hxxp://drive[.]google[.]com

Analysis

max time kernel
519s
max time network
520s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 01:35

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://drive.google.com

Score

10^/10

discovery evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
13	drive.google.com
233	drive.google.com
376	raw.githubusercontent.com
377	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeXMP.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroSup64.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeLinguistic.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapter.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXSLE.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudt.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGM.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIBUtils.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pe.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libcef.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libGLESv2.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\DirectInk.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt40.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\chrome_elf.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\nppdf32.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\CoolType.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\logsession.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libEGL.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_asym.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_base.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_ecc.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt58.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ACE.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icucnv58.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\rt3d.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\d3dcompiler_47.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ahclient.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIDE.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIB.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_base_non_fips.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A3DUtils.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\d3dcompiler_43.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXE8SharedExpat.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	7zG.exe
File created	C:\Program Files (x86)\Adobe.7z.tmp	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ExtendScript.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\JP2KLib.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFPrevHndlr.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ViewerPS.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Onix32.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Acrofx32.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Res.dll	7zG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	7zG.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoEscape.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "91"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133684188738783328"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\20\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	7zG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\26\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	7zG.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlg	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	7zG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\2\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	7zG.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	7zG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	7zG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\20\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202020202020202	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f44471a0359723fa74489c55595fe6b30ee0000	7zG.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	7zG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	7zG.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	7zG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	7zG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	7zG.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000010000000200000003000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\NodeSlot = "17"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 6c003100000000000259006510004143524f42417e310000540009000400efbe025900651259880c2e0000005f07000000000200000000000000000000000000000009a83b004100630072006f006200610074002000520065006100640065007200200044004300000018000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	7zG.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1852	msedge.exe
1852	msedge.exe
3704	msedge.exe
3704	msedge.exe
3136	identity_helper.exe
3136	identity_helper.exe
5680	mspaint.exe
5680	mspaint.exe
5588	msedge.exe
5588	msedge.exe
5588	msedge.exe
5588	msedge.exe
1028	msedge.exe
1028	msedge.exe
4444	msedge.exe
4444	msedge.exe
3092	msedge.exe
3092	msedge.exe
3344	msedge.exe
3344	msedge.exe
3460	chrome.exe
3460	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1028	msedge.exe
3092	msedge.exe
3640	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3704	msedge.exe
3704	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3648	7zG.exe
Token: 35	3648	7zG.exe
Token: SeSecurityPrivilege	3648	7zG.exe
Token: SeSecurityPrivilege	3648	7zG.exe
Token: SeRestorePrivilege	1048	7zG.exe
Token: 35	1048	7zG.exe
Token: SeSecurityPrivilege	1048	7zG.exe
Token: SeSecurityPrivilege	1048	7zG.exe
Token: SeRestorePrivilege	1976	7zG.exe
Token: 35	1976	7zG.exe
Token: SeSecurityPrivilege	1976	7zG.exe
Token: SeSecurityPrivilege	1976	7zG.exe
Token: SeRestorePrivilege	5680	7zG.exe
Token: 35	5680	7zG.exe
Token: SeSecurityPrivilege	5680	7zG.exe
Token: SeSecurityPrivilege	5680	7zG.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3648	7zG.exe
1048	7zG.exe
1976	7zG.exe
1976	7zG.exe
5680	7zG.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5680	mspaint.exe
5680	mspaint.exe
5680	mspaint.exe
5680	mspaint.exe
1048	7zG.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
1976	7zG.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe
3640	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 1396	3704	msedge.exe	83
PID 3704 wrote to memory of 1396	3704	msedge.exe	83
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 700	3704	msedge.exe	84
PID 3704 wrote to memory of 1852	3704	msedge.exe	85
PID 3704 wrote to memory of 1852	3704	msedge.exe	85
PID 3704 wrote to memory of 2832	3704	msedge.exe	86
PID 3704 wrote to memory of 2832	3704	msedge.exe	86
PID 3704 wrote to memory of 2832	3704	msedge.exe	86
PID 3704 wrote to memory of 2832	3704	msedge.exe	86
PID 3704 wrote to memory of 2832	3704	msedge.exe	86
PID 3704 wrote to memory of 2832	3704	msedge.exe	86
PID 3704 wrote to memory of 2832	3704	msedge.exe	86
PID 3704 wrote to memory of 2832	3704	msedge.exe	86
PID 3704 wrote to memory of 2832	3704	msedge.exe	86
PID 3704 wrote to memory of 2832	3704	msedge.exe	86
PID 3704 wrote to memory of 2832	3704	msedge.exe	86
PID 3704 wrote to memory of 2832	3704	msedge.exe	86
PID 3704 wrote to memory of 2832	3704	msedge.exe	86
PID 3704 wrote to memory of 2832	3704	msedge.exe	86
PID 3704 wrote to memory of 2832	3704	msedge.exe	86
PID 3704 wrote to memory of 2832	3704	msedge.exe	86
PID 3704 wrote to memory of 2832	3704	msedge.exe	86
PID 3704 wrote to memory of 2832	3704	msedge.exe	86
PID 3704 wrote to memory of 2832	3704	msedge.exe	86
PID 3704 wrote to memory of 2832	3704	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://drive.google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9115346f8,0x7ff911534708,0x7ff911534718
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,12764604854221925449,18102547632966929401,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,12764604854221925449,18102547632966929401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,12764604854221925449,18102547632966929401,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12764604854221925449,18102547632966929401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12764604854221925449,18102547632966929401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12764604854221925449,18102547632966929401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,12764604854221925449,18102547632966929401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,12764604854221925449,18102547632966929401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12764604854221925449,18102547632966929401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12764604854221925449,18102547632966929401,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12764604854221925449,18102547632966929401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12764604854221925449,18102547632966929401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12764604854221925449,18102547632966929401,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
  2⤵
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,12764604854221925449,18102547632966929401,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4740 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2100,12764604854221925449,18102547632966929401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2100,12764604854221925449,18102547632966929401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2100,12764604854221925449,18102547632966929401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2100,12764604854221925449,18102547632966929401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2988 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12764604854221925449,18102547632966929401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2580 /prefetch:1
  2⤵
  PID:5916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12764604854221925449,18102547632966929401,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1300 /prefetch:1
  2⤵
  PID:4280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2968

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6008

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap21409:60:7zEvent19737 -ad -saa -- "C:\Program Files (x86)\Adobe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3648

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Program Files\ClearRegister.bmp"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1752

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap17257:76:7zEvent16113 -ad -saa -- "C:\Users\Admin\AppData\Roaming\Adobe"
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1048

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap32369:72:7zEvent9282 -ad -saa -- "C:\Users\Admin\AppData\Local\Adobe"
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1976

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap32411:72:7zEvent1262 -ad -saa -- "C:\Users\Admin\AppData\Local\Adobe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5680

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8ffdecc40,0x7ff8ffdecc4c,0x7ff8ffdecc58
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1836,i,7508331227276824302,66595537515552243,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,7508331227276824302,66595537515552243,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,7508331227276824302,66595537515552243,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,7508331227276824302,66595537515552243,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3432,i,7508331227276824302,66595537515552243,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4580,i,7508331227276824302,66595537515552243,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4860,i,7508331227276824302,66595537515552243,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5204,i,7508331227276824302,66595537515552243,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:5560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4056,i,7508331227276824302,66595537515552243,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3400,i,7508331227276824302,66595537515552243,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5268,i,7508331227276824302,66595537515552243,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5088,i,7508331227276824302,66595537515552243,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3348,i,7508331227276824302,66595537515552243,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3344,i,7508331227276824302,66595537515552243,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3416,i,7508331227276824302,66595537515552243,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4880,i,7508331227276824302,66595537515552243,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4544,i,7508331227276824302,66595537515552243,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5496,i,7508331227276824302,66595537515552243,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5472,i,7508331227276824302,66595537515552243,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4564,i,7508331227276824302,66595537515552243,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5792,i,7508331227276824302,66595537515552243,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5748 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4704,i,7508331227276824302,66595537515552243,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:5560

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1304

C:\Users\Admin\Downloads\NoEscape\NoEscape.exe
"C:\Users\Admin\Downloads\NoEscape\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4476

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38fe855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
PID:3960

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:5728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\47679e83-191f-44b9-88d7-8d05cb7c68e8.tmp

Filesize
11KB

MD5
1417f60ba133dffbf8481f18d39eee4a

SHA1
195b3c161175bdcec4f2a2995047605e37c5f9a8

SHA256
9523c9c8654253baa36020f70b6bd02e0eb7cad2d32e70ca1f64b6745303f703

SHA512
790b0ae482cb071487d350f0a948b14d1b85660a1f82b4a49a64034eab1f7bd2beb53dec92cbbfab160d36b938036bb820cb79d197e0d80a3d524992e1dbb9b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3d03123fc63fc26b03023a8b1ec64f9c

SHA1
5420d94a7efa9f10a1df7f8bd4df6cf4befe5172

SHA256
c0f65f64a9c3e42ab436fb81341c64c23b561c337279673a53e3f3e5f3635a80

SHA512
5896435ba00c07a8b69c7f1b9804a808922f1c06456d7788c8004602323c9b8be56bd7cf318684846c8ef559c5888d1ca78f1ae7ceac66109d6220e511302424

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5aba7669c39178c4ad916ea0b89f0ebe

SHA1
c92e1ab49c65294de77180e3a27ecde6deff0b90

SHA256
aefe320af2ba02d9277ec43301e1d15f1bd874cee32bdc2854ca8f27137eb364

SHA512
5f9450efa3d43fc0a02aa8df6343530540b8a2c6eb00a09864e8357f72589c3f598c286cb69dd77a7f7b2fd57fe417d598074331c312f3cbd6f3850acb6544e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c87f461a53e33ebc62f863d96708ba4f

SHA1
a75f0ecab5783419a989360590984d78c7c724a4

SHA256
98736238131deeb44b7a89afd39cd01df8279a92c2ee5f46766f20a932df4fd4

SHA512
b51a9882d272e0d8fb8982eb9ea2d7dc7ebe43d084a36133c3d5591a0468a15f8c5d37a968f484a994a764a47360203f1670ea443109a9673dbb85fd67004089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
eef23157b8e5453d5657ea1cb901e896

SHA1
0552bb6201c36fbb63a10db295c96ffffe8fb4e0

SHA256
d282d5da08442981fcf3da61b430797f2caa023e123d85837a4d82ed40f0b5d1

SHA512
c1cc4d8c352ef3a3e0107c50077d73985c5fbca17e2a1c8d4920f87000dc78962f3d6209166ea9b1ae5791e40dcf61e1c5d296ef41e7f62fcbcf3d3359519f6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
c02907145f6e89c618e7032f98358de2

SHA1
2472054cc02bbb828b7b2ae71cd83fb12e7a8d3e

SHA256
25f415e4fcc55c3e2b2d95d4b69bdb2ec759266e623c0ce74989d0362e824ee9

SHA512
1fcdc4dc09fffbfc0a73a4c4248e15b023fb494207846143393013a60ac3e785ece339b2a5e557d88900d59fcd0f5b90e67449fc1862e5681624f821a68bb445

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2cfac172fdfbd9cd473119158ac175b9

SHA1
5e5737684061b5aa15c812dfd6f56c8a61b3e425

SHA256
a415d2abd151d2ed3d7f58fd7e7c24e378fb85a6f7f14dccc1f8d2f753ebfa26

SHA512
ef2e8e89a2a183762c480b96b48d56a97ec9e2e1bf93d51f549fc68186aa9b8ade60dd0e6a9bb57aa89227505a166e7337f6d7e1344c7a50650e0e27f7003742

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
146a193913a11fe36d6f5a990a7c7280

SHA1
4c291443020899959dede204b15f3a8bebfbe3a8

SHA256
4f546be29be5b69a97997ce2a4a128022e32689bc755f7b153acc514e6305fa6

SHA512
6c70430aa17cf198d731da909f537eacc6439de170f4f62b146b4c6b81aa5ff67054a3fda9cd757409816722573d30759c6acde3f6836c03a2002ebd625e0668

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d85da32bb3cae3786d5888c56e9824da

SHA1
cb1060e00020da38b400f4eafddb10f8dc284e9c

SHA256
f5fa3c47e895962d73b8d24bafbe59d665b0e7ad60bd90176b627a88c411f8ba

SHA512
2d5d76cd6cb6603d1e13244a46e7073cdb2baf75fb065f8a99e524bf70e1b222268e0fce51139d020711353d5c20bb29c8637c2ad48f44309ca5e1f8b5712bdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
61ac4ddb71aa6e209edff017e4a3a715

SHA1
56b1568c926c2657e7653ec010f9999ce09f9541

SHA256
904d98802a17f6e35d37d26b3052b9c0adc20cee5de33cdfbce13509ba76fed1

SHA512
4c8b76a51975bf9940b26a7212200431632453ce7b3d7a992b234a42c0b9072d5cfb62cf8043a2b9c5b7aaf7c4c9293f3fe1ad78f13d4053f128e846175c7354

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e70932364d0571b29162f1351855c475

SHA1
2e6feb2e6d09093563cf81f8bb80421b01e0c364

SHA256
71cce332d53ef8c5a704bf6ffde944a8bf0f83f1a61ff469450b9d5fb0312d52

SHA512
ea74c728e272ccf73aec37be37f2b1780bb4123c372e7d9867a964ca55d90a9c2ccf829385a28936996299a8342dfc8b2acdff60befcc4a6d3a79c6d884182aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9a392bc8c207f7122760a2cd9ce54d86

SHA1
dc3e857b8179dcd75d40aeceb5cb03a6c308b888

SHA256
37f937611f7d395fc7901dbfa28f3e3f11ac2b1b7ebc41fe967b1fac199f0fd4

SHA512
e29a4b812ec1a19f606ffb8db71986663ed744643439812e4980086f5a1ce0ff7892d537695ca928a4472df946b9ff74043ec4f87c9e693c05f200f6d2f8766f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ffa26352901eb8fcd4e9229c3d1b0969

SHA1
7fa045e2f52280568d8b4bcca4354a869e1807a8

SHA256
235fcbf8883a1edc5eeb2b5da42c60517dd9daac7154d3716839917cb0fcf67d

SHA512
8cfd195bd8acfdfc66d75d0f7de3a4e5fb293839ba28aefd714582c0bf4b44dd01f252e6c1bcbddd85fd345277a07e7d205f62f45e01efa42875ff920a855f69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
392f0bc76d852819accc5b34e0f902ac

SHA1
22a3a71a0b35e83b19a9e08a38f6b94116375184

SHA256
90fbb47e97cb7639fa34e50a64361cba0984a32e63c6a1fb051abc8e62ef0ca9

SHA512
28e54dba18e9d3ad94dab106aa7463202f7af63dbc775f71357d8a9018e758b6395f8a6c408490c2e972a975110fbe3b0d4c3c55973c84b5318b95a6e59efbf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
77a9d1bb16836a81063fc3b7d2fb1d4b

SHA1
e20d759183f378f322a6799ded817bfea9097c8b

SHA256
5b762c01af635099503dc568f96382336c7a8ab0e3bad79ed61ccda442c75107

SHA512
65148199f18d8ceae112da8de7a4a07357227f6d2fce8fb7417a42ae33ce249ed4aad3ecc62fd5d27d6821dde29b7c984577383df3ef652add5b7ae0f4c6221c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9ca4fa390a21beff93f176c269055947

SHA1
89fad7598c0d3026ed73d5f61b321a90b7f24663

SHA256
97d0a3bfdad395207b6057ae00aa8b9f0700d73ae9e204bd879a23985d18faa5

SHA512
41668fe04a3e9f6a428972718bc1051c88824ac25389953ec44c98a13eb046560acffa29b4be78a5a776be595e2438321607aac7789cf449f81f8a24b5ad8fd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
7ad6f5cef31dbba373dd67be310394aa

SHA1
fec12173b0277702ac3290af585c9518df279dd0

SHA256
57f35a4218980f396ed1afff920121a83da927c4b5331e6198af7ca12cc83540

SHA512
fb162761ca5fa69010522ebe6334a5ff6c3b58a4472b6a02ea25144ec27549bf942aa0d5e8d0e86e1b84fd739433539ae61024a592eba81a9ff0388eb2daceaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
82B

MD5
9c12ec41b948e46a5108b7dbfaf1d16c

SHA1
860c5126809bae1950aa06800c5c1bcdf05f6c53

SHA256
34291f16a0ca09f3129132c388fbf0d909778432ae92059c6d85f77a622dc004

SHA512
a93099ce7e7896b91fe111c44df3beece4828d40705f08f403c63502cf778822f276a3d40f01bee3433b8b1de32cfeef9c8b445bfcfaf56befae6b3ec43f463c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe5dc055.TMP

Filesize
146B

MD5
0d2587bab52eecc1223f00f1b6797bb0

SHA1
26a477076f2e9b66dfa0e51b0e898c9e7d0aa904

SHA256
f0b21f399e60d115f4fb2d80e60e8a9dff09ceedcf3abae4e853593d65463cad

SHA512
88d777d5fd57d6e8f209c69ca14cdb543f3f90f21eb7b34ff1c3c27eb7bf68f23261a789f362af930d70445e0f7c02710b74e72a2dc5263a0592c64c737bfb50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\IndexedDB\indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
90b8ff8b3c0a5eb900e76363d9fda5bf

SHA1
439e6fa6f23fecf5592bddf092172e13bad4188a

SHA256
bc663e0d0ef14cb7e7f4b76b905be434f67bb9029732236964213157f4cf8b1d

SHA512
146c244dca622b83952247715bf3369296e019bc5003241c99f7c29edf531a44c08de33fe5dc6b3fbd92103af11d735ba666eab0cfd7148bb9dd2062725494b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
b2778f16506ccb66011bed2563920875

SHA1
3150eff2e4f8d657783af6c0cd103701f55ec1d7

SHA256
c46bf5b9e93e8dd5e4a10bccf43ba0ce6ab401555fd9b79cbe9503e3a7e57ba5

SHA512
6509533e71a7dc92e09ffc7c4893a2f0566d893673acc1a85dd78feedf9fe389945629e856af964936f5951ebafda86b9b1f073d30e4742e1905b7e734a18fbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
16270146ad14a528e475273312378112

SHA1
541ba5938029a37747bd3127add312c463734c2b

SHA256
70d6fa838c9a6403dcbff706d7e758f3fdecc8fc945385a59f5713511fb83f9d

SHA512
9d467c296f7c6342b996609d6712e76b42475a79f49e7baa177f26df19c1499170a65cfed6112e2eb4c565a0d666b76752ccab2611d515fe34948ea1d1095719

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
81ff62d5b710bcd9f3cc71c987dfa2ce

SHA1
1a5b65992b947b62ed9564ac1cafd59da68e9412

SHA256
63f272a297b87461187ee2aab0c0ce7373fe9d5804ffc8b067d7c94686650b06

SHA512
f37188a0b6478039afd3cdc10041e426a003f8d4562e07aa3c2537cf15c9f490bc87580face66ff23b82cfa75c7e724eaa005ed405572a83747559f1c01fd391

Download Submit
C:\Users\Admin\AppData\Local\LOCALADOBEtemp.7z

Filesize
64KB

MD5
e73a32445de703e4f3471b5a10efb287

SHA1
706199762077b6e63b75ef7f5c5180491e3189a9

SHA256
5d9301b218d8855903ec4a224a42e8e5048435e3d6a4a909a1d1aeeda7c75eea

SHA512
b281c28428a2b33334eb6790df6b032e64176aced01f7604c09e79c43a9e99adb7ac9a945fab35c73b2f3b8e8758a3b0f3291f08f774d6753f9f582ab0537ffd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0b7252fe-d3be-43b0-8cf4-e4a16df144be.tmp

Filesize
6KB

MD5
e5a5c18c31e3713f894bc9d4b19ca7f7

SHA1
837edbb4692e650a8ca49f91588ff14d9a990cd0

SHA256
1596c6aee4c254c0c698898a52dd1fbaceba87f8436b7124467e913a193b5fb7

SHA512
ec390907d0fed0ab2ae88f321fca1cbed55580d4dfd397997e2b330331eb7daf900a658f29adadad667ddb44e49f9c35ef62b45737c498a805718744049d152e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
51KB

MD5
f61f0d4d0f968d5bba39a84c76277e1a

SHA1
aa3693ea140eca418b4b2a30f6a68f6f43b4beb2

SHA256
57147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc

SHA512
6c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
34KB

MD5
696e100df8f294c254717b230782623d

SHA1
ff6b65f23746345e470f8182d97f09811334876e

SHA256
d9b88866ba07e243025c6c59a50745e014f7179f7f6da9e84ee7c3e46bcd6566

SHA512
384c5dcee3c50d93d1cc6a3ab0b1181e78dd2f10be0347c974d4a70e7bee6684ded1445c20b7244c6bf5d4600a785aae32d6ea0d4de8b57e388ba0480966e150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000061

Filesize
28KB

MD5
bfb4ad144233248db8f0b493c9f53943

SHA1
75f204ac49008ca945d35db03568db5ffa2ee27d

SHA256
57819395af403b8697d446c0ef64388fd0f4b33af5647bf8a79d0616cd903393

SHA512
0f5f4ffdc046a81da203998f22ce0f156036b3c14646faa1b1c30d6bd0cf5138b70b3d5ac60b2b6eed36d2beadc108b78119f757bea84705ac71a8f1b3d4dd6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d6a7fb980bd095d34ad394c59ff11668

SHA1
0b81e8200774931b3bda581fa1dd2f2afa1fac4a

SHA256
7ea053ced83e508182ae15d903378bf2b1c7327a9f36db503b96258747280768

SHA512
65ce291295c3eb897ebbb2b4343ebff40b128dd57c6543029559a4b04599fb1ccfe76b9140831d8d5136a2cdc94233709da1999476b2a6964ef919ddf25154c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fd2b07833f65a5d855bf4e9a2656aaad

SHA1
ef601d109e412845c1a47371b0d757bcc6b1ac8d

SHA256
abd15d70e075b4fca419a96d05a5a65be29a86c8299d915402f2ca2942823674

SHA512
09e97cb450cbac6578500ccef130f50881a6a36d71c84d3708d401e7b6abe0309a3019316a0ab9060ae663c6f641a05c34c9241a093d32efa8f9822d609861d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0b20194813fc20ae20a9969e0fc540a3

SHA1
5b2620d233774673d075a15de0a3994eaa1ad298

SHA256
318fe21cf3976408fe5f3513fd76d34328ea2ef7db1efefafd91c8dbffd8292c

SHA512
a22385c017392816bb88e7747bb083dcd410ae47d294582fa916fbc31b47e1102a3b2a6dd9aca90b2476ba09e85d7c79f1db63da436572fcb68d7eda270b0684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d57a44cd96291eec62e2aa14035a6007

SHA1
ec8a5a732e04e4a17f49c464d690bdf634553ae1

SHA256
36cad990046222e6ad4262000d45024196294e961d17611544ccd7540714a620

SHA512
ac42223f94d643f7c3f5f6a24c7cd4ff5afc5df910b6f8705c83c91a49609c77dd33fc0c4adf93a5d6166fa39d70cf0ecccbcb5870fe8ac6a6c4c264e72c8347

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
99c6c7feffa645b5c462be8fbba715d9

SHA1
67a873d069cc3b7cf539166c807bbb107e9590bc

SHA256
ead2775184d97628a95d8cb26988316cbbff7603906d35d0d78a33eb8ffae577

SHA512
b53b749a649faae74c7463fa42d3928a5087cb713b0b3e57b4e574ef4d2b4ad8351c7a088dc60c97a5ebc76291ff0140eaa341da4e735e025a8eb1dfdd3f7d0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_docs.google.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
3125188752881ee9503e08ee393f8095

SHA1
8690838c5606dd32bba842127ba4e97b5b3c54d3

SHA256
987e991863828d05164c08de88af4a9cd497dcaa877979bfb97fa9a3f5044707

SHA512
a2754431b254220201a6abeedb60f7a61438512846733db94887a2b1c5391ad0bed9df8d5f401120155dfa53ac2557b4dbe361a7c20a1838e0209c562bd9ff0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
4e758c6aaac6cb2ee2a5c616e5f45f5d

SHA1
885d8c38d4886266670f193be63b7cddf21e5bf7

SHA256
19fa829f480ed7de71872f612bd961d709fd6c199b13c573ddd4fd7edca24ea6

SHA512
e03a914cb3580f2e1e9b6eff84c7814ac66dd068eabcc0fc77dc19568f41f7701c5d2f18f5d25d0cb529e009b522679111d18566f554a64f78a51854a9fa6967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
4f6fe008d40df37eaa1dd679f52cdda7

SHA1
0e6cd9fc59836b618e49345d1f4a5bb79ad6818e

SHA256
5909c235c026ed51f697ea8f3087e6f4d00272d682c389aaf6002fd4236daaaf

SHA512
111428a3898385fc1e4186d01c803ed7910ac76c7ebe4cc1617becf441011eb569140d4ee8986237bff2d18305512bd841c02fd2480e6a0614a84703101689f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
26fdc7a8557fea891385892513ded2d1

SHA1
1ab31d0dcdaa0154df2723fb85086d3fb79496a8

SHA256
1e5ae9c3f3c27a18fced6945b4e5a7142477eb894e502ef2843d5af9f0de4837

SHA512
a7a6dfefebaa36536935ebc67d36a5b8f87326182deb85aa68e2a2be57b2ed9c37ab1b1b6e060a085b799ce97bede3ab3de0bb8dd9d1e5d6c125758fa4d07e08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
8c0fc25a5262f348b157c3e2839e2963

SHA1
b7d9ca42e8cb95e3c471fc5b46835c55c9219955

SHA256
c1407dd1d8def5aba637a726f6761bebd001b0a7672fa91c87fbb8323c251e39

SHA512
834edd654a6be13f0a373a7b9d438bfbc62adcc7d0d0ef98a9dc2127b6b3946c39f720e743d6d079e04fcabb65c61b6b050a8447468f02e04e2c2aa428140841

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
2b6f5e216edbf2441b4515b93a956189

SHA1
d919df790579154761be8718f9f4618d954bde07

SHA256
4bfc771ec4f051570bcc9f66e4438e8e0efc0d20219fda85991447af11edd6df

SHA512
2906a4333bfdbb1b98614b2904cb11bcd6cc3e35e75f369c276c03901a31ed5c3a93e345ec5533b6a8e08cc6b14e13b5466a98f75e96e04862220f8daf6ccdcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
c5d0440ae4ee5e7e2d99d1ff48033643

SHA1
bb014330e68690c2e486cdb699cb0c94e270dc58

SHA256
e6cb9d49abd30c9c90893d09d3741decfaf8f6720d1066ee8a03859fb6bea292

SHA512
42d73bc965a08a53f39ca420cc3cde51234fc290d4e0e40a8540047decc102ac365adfa035eb804ccd37abbd5a13be6509ee08da8a918070f74e676f524af182

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
70134cdf1495603b3c50da48eb0664e1

SHA1
125954cc396d62446b6de04f7e85f32d2bc2f7f0

SHA256
d2477fc85e93f7bb0744329994f48833277db70fc8c28b22463baba8e8ecb918

SHA512
ef8abf795e2e9ca510d86426f19043be3857bebbc13375198237810533e140a941243cc08b64549b75a599155aabebef19977aa11a8e3d1113fdae341ea8b4cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4c6f110cbed1bd017a50caf39f2280a7

SHA1
7065211207272a378197145464a366759777d1e9

SHA256
1680e21545eeb7d1f39684364308ff3ae35fd829842ee2ded5675ed72e24624b

SHA512
719239c2a221ed72dd037c300c11313bf42f94ad784e9c518b331f474dea12deb6f167ce8d7eda8e403b5e9c6a3056b3424926ac7b6c275d27cba5f260099615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b1bf81f6ceadb8b684692de4b7b471b7

SHA1
962c61038afaca6f4b439e71f927cddea3b66bc6

SHA256
427023310d2415acc5008c53063f576bd74d1edd2dc94bec7dbf5428525c0ade

SHA512
bd9b5cd83b274174dc78b1ca260417d19a82cbe2d189ff3830e3e9684ea0bb75d1c068f6b621fd548c4fabdd335e24885b5cddc70694977d3fb488d3972d3d14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
127aedd23e2511b682eb1ca9cac78423

SHA1
1d819398ef6468eef5cba23a551bbfc72a3657d5

SHA256
9e177f9e2a54e9a4de39dcd89e4329521cd5ac502662833df9ea691602c1045d

SHA512
eb723abbdc9fe9993b4a2a3bc925619db0960d87a2104c2b245988c2531734624cde325cdd2a75486548ab1355865e3f458210cb903619bfdafa9d08ef27176c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3f4bf50c49f7d53a57b6de4a6f1c9007

SHA1
888e36478e4385d18d4643a2e8c75f598f302f24

SHA256
791725de03b5b9306e85a63771ddef1b6dbf680554c54a992109b41aed020c1a

SHA512
95424c3fbe15eb7b4ca253228211f7f69643fa9aae2e378eb56f444c3152e7dc1b170ae0cf8e788ddd152087b0a3abea0feefe81e5dfe257d4a85958393f2078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a9350d69a153e3965b7bcaa85b076583

SHA1
0b6293e7b310c7093a885d495e9454e0942201bf

SHA256
73b1de042727559c4e3f9dfb58b87031cbe18bbbafd67007b31a423330599289

SHA512
1cb595c316caddf7458e050d663af37197f13df9f42cc873da859647a87c57b9e2a4cdb8603fca6ac611ca27d6c3e5e4535a14d430c7575b4cf6b0eeac942961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1389a3198e775ae07f40ec46de6d4b05

SHA1
2962230e73cca9dc6b71a69edd7a5bd5b1d57447

SHA256
cb9d1dc6ad1aaf5df7e49c362fc565937ad1d7529fd68b2ce17b8089a87945b6

SHA512
a4cabfad958cc0c82e0d2e5b2171130134300085b4c4b95b2c3831031296839c7725fca67d5a50124d118b9d9f5fade80bd604312f8bee97fbfdd0f950787e76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d69e8cd64794508ba52ce1255693458f

SHA1
6f00c25d4e81aab2aa96b8b21aa41092482709dd

SHA256
053722b29a024043a8401b4061588faaba5e86d04dc8430766826ec14992ae30

SHA512
154b0e51b53d6348b54816a3bb0d18a2a5ff38db021f9b3b866727bff23ed04c6c26c729d271f653a915c68934b1fd7434aab0ed7d89b40cd7caa5e12c263ff7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c23d89478c6552a0c24c2575d1f80803

SHA1
d5559865c353ea7011728803ec56f2be22359bfc

SHA256
884fe1ea46bbd353699fa617e6556938992943a1877c1d3b3de451944244ff6f

SHA512
809b7954e5340df20ff1d9c963ffaa993e3c16c5ae8d2694679675bb5176b74231e2c6e9cdac080e409de6bf9fb8479511d60aa2795fb04d132cd6b4fece06dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b0116a941ab8520a99d48c533d21ef93

SHA1
74498871929b023b2310249d815f46cddb67d294

SHA256
f93ab23a10756ab52cf52f3685208a8b27440c520ce9062c79d0c71976ebf808

SHA512
ab4a327b532de5d97e9ec5e34a981a28625afbe060313ef1a970c666b646621f358658dd63f441fe21e231de9a1fa7e819ce4481ec2f1f0103edee0578dc4c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d0ff1f822497e6630930fda9daabac6d

SHA1
c25f67ac9ec719890093974a6493939e88f06bb5

SHA256
4e27de5fa9d360ab59b3a54b0d13905b28f0bc0bfc830fd9b4a6d31122a0ee80

SHA512
57d04b6e032dcb168050020a1965b0f7031ab2773554443fedd9dd3065d8ce7cef643250bfa7cfb86eaa7bbb3a68bd4a120e98cc9883c2dad57a8636f679c0a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d0d3871b3c65e27ee23b7f4e4c4527b6

SHA1
6b554cce26163280ccaacbcf238c5ff0f9557f8f

SHA256
f987726e873ac972dfd3f0337b107391868d0e2d4cdeedf08476c72e60356434

SHA512
392f5b9198c7e8e97574ecca657ee8cab2c8ad42cd32c1a0af0c27a2d2531742f5e88732f9dc0faf7f946b0ebac441e5418f19a7ac65282862af411eb762f0ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d5476fe8856f995c829b1915ad5a3a56

SHA1
92115c20a448183acb9fdc6c66146597447eb2a8

SHA256
54da4ea468aae86592d1545cfe1f4d93f9c64a22494c7feeb4f8341ae1d368b3

SHA512
834df34e217754ac5b7719da24f944fede0ddfcb36c70d3b308a29949d6c3fcc4b74a4bca2258bf7bff7b0c05637dc4ae3deb4391169fc2a18921438ad10b8f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1d934e73d8a09efe6adf9b3124b91b49

SHA1
286ef9719ff6d46ab4fd54ff9a5bdc8b55c59542

SHA256
34d3196a421d45bc0f8a848fb8ff24f1beca8b1a6a70ea2529ef8ee11f64cbf9

SHA512
1189af24f23e87d2aafac1ee718eb556b85f87b4824a4fd6a82e1d3ae957091cc6464a9237be02007ccba5324189b37a264a92bab598bd8df24d8508cf096b3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d5b67eef9b5950d58fc641c6d245884e

SHA1
b1d8ad46331756ea01e14c64f12a2651cb7dacc6

SHA256
802e4438e61ea476dda2d7960ca0302ce84fb98e85ed5ed05fc4e61532ee7b3a

SHA512
b22b988ede7cb9a7ee2baa7a24a63746a5fe667f3b3d3a7c152bfad2256528e855c48d406583831524e535ed2b03128955fe0553b220a477bf9cb3dba67008f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cee45c08f0fe659428136cadc8f31d06

SHA1
0f75716f3af5491e1f3bfee68dc15b2f88d7f394

SHA256
bd70f94f3824872c84b14e7ff6f95e98e94eeb5319796e64a32830abcec970a6

SHA512
bcf223cdf27fa9b0f935e8ab94da79197e31ef9a33c1724bf3ff52ee4e57114f61ead30a9a168c7139a84c3d4b51f334b66eb31738e018219c665e229b680d3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cfd80aaab5c55240bd3d3b1f5796ddfe

SHA1
c83711fbf96af6f4fe55fee4aa01794157a6576b

SHA256
ea0aa38433217a1685e93100beb70d6a5b979661fdcc19a5ef7bb74f3b49358e

SHA512
9ba8b0b19315336119c1f4e03d9bca907e223c2e1df3ed65a68db16ab8dae0b991c96adb9cdfe6386870276ccd174593bb5184d49ecdacfc42f6cb0bda91a80e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bf172548267d1106aa22553969a8700b

SHA1
da8ac360277d09024f10396c0cb9670469049669

SHA256
70bc79b929e9b293de90850edf52f1d1987b4b99a8d6a8daa4faf1e367237a5e

SHA512
14f8511aafa631662b87f243e54205e60c65b26babf7ae5e43461c3983a89afd2ebf4ea562fedc30b3b31b91209c05ab0a30ba4aa695fb2e86c91aeafd16261d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
520370f22badc41c9464c77d51044749

SHA1
e620ebf8fe135a795cd3956f3997121ecf6c1e24

SHA256
7ae697481c22092b5493fef517938142ca264e6906a4fa8de25e3f4a5b93d74e

SHA512
72f832776cb84f0dbe2f6673987b86315c0b6f7c514f2e7f050585f744399488ae5e13c0b817c95557eb5360c310c2584355bdc143a47b81e4383796c8c946de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
47ca85415ddda96702b2ef613764482e

SHA1
95bba23ee98802935da768301d384f0386bfe853

SHA256
67b4fb54b88aeb722bace988ebeb00184b5166fe827577e6dc1e5fbc9804cc1d

SHA512
687cd477c9cff3f136055362e50abf8ee895a32370587254d3f0031b09b31bb79cf7423c60eda14997da6a0a54abfb6faf90498d61d5a642b2345129a0eb5ac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584c85.TMP

Filesize
371B

MD5
cb3b95b08802d76fa5744156cd2201bb

SHA1
93f6e72f454fcff305ef5556f778a89be85b930f

SHA256
cfb0850becf2b6a3e89584d96ae65d8c8892759f78dc4e1cad236aa6683ab4d4

SHA512
2e1da361aadff85061a8a4adbd995911972ff30e8fd18905a5c2eda87b5b7c5d565a2a8b7a3882febc5bd49df86aff01deddc39524e160c8936b77f3f1043614

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\affb96a2-cd6e-4be6-aabe-7073dd2ef3de.tmp

Filesize
1KB

MD5
758069aa182d979ae7b3193d11b0cd8f

SHA1
b50af9d68d81a253a4d9553f5761af2dc2299eb1

SHA256
72db5028b7f2e7415bff26d58cfb370dec984e71e7e008844c673c789ed8f034

SHA512
c60c64baa84e21b6b7aa51423b5271054029a89f3ecd4d3ca1431eeef106703c45fbcc680fedc2ba17e0e2b14cf6db477a8bb0aceeef8f0f58df4ec3643af629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
dc59b1e1629f8e83c5869393853f686f

SHA1
12b82d4ce542019ea4f78b3fdf511b18f60354c7

SHA256
9b404a7f791e7736fcd8dd261421a9414111683afa0f412ad0c0a34ae6dbbc04

SHA512
d4ce9a0baf183e3be2517bc5013006fe322583924c1d8d476e4d34fee925534d1aa027f2746c38fe4cc9fea14cf070e78624a35bf1972f58b2ec027b0ebacf6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9b3c395ee7ca9edf17565385d98c4e23

SHA1
d36434ab0b89a44f2f0005eac18b7cad8139256a

SHA256
9e500ef925e99ad81a6e511432b61f79bd5cf8e7eaa9d67bbd15f2510554a06e

SHA512
cc15c6c9398000b837733ee81669d68ec7febd76fa33fc7838072e33a71772414bf2573a5cc398ab543d663367f885e1593da017f39c7a2d2f9e49b5ff63d00f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5b13728e9009e967dc5f339b24b1162c

SHA1
57ff4c7fa1c33d0bdaad18ed7ee355412907987c

SHA256
63e2aeac0ab51aa869b46fd272a535091159861e578973a97aa51b9645a24e75

SHA512
68ee3ad7e734cb279074532d1c4da9cd593a53498f90f44d16e2232d833ccb38951e655402e7e72f8152a4485689d462b4d5e196a52e3c59b97e4fb6e1ac0ea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
bcf152ed253b11e1b76d2baaa374cf4e

SHA1
897d5db5d72ccaf5fe366f9c1c3f5d62bb3954f1

SHA256
cc6b2e1660ae0ef6a64b94884625ace60416e9143bdf42049210984368005a49

SHA512
bf61eaffd325c8943cc8c6ae949a70f6d649da5ee10febad45d1bb8a07ef6b42e713a97ec3eb0fa9888f7d56a9634064d3d541c6b14c988c0d44755fafa7fdf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7f6593cfe78f26d6039c57854b65b5fd

SHA1
6ee37948b5876136bbec5c3b7dc9bc11f4d8ab6d

SHA256
b0ef89bcddf1689d4a8ac52ff8d5403b863a6d72622db5be19ab208e1fb85a20

SHA512
369063bdb1c3d1aed108735aa9dae785060ba7b22a2deb5c31b0cabfb3b83592f14a36206994ea185ad754a800132d82eeca2ae2fc33706ca24c63751fc1711a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
fb7adfbf865034e17c56a32ef370c70f

SHA1
087e7e439465db8ac07304122a576d236668e52e

SHA256
1e85cdde5d635f3b00f57b9d5d86dbd8edc79d16b1ed923822c71cac06db7d4f

SHA512
b578de6b4f81181fa3dac4b69a8833fec7c25e046ad38ade8e37392ce5de0273a0768731dbc4cfc0c427e0a11a779adba90cc08f7d623a9588f5250b56395144

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b4d0a3e5e565abbb2b93b88fab9083f5

SHA1
db02ceb83485e14f9acde0c3bd197aca35ca9a4c

SHA256
dffc17a182271e38e097beee3b465bd6e0c9cac0a902d93359ff1d382d002c99

SHA512
c081f14c99347c0f807bfda00e568e452e6d53e52fe91b48b8659b673c2912567909fff095bd2c2843e66705e379a27f5251384fe728d348eddb1bedc2033600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
30017433bc03a662ecc1bd4365c6d5ef

SHA1
3ee2e38dd631535d7b88a85ef915c3538520ff9d

SHA256
9de6adbc118f959d7a1ae9eb0b4e4c6fb4df6f431ff9914e82cb1491f6a8cecd

SHA512
7b1b48552db5f530836edabad2cd5cc7c26ef5a8db4a52eb5b035126160a75af3958e9c0e9a43a3038de842488f183ddd2dc7605ea21796e9f5f4705d9e77e2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ff520c7b-a7a8-45bd-8fea-e240de9ba709.tmp

Filesize
12KB

MD5
379e86fdea1a8106cbd50db4b8090915

SHA1
bfff9704857262328d055bbe7f68ab5cdcf8db45

SHA256
bfeb2dc8f48762b8c1117260e6eb3fcf5b66a0e9dd86d57fe418952248c4cbcc

SHA512
68a27aca05e942dc431aaca48e3f55acb07fcf51e2f37e3c3bd52b82745d9801d3d3f6a24807c29ac128be7a33b2fb2d53f8a64d062fcca107a1f7b9d0d929f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
28KB

MD5
09131b9ff35fbde07a6be354bb89eb62

SHA1
4d399e0cefc30fbd03bf50507eded45c3c816927

SHA256
3b327e8daa483f529a8044d91bc6c4ef75954c47b5bd8899147538092709b500

SHA512
aa0f540d48eefbb747353981725e860a288bba97d1323343f69f2c4895c5bc041cfb2f9e486904e3d37752c8a5e01db20181cd2ee18ffe52ad642b0ec5e59bd4

Download Submit
C:\Users\Admin\Desktop\Adobetemp.7z

Filesize
2KB

MD5
8e978e540423140c6609cd49d41c4019

SHA1
9579eb0dcfe35740ce180a501e24bb4cbe626662

SHA256
41abe5924ec3bf5331d3c3acc55257f4a7f6c0b195022d9cd2064096ef74b004

SHA512
6bf05f4f8114b3926485a8592e6c255d980c20940611130ebe92d43b07150481fc0885ebda96815a6edba9c6b2e351950fd5f80ac09bec1831b38e07451b97ca

Download Submit
C:\Users\Admin\Downloads\NoEscape.zip

Filesize
616KB

MD5
ef4fdf65fc90bfda8d1d2ae6d20aff60

SHA1
9431227836440c78f12bfb2cb3247d59f4d4640b

SHA256
47f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8

SHA512
6f560fa6dc34bfe508f03dabbc395d46a7b5ba9d398e03d27dbacce7451a3494fbf48ccb1234d40746ac7fe960a265776cb6474cf513adb8ccef36206a20cbe9

Download Submit
C:\Users\Public\Desktop\ౚↇᒣ⼐ᤨՆጪᐎ⛭᳼≼ණໂԹᱰ⟀ᦅ’⪇⡵ߤډᵫࣜऐજ୤ऩ

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
memory/4476-1707-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/4476-1885-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads