3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
01/09/2024, 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ.exe
Size

16KB
MD5

1d5ad9c8d3fee874d0feb8bfac220a11
SHA1

ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA256

3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512

c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
SSDEEP

192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN

Score

8^/10

bootkit defense_evasion discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
16	raw.githubusercontent.com
63	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Float.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 444662.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Float.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2976	MEMZ.exe
2976	MEMZ.exe
2976	MEMZ.exe
2976	MEMZ.exe
4308	MEMZ.exe
4308	MEMZ.exe
1616	MEMZ.exe
1616	MEMZ.exe
2976	MEMZ.exe
2976	MEMZ.exe
1960	MEMZ.exe
1960	MEMZ.exe
4308	MEMZ.exe
4308	MEMZ.exe
2640	MEMZ.exe
2640	MEMZ.exe
4308	MEMZ.exe
4308	MEMZ.exe
1960	MEMZ.exe
1960	MEMZ.exe
2976	MEMZ.exe
2976	MEMZ.exe
1616	MEMZ.exe
1616	MEMZ.exe
2976	MEMZ.exe
2976	MEMZ.exe
1960	MEMZ.exe
1960	MEMZ.exe
4308	MEMZ.exe
4308	MEMZ.exe
2640	MEMZ.exe
2640	MEMZ.exe
2976	MEMZ.exe
2976	MEMZ.exe
1616	MEMZ.exe
1616	MEMZ.exe
4308	MEMZ.exe
4308	MEMZ.exe
1960	MEMZ.exe
1960	MEMZ.exe
1960	MEMZ.exe
1960	MEMZ.exe
4308	MEMZ.exe
4308	MEMZ.exe
1616	MEMZ.exe
1616	MEMZ.exe
2976	MEMZ.exe
2976	MEMZ.exe
2640	MEMZ.exe
2640	MEMZ.exe
2640	MEMZ.exe
2640	MEMZ.exe
2976	MEMZ.exe
2976	MEMZ.exe
1616	MEMZ.exe
1616	MEMZ.exe
4308	MEMZ.exe
4308	MEMZ.exe
1960	MEMZ.exe
1960	MEMZ.exe
1960	MEMZ.exe
1960	MEMZ.exe
4308	MEMZ.exe
4308	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

pid	Process
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2976	1488	MEMZ.exe	83
PID 1488 wrote to memory of 2976	1488	MEMZ.exe	83
PID 1488 wrote to memory of 2976	1488	MEMZ.exe	83
PID 1488 wrote to memory of 4308	1488	MEMZ.exe	84
PID 1488 wrote to memory of 4308	1488	MEMZ.exe	84
PID 1488 wrote to memory of 4308	1488	MEMZ.exe	84
PID 1488 wrote to memory of 1960	1488	MEMZ.exe	85
PID 1488 wrote to memory of 1960	1488	MEMZ.exe	85
PID 1488 wrote to memory of 1960	1488	MEMZ.exe	85
PID 1488 wrote to memory of 1616	1488	MEMZ.exe	86
PID 1488 wrote to memory of 1616	1488	MEMZ.exe	86
PID 1488 wrote to memory of 1616	1488	MEMZ.exe	86
PID 1488 wrote to memory of 2640	1488	MEMZ.exe	87
PID 1488 wrote to memory of 2640	1488	MEMZ.exe	87
PID 1488 wrote to memory of 2640	1488	MEMZ.exe	87
PID 1488 wrote to memory of 3040	1488	MEMZ.exe	88
PID 1488 wrote to memory of 3040	1488	MEMZ.exe	88
PID 1488 wrote to memory of 3040	1488	MEMZ.exe	88
PID 3040 wrote to memory of 4752	3040	MEMZ.exe	91
PID 3040 wrote to memory of 4752	3040	MEMZ.exe	91
PID 3040 wrote to memory of 4752	3040	MEMZ.exe	91
PID 3040 wrote to memory of 1848	3040	MEMZ.exe	92
PID 3040 wrote to memory of 1848	3040	MEMZ.exe	92
PID 1848 wrote to memory of 4784	1848	msedge.exe	93
PID 1848 wrote to memory of 4784	1848	msedge.exe	93
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94
PID 1848 wrote to memory of 3472	1848	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2976
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4308
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1960
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1616
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=g3t+r3kt
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd24c53cb8,0x7ffd24c53cc8,0x7ffd24c53cd8
      4⤵
      PID:4784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,12327767944071421030,6298532887498405880,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
      4⤵
      PID:3472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,12327767944071421030,6298532887498405880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
      4⤵
      PID:996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,12327767944071421030,6298532887498405880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
      4⤵
      PID:2796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12327767944071421030,6298532887498405880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
      4⤵
      PID:4384
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12327767944071421030,6298532887498405880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
      4⤵
      PID:4504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12327767944071421030,6298532887498405880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
      4⤵
      PID:2888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12327767944071421030,6298532887498405880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
      4⤵
      PID:1444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,12327767944071421030,6298532887498405880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8
      4⤵
      PID:3172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,12327767944071421030,6298532887498405880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3708 /prefetch:8
      4⤵
      PID:852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12327767944071421030,6298532887498405880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
      4⤵
      PID:4104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12327767944071421030,6298532887498405880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
      4⤵
      PID:1424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12327767944071421030,6298532887498405880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
      4⤵
      PID:2748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12327767944071421030,6298532887498405880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
      4⤵
      PID:3340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12327767944071421030,6298532887498405880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
      4⤵
      PID:2156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12327767944071421030,6298532887498405880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
      4⤵
      PID:1076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+remove+memz+trojan+virus
    3⤵
    PID:4576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd24c53cb8,0x7ffd24c53cc8,0x7ffd24c53cd8
      4⤵
      PID:4412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=virus+builder+legit+free+download
    3⤵
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd24c53cb8,0x7ffd24c53cc8,0x7ffd24c53cd8
      4⤵
      PID:3368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,570429854695612512,7768705474523251476,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
      4⤵
      PID:1428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,570429854695612512,7768705474523251476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
      4⤵
      PID:1964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,570429854695612512,7768705474523251476,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
      4⤵
      PID:1448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,570429854695612512,7768705474523251476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
      4⤵
      PID:3340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,570429854695612512,7768705474523251476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
      4⤵
      PID:3244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,570429854695612512,7768705474523251476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
      4⤵
      PID:1864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,570429854695612512,7768705474523251476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
      4⤵
      PID:3796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,570429854695612512,7768705474523251476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 /prefetch:8
      4⤵
      PID:4836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,570429854695612512,7768705474523251476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8
      4⤵
      PID:2992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,570429854695612512,7768705474523251476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
      4⤵
      PID:3244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,570429854695612512,7768705474523251476,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
      4⤵
      PID:3192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,570429854695612512,7768705474523251476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
      4⤵
      PID:5184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,570429854695612512,7768705474523251476,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
      4⤵
      PID:5192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,570429854695612512,7768705474523251476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
      4⤵
      PID:5348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,570429854695612512,7768705474523251476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:1
      4⤵
      PID:5420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,570429854695612512,7768705474523251476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
      4⤵
      PID:5960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,570429854695612512,7768705474523251476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
      4⤵
      PID:6112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,570429854695612512,7768705474523251476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
      4⤵
      PID:6120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,570429854695612512,7768705474523251476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
      4⤵
      PID:5576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,570429854695612512,7768705474523251476,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6492 /prefetch:8
      4⤵
      PID:4948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,570429854695612512,7768705474523251476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 /prefetch:8
      4⤵
      Subvert Trust Controls: Mark-of-the-Web Bypass
      NTFS ADS
      PID:5944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,570429854695612512,7768705474523251476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
      4⤵
      PID:4552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,570429854695612512,7768705474523251476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
      4⤵
      PID:1888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=internet+explorer+is+the+best+browser
    3⤵
    PID:5872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd24c53cb8,0x7ffd24c53cc8,0x7ffd24c53cd8
      4⤵
      PID:5892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=john+cena+midi+legit+not+converted
    3⤵
    PID:5308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd24c53cb8,0x7ffd24c53cc8,0x7ffd24c53cd8
      4⤵
      PID:4852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffd2486cc40,0x7ffd2486cc4c,0x7ffd2486cc58
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1724,i,17330660515953783650,2221011114789530034,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1740 /prefetch:2
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,17330660515953783650,2221011114789530034,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2068 /prefetch:3
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,17330660515953783650,2221011114789530034,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2208 /prefetch:8
  2⤵
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,17330660515953783650,2221011114789530034,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,17330660515953783650,2221011114789530034,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3560,i,17330660515953783650,2221011114789530034,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3512 /prefetch:8
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4564,i,17330660515953783650,2221011114789530034,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=228,i,17330660515953783650,2221011114789530034,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4304,i,17330660515953783650,2221011114789530034,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  PID:5124

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1412

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004D4
1⤵
PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
17c976d07ba08d9bba36ea05deeae131

SHA1
711a1fb8ad6d42e8a3151ac6e3f7729297887cec

SHA256
d3c9768dfbb224d61b5ea427e546280704cb7fe814a85123ed155dc48cc0c918

SHA512
2412f6531734a4f8f724fb31ffe9788d29e6a3d9250d0498ecbbc1d4b6ddea84bce11f6d4c4a2dea44d7d9a0785b82969d5a9b131a06f3ef64b52506ec2f0a1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5698eab3666de07474ec8c298521d478

SHA1
08c865c41753abedadc697e9a97a6dd3ffdf041f

SHA256
36df21f3080328ab1cf44590a7cce1fd7c310bfef2a9ffe72711663b1c21622c

SHA512
cfbbaf5be2b58906ddd81df477845f9861a533e846e6788848b3b29b46599ae9066faf72edeb5aa4491b829c38d9a42b4dfea9e4e5fa0e0222cdeca2a2d2c769

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b28f34a02dfcdf3aca1653565222b3b7

SHA1
54e3bd32ca8316e7ad9b21b4dfdfba8a9673edd1

SHA256
ca579eee2e8f9de5140e6b7c091d25d4586986e75097c98b665e1484e6007666

SHA512
28664c3cffcc4de8056f39e6005fc86526be5d7f7940baecbe0c2b3f3f0eebe5c885776c1975272592073aa9baf0496ec796e7f0ad3f4159f65db0cf83a29015

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0ee468e7d27f8554d129cf149b215b25

SHA1
a53236cab573912082de568f229855f8269477dc

SHA256
7a79af2e0dd6e1bfe93e2a28a38c5f60b2da57a89bfe6351e570b41f0bf86062

SHA512
bd9fc0f67efc12b53597853f6c132a827f6e13f4d1cc6823c790122b13da934b827396b2c39264a369b965063bf5d2872d6cabe448afd383ab6ae1f8d8a80c4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c8be11e1e8956320770bc732049c916e

SHA1
989a2111a81aeb9775ee35985b8c13deb6e73ae5

SHA256
a3004ade7a927a149236d95409a80eb41f0adeb9e085baebe120e89a6cbd5f17

SHA512
cb7093b27f74c1677087e5c7104056d02dfbe0d63de048ca8f51799c248820a4d413c15fc54c17da897f193dc4d947687474fef4a4dff63af510bb243ff536f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
05d083ca9d0915b459c475fdaa2567e9

SHA1
53640b106ed35146a30eb2519e2644d5179c2d48

SHA256
f89a9c470577ec6c671ec0504b670b8ba47816e72ab044b0643f6b4252e671e2

SHA512
d00d0902a6be753d06a0e9b024b4f708c76465edf86ad74296c8a0d5a55ec5e33c0324ddc8911e5ff75d52e9f2cd67b0e4351547a7fedbf16defcce348520028

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
102KB

MD5
3eeb184698adedf294691a2f5792783c

SHA1
05c3c284f8febfd903310b8c1a948f0f4a7245ac

SHA256
ded36556359388f965c10329cd06cc2b1693dad14cde776e6ceee3c593a0b141

SHA512
507bf1676608b5df966ff903f9438dc493250239b96fad4b69d5a775d4831b25b6a5b8ccdd3e2bf1296dc3f2361fd73a5aa0790e6471285b419923b12063fb7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
102KB

MD5
a8ab763210e5413d2dae6e15dda75528

SHA1
60351e53efdcfbd6baa63894783bac2ec536f7b8

SHA256
9dcaf9e056a8eff667ad497a420f563cc684e9edf4efbab55eac966e64a91828

SHA512
ce8b4c2ecdfdf01cae541cfdeebadc878588040cc8f6adfb25c7d34c7396975ada826a33fb4f23ffdafd1e044ce489617a731252d8ec723c6c140c6ae0a0fe4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
81a5c04733dc16515521f729b10bdb79

SHA1
580c910345175d3cf616b26f6d3812c002253a81

SHA256
29b08dcba37b54cb3aa144ebccebb71b91526e6fc4dd9f2803c42adb74bd541b

SHA512
d43ed8a2db9cd799db9d08fb8d68b2c82ba5ae0cc4d64124e6486af731af08d37b7717c97212fa71e5b11e1a703de857558ddc673df79ec762d71fb29639a146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c3889d3f0d2246f800c495aec7c3f7c

SHA1
dd38e6bf74617bfcf9d6cceff2f746a094114220

SHA256
0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4

SHA512
2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1831c75abc96dae4fb474e6ce0029c30

SHA1
26ca085100a362f943f9d6df0f5f845c85e04c6a

SHA256
37c5739ce3ef084f87c1a882c13339db588c56f677844ed9c0f93bede84743ad

SHA512
3c6859a5eec8e67767c04e9e9e43a0a0dd3ace96a82ce098137bf9137804e2159f8e3e67285c01a1247f303e6f15c86b249f257d0316e26b8c15ba9a4e448088

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
951977b170c280f1eff2adfb114bdcef

SHA1
21b005c13ca85901d6986345a555d0561e4b0faa

SHA256
1d82508bebea9f0dca8613b7f2da947805fa152c25294e9a9f14260eb4d75e07

SHA512
55ffabe0efef00d7b0dc02c4ceab1c36ce6f253b6f8066b03de9bb7d39d0d3886fb6fa55d0082e1351f0241d6acd44fb264411f70c6ec72c7b51ea606ee36762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c4a10f6df4922438ca68ada540730100

SHA1
4c7bfbe3e2358a28bf5b024c4be485fa6773629e

SHA256
f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02

SHA512
b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
79879d6727218e27c1056c7a004a4ee7

SHA1
9fc2b11dd110da6bccbb41349845dd19bbac4fbd

SHA256
eb366e381597c71e65895c882c327c3a98e9d5488912a692ae67441b4ba5bad0

SHA512
ee44b919a906260a997e4a0717dbd174f01c257c689100bb5efda28cf470aa4b634fe8e2169628a9fdedaf4bcc50cf5e74baf80649759f1544495627995b97d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
e27c04d9fdd88fac3ca2d8bb04defa3c

SHA1
4c2cafb0eee17292e49544d43bbb6ceb06794bcc

SHA256
117edd0e7848be701e8a0e3f07cd256f7dae7b5f9f64a3b40c83799c95607e51

SHA512
66466dcabf37c691b04285fb358c9505b2b95d1210a9f3c14586d501c5aafa1325826ffe26bffec9b63caf259fe5e882b0e3a38c0b62289d4589b05b5a1e4f4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
55c1dd8240457c56907255cd086a7bf3

SHA1
4cec7f24361ac554e8a521bb3b067973c68986f0

SHA256
f290f03028d8897ed18c6bcf59699a8d682706ffdcb617c10697872e7282c617

SHA512
9c2470a458b8ddd2e04a0ff0626e47dcd1baf3212538f5dcc4d7640d04707fc29f5e9ac91db5bb6622a5c50138930e3a80cfcb3cbd82a703232b603de61eedd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
90513f9c2ece7d3e317873a9d9eb9b82

SHA1
031b05d8fb8f8b41ea9964c9e39b2fa853473f18

SHA256
b5a89765e4f5fd74f7a858ba998aa9f6288822708d32dcca58783e13530b3ed8

SHA512
8e3b945ac98d15bbafaf55c1ecc96de4683bcc30f28212472e4447a4e8b11485618b06eca3aae4ecccf129c10888214ad4af74a6fb3f40b6603a9bb161a306ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
211KB

MD5
e7226392c938e4e604d2175eb9f43ca1

SHA1
2098293f39aa0bcdd62e718f9212d9062fa283ab

SHA256
d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1

SHA512
63a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\41cac50800f22e4a_0

Filesize
288B

MD5
3cde167045dd34caff581c892591f915

SHA1
7a6c84b286a7753b9780f375cc1220677ffd325b

SHA256
d013081fc8d837d72764d6142126d83d215f5ca90b77bcbd3658d464e111a315

SHA512
2b101238f0a26bbe371f71a5cb522efd7a513cbc690c81bba15b613f474d8c1e1ed895bfd85c885175fc594b49b23eb8c61cffad6b2cd067025096312e20072a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
5d50cbcaa577eb70ec17002dd628404d

SHA1
da3687b8d8239124fa1982c5e1b847095d3ba652

SHA256
bb1eb47e10243edb290223a4572c2e7dea46653b71cf0254f9f50577f5f7c683

SHA512
7ee73456d90010841145fbd2dba39c496b761a4292a5a59a250b74238cf3d38c80aff630bdf969da635634ca9524698d91ea6f74fb3473f05e786b891432ef6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
23b3ace3255967ee2e11ccde128d4ad6

SHA1
8e0a2ffd26a45235b656eb601565b63257519316

SHA256
4c30f3665eab11746107073a23c43aa3c3c86c86e710a8dcce08db068b6ac74a

SHA512
08f6b7b6380fba333d32e04229ec17de88777adfd56575991222d7aa1600b8f67af31e9042cd286f0e75bdb7bba9e81f815530aae3fdb74b3ef1f5b43a8e6bc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
8029f727aab012fe9b66ffdaebe97288

SHA1
c06ae94ceeb406884f5bf1cbe25fa7514a835496

SHA256
b298c1ee7c7a605f9128d4061fe3a34d0b3f37fc448bed178633bf11249ae495

SHA512
65506f3234f9eec5f1405e5631033b01f42313d897c1d9eaacabd3bc4e06c4b9ad61dfc7f385f7dc8f831f3376f9c65edcbfac6de23f6c4c05551260121a5591

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
f6d1ca826f66561c67990fe094810b3b

SHA1
b8b1902b1a8b8baeb9f6d036c95f9d53356a6075

SHA256
9c4d75e72eceddc1c19d7ed028a82bda2b2c7bbd4eb7fb4511eec362c9b13a67

SHA512
81c9510aff77bbe27bd72344fb276fde01194e1cb3057cfaf7ca489365a448e985ee7259764476215a055c8ef951d44f3a09214c5d6ca81973419392a1b3d498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
2ede0cc01859e22c28c5ed0f22f58281

SHA1
0aeb175ee57fdb86d6219b6fa9915330ba8b07ed

SHA256
6c2c8f61f9bf90294af298c98a1e6bf75065887a39355ccd007cd37854e42e6e

SHA512
c9b92ee762b5196d4923020932a4a49f9ccfbd58b4bb7239cbd1f571d5b25a3115587017c0548f4cb7d3d8fbba634885ab7bb4cf872d0aa7f2896c9e8ff990b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
28KB

MD5
b89098e9bdf193f444e6ac00081864f0

SHA1
b3e6d7f70247d0688d48be6fdeaa1393330cfd77

SHA256
42b04689413658252f39c8d91f79a25bf58655fb7605712c98c84bfdc6056ba2

SHA512
b07bc66e0986d972408db2ca4da2e4187119c1571bbb80f81724adb29dc313952b3d40d39313074d7ef9bf4d9348ccdc471cdbcf5ee6ca2515f0b0512361ea61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
338B

MD5
a37afeaeb6545a2ec2b64bee0e88256d

SHA1
5842871c568c3e3f9f1f85f135b679b88e6425d6

SHA256
086e374ca7c48f2ebd44c34a66a3ab6d646817816e3183a16f151c6d503e5a4e

SHA512
00d2c6559255cf6ad56ff4e7d413b5e74fd47e34dc1e3514d3618a89ee306a0b5ac5d0714bdd87a5158ca4503adfefd8fdbe4f4310c2027d3c93f1c3326c218c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
d6930880fc964e340a98319b32968cbd

SHA1
995951c0a25f7e3e529194f132dcf67297a6ed6b

SHA256
3c52bcf7c7f24a271ca5baeb29ef613d1fe412bf7c7c80d327bfc6888b504b10

SHA512
9c56c0709117482a8b6fb6883ac48fa2a0544c16d10049ffb66b92be198e1577cb71767c9c79af5d55099270fc6806ff68414cdbd120364034ecccc56dff6fbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
846B

MD5
bbfda6e5c0bf6e7eb3c9b0c5ea851d9d

SHA1
b2abfc36ba38ef2d8e612b3f57edd30b491bef33

SHA256
90840888f747f59d0a7df723898a49fe456fb78e0dfb9ce01007290829804c46

SHA512
9aff98622e1c77b41cb35e8594d7441126d63cb466959059c0ad4693baf88bf6ce44fe93a5658031eda4d2ea07baf06b3ca0b5004e5e82ef669954e3e596e53b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e8250fea625140d084cf8ef761909838

SHA1
3a11e72e38606a38fbd0a3a86c8aacc8dba6a654

SHA256
62f13cf951dd12f6e822651f6ecbd0ab58eff17f12e7455b6d4bf2c6619a0b58

SHA512
e58f6fdbffe83057f92fe7744a3757523731c985938e03f5d3cd43e6eb85c559e06ff064ebb23fa2238daaf9c6d90419e90b7fc0d1a6b97ea5da1c129e8479e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7ca29dfcc304825e4c7a97b0499788a2

SHA1
d796c606837a1560328833610349223f24fc7946

SHA256
4677964917b3959d33eb21530b0a6e59aad72e096b180c464ee19f80df5836cb

SHA512
521956b35bd7e7453bdc6cd599a4af7c046be188d71e4c6ab8e039b0c133f93b61f9eeeb6cab381c184805f87608f4a3f0b87d20ed99dcf0343390a3174b94a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
276c052c82a79fbb971855ca50eb576c

SHA1
a9d1b74f12161487e1f860ef7939e9aa1481874b

SHA256
4a10eb6ee50817e6a3f463a014c95f22e6bee6f9a74f6561168c0950899f14ee

SHA512
23fd4ec7aa88d7c21f7e917fdc80e19ab906c1c3e0a715e4fb7d10b8032cd209e3a3a8d05bf1babfd49494ae9c1a6b3bb9786a09ececad0a1882ffec46f3ed82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
633539756edb0137b176b572d19c664f

SHA1
c450e58dfda4e4b2f5977d4c9b386baa361cb606

SHA256
84f10d8012ca68b18609fc1cf845a4f6da67caae6631bedfd3e6ea25629f7a57

SHA512
b547a0d28c7330eb94e564d8467f0fb0725dd860064596d1706a69287f7e61fc0578e1cdb4b9aa75abd62d64dffcea00993f81cf515439568535f16da8cd6758

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
64b0b690eb890c524b3ba12c9c150bda

SHA1
d88ca8d2102f4cdd01fcaba9c16ce8fbb0ee23c3

SHA256
44ce28f907051484e708148ffd7fc76507f950dd6bc9a9c6a60b86b3aa209c55

SHA512
1db7e329bc5aa0f0bbf9f48e257c9736c7ed28193c699ebb07ca2ecff0bb94029269aab5b4b2841e2df94ca708a6bb2f88c24b796b057569a9d577a07c2d92ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8e46b77cc1b4fe466b2c2231617ccd2b

SHA1
ce994fc85bf53e67f975a6be56c66eeb64c75dbe

SHA256
7d7e8c0df97e30bb0dc9714ee2d246f395d46837471a75877d56e4e249e04db2

SHA512
dff0ac22cbf4fc34bc154ec840d1c83505745a61e09775e28bc7b6ca550f613be0617c5acf2566420bf53230bf621e47a85563633f7be605982551b33ff9b9dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4357e36df7bb17775339b1adec96fe25

SHA1
9cb9f57161625e5294feaf43caaa94e8b7e91fd8

SHA256
851f0a79d763ae9bbd4a642c2d45b4ca4015f9e5b4d370c775330685b865b7f3

SHA512
6bb3cadd4d72633eeadf34ee1e4ea3018ac38e32cb82af8a212e3d4b7cd8653af6d0de3ec4b627d891f9e67317e7f17ffa5227c57dbf8b238a1ec81219660257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
1KB

MD5
644fa77b0b470405a6e826c29225906d

SHA1
7209eddc9192dd2214f41108b7bf03f42f57f3cd

SHA256
caa68da70225823bc3e9b2d8a58d2e4a7e6f9fd8f9ed51fee70d3b1d179d5807

SHA512
9ab1acd26a256adf26a1d95a4ec282f7264c5a61fbe98d002a860348e718aa2260731542896cf9003b2d19a3ae031295e1ef0cbbb4d9bf4b1dd3b3977935765c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
eb8ae2dd3de06588b08f6cefbfbdff02

SHA1
1ac93028e70ec0da6ed29e45d467c51af7010145

SHA256
337e2005196d021d181e7324a02ae22a6835fc8a4751a8034f28a62149d6c6e8

SHA512
ab4d7d0dd7635669b325eaf386f4248daf3cf6e89cad53fc4e5dbae0308048c7895946bc185014579469ce80bdc91cc5b53b622704460c6c700a361550da493e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13369644155327662

Filesize
3KB

MD5
5bd2581df0b5b522bd43b26ec7be219c

SHA1
f8f23f4136c524bcbab31acf29680a7fa535dab3

SHA256
1b737ef258078cd64330e6548f65c8ad594e36fbcb7bf9d291143046d43644eb

SHA512
5e5964a46b67bb827807e05dcc77780540ac6d5ae0290fa7c7093e4c22b16745d22d0223c3d52cb80478294cb0ca430010818032fecbbb2eb854a1d2634bdc06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
765b0c2f8088442160a3682acbdea5db

SHA1
1559bfceb76bfb6308088326ec6c4a33511a3249

SHA256
81c256c80d05a3686314cf8c1ce6d56b60c99ffbebd87778344c25db64ab686c

SHA512
72e6f094e5ff98a0362a3ea85dcc96a396078431bae5b93acb9f905fb91674272d6fd77b71e948a747041437623f912902aacc674e0663b166144723dcb5fe60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
08b13bfd8eea7b7ac15b66e2d5111bfc

SHA1
f72a2885462c960124dde3388b7b62d7cdd49e59

SHA256
063d63f9b3c605b18874ba9c0e1f88ed5643786a74b0665e4f21a06401770eff

SHA512
b664dbb8f1898d8f578ba446092e20a1453cb5af3449d3d1b18017f5b378e2f9df64148e50d3517813c33b93dfa0040361bb2249e036ed7db164bcd85da46e2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
a39c5ec50ba6896401dac315da34a243

SHA1
c97e03a16b0f8e1aad57f89cccaa60405786b4ab

SHA256
c2fed25f63114ed8538eae6d9bc1dceb755a5a157c8a43ce30880394147c9506

SHA512
85fdecb04869f6185bd6cd443cb5d52ed6d5572e98ba6a7c267cdd8d7fd04f7cdd7afc8ba44ba254f428a7b7a0388388b1bcd941c528fafc54f08efcccc66758

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6dc14cd3308a36b9bc9573ce84692415

SHA1
2df0e68e625356d6162dd670b3c3a69d1f21e972

SHA256
99d8051a368b3570c2c3aed4d3732414e9a05e1c769fafb914e9229904a4f395

SHA512
afa063acb1e9d67307a0813fc37674eaa7012d8aceb17bcd1b6774b388a96b5705e6be43de90a5853d01700534e16f0b60f741914a2347b98185cf6bd3d47cfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe598265.TMP

Filesize
874B

MD5
55c6e536e9670f7d413d035c47d27961

SHA1
8ee98d8a8907bd8f88ebef7117ebe7c566750dd3

SHA256
3c1f224fe0da21f4b6bee4b0d7a4e959fd1666add81c8dac8340812e1b3244c0

SHA512
75c6d92dbae1a97b703682a436d2bc6b34b77642655f374b70def61a02fc5bb5920a7de4c8599d0cc8f35ae6391533705d620476631cc5fa02fd87c93495d3a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
3ccc3995a9e898d7c20fb6c029231bf0

SHA1
782b8d1e6daf6c6ca3d96847b528bfa599e38218

SHA256
e6a632043cc13e4b5ae0acfe526e97cab71e5eb8fb3f9bd5b5c6c765b75f96bd

SHA512
9184c3191f56616daa5226d9a6b0f3dd9f780e4475e2cc728714792f02cdabf82693c8d33bd5347384f3a9a6effcf26d24176a5883c96f76509e7fd86afac8f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d964ae6e-f5c3-4542-abb1-967b8682aebf.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
d9cbe51b5c6e55624f5a21c0e912ecbb

SHA1
72d13abb15b56a73c6410ed6eb97304517c6f55a

SHA256
8096cffe3818b99cffe4011ad988f2e5e36bc5aea1f0a4ed91488e87a5b322f7

SHA512
f66f93f0959217ac4f0ef288c78f204af3c7c182bee181815b36cd6e73d8f0129c35778b231082e813b8a7b085a6ca838b97a8b2ad51224f0a211a6e6d08b520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
19B

MD5
0407b455f23e3655661ba46a574cfca4

SHA1
855cb7cc8eac30458b4207614d046cb09ee3a591

SHA256
ab5c71347d95f319781df230012713c7819ac0d69373e8c9a7302cae3f9a04b7

SHA512
3020f7c87dc5201589fa43e03b1591ed8beb64523b37eb3736557f3ab7d654980fb42284115a69d91de44204cefab751b60466c0ef677608467de43d41bfb939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
42e5055252e6d7d61879d6f8e5fe6483

SHA1
806950ec2db602b7e641ae5ac178c0a5876ad218

SHA256
0da4d52dd9be1c5c52ae610ca578b6b6f00153cc6278f7043abd9af0e536b416

SHA512
337eaf7eff6c88bf015df6458cb91675060c9fc34076c35715b63f79abf327fcd7182c1244286552bef7a5dc79d60a8cf71375a01e4089594cdfa7eebec2a537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
318B

MD5
3c653be292a5305e3765f975ffb03155

SHA1
8a4c3003c70b040c092bc2180e839187ab017b24

SHA256
2df8fe0df3a6db396ad581b0bd602edcd7d6a197f5a2bdb77967cdbbe4105c5e

SHA512
6d1c4f2ed1f554f2dd3894eb6270a56f1fc4d2e311ae601839db4dea88159c148a91750e83ff90b4e5f4b451a81737f345cdaaa378208f9b08c4b5d9c573baf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
1a0e866c615c51fea49078f826b8238a

SHA1
e0e6f45f387fda26488fc44bd476af97f9c15551

SHA256
e5b8eb01470f9aa0c8957fe69c1abd86fbabaedbe5c7f0ae2bda22ae278ffe1b

SHA512
fd30102e1ac6cc1aa3ebd878ccbc804b6ae36a758090c91b8925a5161de3ec6e9127605e3b8c93138ab2548fbba715a62456136e43a576fb09a871c99932a866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
b4e2d20550323f73bffc780b84b71d0c

SHA1
c070223d9437ad4c6a203aa6907b33fcd523bf5b

SHA256
34b6361aeee95d82e42a7994ce2ae03457855b02178587e6de7a9f79ed316436

SHA512
a4cde92d9944000ea25168e1c274e1287d659145b4ebd8520129b02f9640761432c1e4336a2c649b96458f3b8b6d5970d2a35e7f886d3365fa2605134406b030

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
3fffdd459196cc3610eb3fa1459997a0

SHA1
e5681ee30490ea0305f1caf19bbca78997163a4b

SHA256
b90be2518280d0f520c0b0a141ae062dd7fb483097a203dbec244ddebd6c4dde

SHA512
a9211377cc4dc8c72974ae16a6763c920e550a02a0080ab43fcabb00f3c9bbf1bfbb130c8091e6bc209e339049ca5d178bae0452c0d2b33d8ca3771bb6be2356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
d81e95696c4aefd0b69b753c816f27b3

SHA1
8d5ad0794d03ec584d49b949471d25036a91494c

SHA256
73668a19043afa380965ee7466d4495fa7fec39c7b8173c1f228489a42d5ae1b

SHA512
8081b1c01827ad5e5abaf90a1a0d62b0ffd027dd824537b5c9ee98006654f1df7583598dab6750eca00c38c26b4d3deaaefdb7eed377ddf0609b89c750502907

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e80ac030fb9230261bbe7c928e89efd7

SHA1
3075d2fdab5ca44a6c311e920a8343702aac88b0

SHA256
cca1cca0ce6ad14b926eaee3c51dafa7156a31c2db64f6372a086c93ee234801

SHA512
0f42441b8517102dbd3c5db40f18c7b4b250fb428a4fa6464ca5d03afa2f234ba6089c35673552cac5d81157666cdb464e8ff5644d4374f0752369498e669791

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e3c819db980cd334680cd7c376ff100f

SHA1
828a6e4ab551b09130a7bfacdf1606bf6b1d6c31

SHA256
6a4ffbbcdffd8ca0fd11faf82bbaae85a118127650e82808cd47b51c35bc6de7

SHA512
4d2419967063381439b02117863af71ba4da0fd490b6f6608dc563b0480c1c63a37494eef4aae53757015fd7d0c3f894f35cc3df853b48706994d73d2228f02f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
7e8de218052e201b6921d7302882e9f7

SHA1
a00c59d5b8eaa7aafecaa4dfa4394a886f28a5fb

SHA256
dda224319ede7cdb05ad2a9f46a9fc81aafe33c8614e79507195b5589ef4377e

SHA512
3daee175c93778df634948c5fdda693bda783f01027efe5886fb6cd229a2234fb12184ed4ccf7c6b929cda5e03f394a54c2ca213ecb0027222127d3754db36d5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 444662.crdownload

Filesize
70KB

MD5
a4acba21befe2c7f8f9e7fe6e9d5a0be

SHA1
67d1d9d7f22a0cb0292d65e65c1688d9ae8b6a25

SHA256
2409b6d86bfa4a696c053370938d6dfa20422d44bd27deffcc33656d8eedaefd

SHA512
34ad8894f43241abed8e655cb6965c068d7fbfd084d52af8661bfc00933807e0320421f3623cf44e33bbee03c13872448930e9be90986d2a81b0fd8f6f09af2c

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit