hxxps://uploadnow[.]io/f/QBSHhkY

Analysis

max time kernel
330s
max time network
313s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
25-09-2024 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://uploadnow.io/f/QBSHhkY

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
5072	winrar-x64-701.exe
3908	winrar-x64-701.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133717782889529416"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\V1.7.1-Fixed.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3376	msedge.exe
3376	msedge.exe
1496	msedge.exe
1496	msedge.exe
1992	msedge.exe
1992	msedge.exe
4428	identity_helper.exe
4428	identity_helper.exe
4104	msedge.exe
4104	msedge.exe
3272	chrome.exe
3272	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
5072	winrar-x64-701.exe
5072	winrar-x64-701.exe
5072	winrar-x64-701.exe
2940	OpenWith.exe
2940	OpenWith.exe
2940	OpenWith.exe
2940	OpenWith.exe
2940	OpenWith.exe
3908	winrar-x64-701.exe
3908	winrar-x64-701.exe
3908	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 232	1496	msedge.exe	79
PID 1496 wrote to memory of 232	1496	msedge.exe	79
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 4988	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	81
PID 1496 wrote to memory of 3376	1496	msedge.exe	81
PID 1496 wrote to memory of 2132	1496	msedge.exe	82
PID 1496 wrote to memory of 2132	1496	msedge.exe	82
PID 1496 wrote to memory of 2132	1496	msedge.exe	82
PID 1496 wrote to memory of 2132	1496	msedge.exe	82
PID 1496 wrote to memory of 2132	1496	msedge.exe	82
PID 1496 wrote to memory of 2132	1496	msedge.exe	82
PID 1496 wrote to memory of 2132	1496	msedge.exe	82
PID 1496 wrote to memory of 2132	1496	msedge.exe	82
PID 1496 wrote to memory of 2132	1496	msedge.exe	82
PID 1496 wrote to memory of 2132	1496	msedge.exe	82
PID 1496 wrote to memory of 2132	1496	msedge.exe	82
PID 1496 wrote to memory of 2132	1496	msedge.exe	82
PID 1496 wrote to memory of 2132	1496	msedge.exe	82
PID 1496 wrote to memory of 2132	1496	msedge.exe	82
PID 1496 wrote to memory of 2132	1496	msedge.exe	82
PID 1496 wrote to memory of 2132	1496	msedge.exe	82
PID 1496 wrote to memory of 2132	1496	msedge.exe	82
PID 1496 wrote to memory of 2132	1496	msedge.exe	82
PID 1496 wrote to memory of 2132	1496	msedge.exe	82
PID 1496 wrote to memory of 2132	1496	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://uploadnow.io/f/QBSHhkY
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcff9b3cb8,0x7ffcff9b3cc8,0x7ffcff9b3cd8
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,18164935522343773220,5271311074121104198,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,18164935522343773220,5271311074121104198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2480 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,18164935522343773220,5271311074121104198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18164935522343773220,5271311074121104198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18164935522343773220,5271311074121104198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18164935522343773220,5271311074121104198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18164935522343773220,5271311074121104198,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,18164935522343773220,5271311074121104198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18164935522343773220,5271311074121104198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4420 /prefetch:1
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18164935522343773220,5271311074121104198,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18164935522343773220,5271311074121104198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18164935522343773220,5271311074121104198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18164935522343773220,5271311074121104198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,18164935522343773220,5271311074121104198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18164935522343773220,5271311074121104198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18164935522343773220,5271311074121104198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18164935522343773220,5271311074121104198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18164935522343773220,5271311074121104198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,18164935522343773220,5271311074121104198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6912 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18164935522343773220,5271311074121104198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
  2⤵
  PID:4568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffcff24cc40,0x7ffcff24cc4c,0x7ffcff24cc58
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,11116420787976941639,4200387586206389892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1844,i,11116420787976941639,4200387586206389892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1948 /prefetch:3
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2072,i,11116420787976941639,4200387586206389892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2384 /prefetch:8
  2⤵
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,11116420787976941639,4200387586206389892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,11116420787976941639,4200387586206389892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3116,i,11116420787976941639,4200387586206389892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3596 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4664,i,11116420787976941639,4200387586206389892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4764,i,11116420787976941639,4200387586206389892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,11116420787976941639,4200387586206389892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5056,i,11116420787976941639,4200387586206389892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5096,i,11116420787976941639,4200387586206389892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4964,i,11116420787976941639,4200387586206389892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:3376
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x21c,0x250,0x7ff736554698,0x7ff7365546a4,0x7ff7365546b0
    3⤵
    - Drops file in Windows directory
    PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4896,i,11116420787976941639,4200387586206389892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3412,i,11116420787976941639,4200387586206389892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4616,i,11116420787976941639,4200387586206389892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5356,i,11116420787976941639,4200387586206389892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4844,i,11116420787976941639,4200387586206389892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3488 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3868
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5072

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2956

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\d4849286ad70481fb65f026c5c42b954 /t 1516 /p 5072
1⤵
PID:2828

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2940

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
db3dac9e550da37276e74dd9b42bada6

SHA1
66f8fe08d185057f6f50ffc63c9e5c58fb17463f

SHA256
e50d0e670ff5ce752fa2fbd1c603a8883aab1f3b301fc4ebd228fbccb6716284

SHA512
0dbde16c787938a32484410ee908337b1eb13b0681b9d84b0ad802d9fa15e95f2be7a27831591294aee3c90c64a565b6be681a7a1e42fee191cceb5ee8d8d242

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
88bd235210a0ab31305d5510a4ef401d

SHA1
420bfa7e077ebd6917c8124c392a4f1def48d57c

SHA256
ce7e8c239a6821b80ef30d57110b58cd60603aa0ff18c5b0a7e2a2d1fdfaa5b5

SHA512
ff33b29a8df341330666669e61d95e8aac87873271a28bec0b2ee057e3be668e186ffc0900d890344e768cbc7101ca083d1ba9892b8684ab21299ffb7f5fdbb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
db3d815c6f9e714e1ed21bbf19e8f59a

SHA1
6fedce48ef4c318c05c93ac0b60967dc4fbca913

SHA256
b6c689c06e61c3c981329449ad9ff1a87fb69741ae16d7179f2c12e336c1e172

SHA512
74135822b1aa4af5068a36e62a59f08afd098fd91107e3c3eba6c123d1b68ee01192338b3c293878f9ff178ad879379676f783a122eb0645c8ed8eadff7b2057

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
884d91f86ff34bd625caba2490542496

SHA1
6cd9e44a5a008d02c47df2b4ef6fb030601dc829

SHA256
2224f60127e7bcfc0f02a2aaa473d3f25f82bc55e6b1daee0ba031a282234fb6

SHA512
9d5d23c4b1593df69da64ff2ea42f641ff76831242d59fd5e126d17333fda80f40f54bed64397fffc2651c269ec0cab710e8f4c446d95323d379db3637b716cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
7c19a191dec7b55ca99841decd3dd816

SHA1
e88258ac4a6d327c692ef476878e18f8de3f5cb6

SHA256
f90de5636bb1120a4e9743652e03d5a414008ebb7a2566e64f6cbb68b080b3a6

SHA512
dc53d3c5bdcfa41fb9ca6e7cc31217ce193d70bc05ec8017947d7d86cf31b4b77cad82d33f78f568582dcfd007790ec04ac31f30acadd95d949a5128f9f55383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4a93447fcb48779052b86778d2c18aad

SHA1
fd0304a85e6ebe97527404594ad4f47c3c5bd641

SHA256
fa84ac7ed265477789d418cdaad35d185cf08cfa70277850c22cc7b35e577f00

SHA512
85ca740f1efbd972142fcc3b958e0946caa12e7dbc301347287f74d2310040ba913cdc84aa1ac77e62f1db1c7cce29d1e468485a1eeac7b0c3449cf8c08b30e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
88d84d881a8641a1ac18ccc838d9e1e6

SHA1
720aa5224013a5e87ba95fde9927f05b40b11337

SHA256
1556f45938b77e77e00114bd94378bbb88b6ac437305f8fdee9718b7607a63be

SHA512
26b0bf53cbe300e93e7eaddd4cf6dd42323019470bd63e20a27ade400263f3c0c6e96f815b84c4093073145cc4e42300d5795370d6fc22452982d15d9c80a8a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
27f9d59b735c84e52e30e254b42bf775

SHA1
28ecefe983b2c20265e936e3ff2ef3377829295e

SHA256
136578a40633e9ab6e467b23dbb635c9693a15d7abf629d4ee82a2454e849d73

SHA512
c69aa6dcaf1a160f451cf037519312b61a5417c50dd49252d12ca42c71d362a113c1015e71059df3c85024177ab49839e8a2bc8ae4335fa9e51bd9bf6b6c6e30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0d540958454def13401f16ff06387e7a

SHA1
906bbb3ed4a37b3730ddb34a2dac0392a7738457

SHA256
93d664688f463e57e867cde781188543a6341dc3a402772447ddc74b23de7791

SHA512
78b1bae1c0f94f425ada90e15f8763cbb65afe148684d4b0cf678b8fcd559415ffcfdd230da80eddf0682ee8c4e541b3c7acd962bd2ecbf6660e566e139abee9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
70f6cae8f9e151fabe94b03eceb789ff

SHA1
1c2e7faaf816422990377853c268e1328e9a96ae

SHA256
6e34ee9f7636bca96cb1f9905bdd7c6ed7f8f4c2d09d9b663601f37c9f0e52fa

SHA512
2d0f619415a46a4851054161127b84b96925a314060bbfb6a4f6746aa153cc3ef7dc239d4afb7ef35ba6f2c80925c3620c13e0085f1f3d32f2198026fe7a793e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
2cf3d11c33df9f70d93e40c7c3c8d1e7

SHA1
f58974799af64bdf38235dafec2f9bffd2575d04

SHA256
1395f70eefff43708d3c8dfcd3dc395267da4f368455f5a23f9fdfb26eaa636b

SHA512
31212535fcf38909954cd85d04b69364dcae547afaf9723533bb05137ee3ec98221574316ff33f08595051217b73b9d4d80e2a88618f688b9cac9110b83a082a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
10df28994f31b5e1e539578083be0401

SHA1
1745f1872e7b83072b5f957a9807a3f5f7fa72b3

SHA256
b46a08b05e03531e51a47521f22052ae27b47934fa3d3cced2c5e71d7c5456e5

SHA512
36ada0aa15eebc7c57ea2795d8df2f7b58d55baa92b7e2fe28aa08e7992ac5c52bfeec192c1ffc0130241f44b3d040a183550ab4bb78056d02e05acadac1caf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
acaaa2472a3dc547abc008b8a2af0c5a

SHA1
cb2c195346765b3c2b8ed12c285e5c85a8a871f7

SHA256
dd2998188cec92d283dd6cf763a3bba7b079adf99abdcf9d0da06f0735ede1d6

SHA512
f3aca8b63c59a69fc7c04c8e54576d963ab60c2acf8684d0fd75a5e81e021a829ba46411bf4b554f6ac99b5716eb6695708737b40f36fefdd11e410eb11f84d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
4d95c148569d0c9bf749871b4d5bdeeb

SHA1
c06d0ebe584043d5c1045d27f625a2df77fde8eb

SHA256
d170d7c93581b0957df965da92a0cdcd21fad88b59043357697e723c833cbcb6

SHA512
5f3a68d72c8a5c079e0f42780cc2664aa26d9e4c0319619587ec0aa8cfdbada71ce1bdde029ca2fc60bcc63f4f3cf8c13d387b5eabbed2d921b779692078444f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
16e951db0296e10999bbb61852deec7f

SHA1
4f7cd73ec80a5c65b26c2aae634ce3dde56cbb3d

SHA256
cf3e9ebf468af613015a8bddae76c0f8476f9e0751a176ecc288dc22cf2a857c

SHA512
fe4d434bc01af90efdc531d9f3862b92344b8cf84c9ed65baa7d37789f0985b5f158ce34a07042a83769c14603e0deb6bf47792f475bead8ea74cca82d2565a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e2612636cf368bc811fdc8db09e037d

SHA1
d69e34379f97e35083f4c4ea1249e6f1a5f51d56

SHA256
2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

SHA512
b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8115549491cca16e7bfdfec9db7f89a

SHA1
d1eb5c8263cbe146cd88953bb9886c3aeb262742

SHA256
dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

SHA512
851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
aa5bdd15d333fde65523bd3d1d9a3550

SHA1
225747249c2a95c7b0d091607254e30c9d5a2b34

SHA256
735df095716a88c1cb8b707caf41aabd983776898dcfd18976e19a733a6ce5c0

SHA512
791173b4c6f9afcc387e8700794e3581df655a786f4d18aba1684461bb4807365d08a3a5fffea72943b7603df104cd80f4180fa3c02e14f4769b52a072ea02c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
cbd07fcfd32d2c2dd908b87e30b15d53

SHA1
9cfe6654ada556c818bfebef959b2797ec8ce586

SHA256
1d97540ce05b759b788ae3ac269e04799fbcb8b48f57dc6fea63c0a24c6f0a61

SHA512
c3972a3510e9a09b265ada1abd2aca7fb86523e17729033550d75fb3956b75f2892b2a91101ed2d87beb292c2cf26206ac1ee3bb264d46789c9bcb17f2173823

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
37332749b6e2b23f355416168ba4ddaf

SHA1
634da6f6d5b01c1cb5a618b95d930a66e1bf86b0

SHA256
50c0e345b0d30cc362aa0ff344e34225f3eb6bf3e1a5de5f230ff17bbc25bd51

SHA512
a0eb9d2c0c90741d680e3ab0e2319d66c8c22e462afc2f1feb25ecaa96195eecd74c136e7962f37031fcf959190590ef8c17061c182bda9b39556c4806d35472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7652322eb2f5c6fbe30b48db5b0facea

SHA1
e8939caab1df39ae1c304851405be292760ff447

SHA256
bcd45d9162214cb13395b83ce74844c5b64fb7b1137a70a4046b0543408e6744

SHA512
02e5aab4b771328ae4f59090413648ad95c02c91c1ea2ebbf4e3e53c39dc67fce2088a5cc353ae78082880237beb33ffc288c52d1fa8072813d8982bd23cf175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
97f77b1582414276ebe25455b7fc4f9a

SHA1
88f0d6905c4a9e85b2cdd9002a982ee3483443f0

SHA256
d52d7e841a3a9ec952a40fe5f25380115f66701733aafb832f127e1fb925f254

SHA512
a693022c7f097f246d8d135cded35c7b88858b7f38f050145d4a3ae78950974a1f964e18a26ccbd4b74998298d169be450f442976db4955827a900ca667e6360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4e7db2c4a1fe65578948cda89762c408

SHA1
1b0b9c35db0bb511267346fdcde56387d303b5c0

SHA256
c497611cfbeb46809ff6b0561f3feae221b6db782925ad870f44ac07eaadd937

SHA512
d7eb6a5b4e5ec8edaa083abca04eacfe1f2bffc4b3c1be56c8e3a7509c21a746cd19a43e8792075e3f1d6bf6ba14fd92755d8984f511fb22e370079f6f24d1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
463cea59fd4c5c3c29631f66f3cb3b8e

SHA1
52955178531d0c42fbaa9896dd1cd5d30708b91d

SHA256
eba624063d9b50dc07f56bd8aa78775afe39ee5006674080ee5133d6353516bf

SHA512
6da642c591495d66b964f1b534868e22af16bd80b1c0e8b44b3816f493bab1230e495578783b3bf2b48be53ccdaac8d7d4038e984107acbcd3955fd31021fb23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bcb68424a7aebd60c9c473b9b8e5dd29

SHA1
7a99619b85f2643b6f318f6a3f2212561f4f124f

SHA256
f536f8afd686c96b99be55c3b09ca33704bd2b33315f17390a6ab2060377f1ea

SHA512
76404b380dbf321383671c409ab14251bbb9806614760db8bcb08a1f656f405870cde978c8e0f45a58480eb00848990febd4e29aa124b9799bf158728c48a258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a79fcc41acf8d4c2b9ee2f15eea0697b

SHA1
331e7065f7f3e9c8ecfd46a1db1d6fa2405290ed

SHA256
416ae6fe4910676270fd4de9f84a9c93c9b952ef7d333c94e78728c8b38e4706

SHA512
b8faee7f44cebb866109bc1530f02ae22f8bcc3f0ffd73c6c0d820003e4b955eefe85eea7be1190993ab128aeef5cde06e4eb59da3b33bdb75e6bc6bf9b256ff

Download Submit
C:\Users\Admin\Downloads\V1.7.1-Fixed.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit