fe4581eb345d9a2a112254a8bc35a3461e27890ac4bfa332b1fa07c1b4fc0456572c28a38d514a9a7d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 228035.crdownload

Filesize
373KB

MD5
30cdab5cf1d607ee7b34f44ab38e9190

SHA1
d4823f90d14eba0801653e8c970f47d54f655d36

SHA256
1517527c1d705a6ebc6ec9194aa95459e875ac3902a9f4aab3bf24b6a6f8407f

SHA512
b465f3b734beaea3951ff57759f13971649b549fafca71342b52d7e74949e152c0fbafe2df40354fc00b5dc8c767f3f5c6940e4ba308888e4395d8fd21e402b3

Download Submit
C:\Windows\SysWOW64\ntoskrnl.exe:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Windows\SysWOW64\ntoskrnl.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
\??\pipe\crashpad_3964_ILMEBLJGOKCIBMJF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4356-1195-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download