hawkeye | ef41d4fb862241ccaf6d02e35157e391436c69b0d33230120227c46414f4764f

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19-10-2024 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63Rl7D.html
Size

512B
MD5

09488fe5978b285f6eb427385a60330a
SHA1

a4c33163c12571070bef54151cbd53a821d2d59f
SHA256

ef41d4fb862241ccaf6d02e35157e391436c69b0d33230120227c46414f4764f
SHA512

f2ead5778353df33ddaeaff947f766afe3ca943228dc66e367397b1c3d399c14b3591b26c1ca346f1492ff9a622244aa6b67f68a0b93b516d7691d79f4615944

Score

10^/10

hawkeye xworm defense_evasion discovery keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

longer-respect.gl.at.ply.gg:12320

Attributes

Install_directory
%AppData%
install_file
WindowsUpdate.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001b00000002ab4f-202.dat	family_xworm
behavioral1/memory/588-240-0x0000000000F10000-0x0000000000F60000-memory.dmp	family_xworm

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk	iiStupidFixer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk	iiStupidFixer.exe

Executes dropped EXE 1 IoCs

pid	Process
588	iiStupidFixer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\iiStupidFixer.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133738305073904606"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 94337.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\iiStupidFixer.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1636	msedge.exe
1636	msedge.exe
2956	msedge.exe
2956	msedge.exe
3372	msedge.exe
3372	msedge.exe
960	identity_helper.exe
960	identity_helper.exe
4196	msedge.exe
4196	msedge.exe
5100	chrome.exe
5100	chrome.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe
3452	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeDebugPrivilege	588	iiStupidFixer.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2376	2956	msedge.exe	77
PID 2956 wrote to memory of 2376	2956	msedge.exe	77
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1124	2956	msedge.exe	78
PID 2956 wrote to memory of 1636	2956	msedge.exe	79
PID 2956 wrote to memory of 1636	2956	msedge.exe	79
PID 2956 wrote to memory of 3584	2956	msedge.exe	80
PID 2956 wrote to memory of 3584	2956	msedge.exe	80
PID 2956 wrote to memory of 3584	2956	msedge.exe	80
PID 2956 wrote to memory of 3584	2956	msedge.exe	80
PID 2956 wrote to memory of 3584	2956	msedge.exe	80
PID 2956 wrote to memory of 3584	2956	msedge.exe	80
PID 2956 wrote to memory of 3584	2956	msedge.exe	80
PID 2956 wrote to memory of 3584	2956	msedge.exe	80
PID 2956 wrote to memory of 3584	2956	msedge.exe	80
PID 2956 wrote to memory of 3584	2956	msedge.exe	80
PID 2956 wrote to memory of 3584	2956	msedge.exe	80
PID 2956 wrote to memory of 3584	2956	msedge.exe	80
PID 2956 wrote to memory of 3584	2956	msedge.exe	80
PID 2956 wrote to memory of 3584	2956	msedge.exe	80
PID 2956 wrote to memory of 3584	2956	msedge.exe	80
PID 2956 wrote to memory of 3584	2956	msedge.exe	80
PID 2956 wrote to memory of 3584	2956	msedge.exe	80
PID 2956 wrote to memory of 3584	2956	msedge.exe	80
PID 2956 wrote to memory of 3584	2956	msedge.exe	80
PID 2956 wrote to memory of 3584	2956	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\63Rl7D.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9a8e43cb8,0x7ff9a8e43cc8,0x7ff9a8e43cd8
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,16228110632689699722,15766516809960232432,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,16228110632689699722,15766516809960232432,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,16228110632689699722,15766516809960232432,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16228110632689699722,15766516809960232432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16228110632689699722,15766516809960232432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,16228110632689699722,15766516809960232432,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3912 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,16228110632689699722,15766516809960232432,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16228110632689699722,15766516809960232432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16228110632689699722,15766516809960232432,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16228110632689699722,15766516809960232432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16228110632689699722,15766516809960232432,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16228110632689699722,15766516809960232432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16228110632689699722,15766516809960232432,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16228110632689699722,15766516809960232432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1932,16228110632689699722,15766516809960232432,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16228110632689699722,15766516809960232432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16228110632689699722,15766516809960232432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16228110632689699722,15766516809960232432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,16228110632689699722,15766516809960232432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1932,16228110632689699722,15766516809960232432,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6616 /prefetch:8
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,16228110632689699722,15766516809960232432,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6492 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4196
- C:\Users\Admin\Downloads\iiStupidFixer.exe
  "C:\Users\Admin\Downloads\iiStupidFixer.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,16228110632689699722,15766516809960232432,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1332 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1784

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99020cc40,0x7ff99020cc4c,0x7ff99020cc58
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1768,i,7279914098023563334,2463283127960081752,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1764 /prefetch:2
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,7279914098023563334,2463283127960081752,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,7279914098023563334,2463283127960081752,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,7279914098023563334,2463283127960081752,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,7279914098023563334,2463283127960081752,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4476,i,7279914098023563334,2463283127960081752,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4424,i,7279914098023563334,2463283127960081752,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4436 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4496,i,7279914098023563334,2463283127960081752,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3544,i,7279914098023563334,2463283127960081752,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4324,i,7279914098023563334,2463283127960081752,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  PID:5208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4952,i,7279914098023563334,2463283127960081752,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  PID:5372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5028,i,7279914098023563334,2463283127960081752,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:5456
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:5520
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff7e1374698,0x7ff7e13746a4,0x7ff7e13746b0
    3⤵
    - Drops file in Windows directory
    PID:5552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4748,i,7279914098023563334,2463283127960081752,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4796,i,7279914098023563334,2463283127960081752,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:6060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4552,i,7279914098023563334,2463283127960081752,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5288,i,7279914098023563334,2463283127960081752,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5304 /prefetch:2
  2⤵
  PID:5508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --pdf-renderer --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5444,i,7279914098023563334,2463283127960081752,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:5596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99020cc40,0x7ff99020cc4c,0x7ff99020cc58
  2⤵
  PID:2636

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
063a70c56c872342bb34d646b997ad7f

SHA1
57ba2bf64c76fdae2fa1b8f5f69239ddb39331f9

SHA256
c2d22be07eaf720a45f0d118c4676a6402ef7e4e60f64b88ea38d2e9854e24e1

SHA512
28c3854e631425fdec1d81c1eeb1b744925f380a2bab584432ca86e5bd3e28f37b9906311bfb5385411506598f3c3fca063e9321bf02949137a5e216c6240344

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
18c46416e4671f5ee75313dd04b5ce3a

SHA1
b777ce68e12f7ced6a8e362b0552cc9d1b73d2bb

SHA256
03ee426cc78c761552e6ce943a077ef5c77ff4da6a22dee477e1c494e2b8c1d9

SHA512
2388e2e04833531bf729315a9678cc40234b1be59908a729f0806415e9590e8aaf777be9c80216640e8ae69ca333464ad2560c5db03574f95d3a65ab8a799108

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
3d4be783def0119b3c3ef69d93261682

SHA1
0f35c2292ae955ae92a600ac89f350a18e5667d1

SHA256
4201120e40190cc469ba972ba82e8ee45855c79c96e903f802229fb8f1f925c9

SHA512
6acc1835d572989fb5389b23dbd9126de9e604509beb3ab881b12bb7fd3cf7e41d8306fae68a90877d98d7204b230b5f3ed3ede22403260079c0a9b7b21f4749

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
d128f9cbba1d67f65bc314d074e894f0

SHA1
3bb204a3f15d456fa0ab9353f42337d4e1ba174a

SHA256
256a91b506bce5463b9eafc1e89613945537df4e4ad56ead58ec1b3f94620f3a

SHA512
f8f651b89a905eebc2d89125d7531bb39e9257a48dbbe68a6cf2cc3d7f3ef04c99558e1b7441d8900713d077ab255acbe4f8ef106464d235b295f2565cc49bd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
01d123b9b26c9c90d8383bd17829fea7

SHA1
7a964b8828cc883284d99a6d044c482ddeb8b5d4

SHA256
c3c0952fec8c09d76c9c908d3c0695eaeaf999c6e7ab04100965cf587f2c2941

SHA512
bbf737c6dc2746e3d07b290c0aaf4ab3fd144cad0f1e9951daf615ccc3fbcf42e2ed7a6a44a9a47eb2df30df18f8a471a22134d47d11caa9a903bdf97010ff3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
01acb4be6483fd3c9068042eae24532c

SHA1
5e9171cb3ab8632311c91667b98037caf3480c4c

SHA256
6491f9020120a191d293d03439e80455e6aadb09dd70451940f7067e23187e4c

SHA512
7c80eb409b409eb7743285aab51fc7469d49508375d1a6158cef089988b9976aaf84397212dbcda3d3d044ab994c9cbd159ccb2e29b6bf558a250eb948a52413

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
1152f8b2937244d3c5992412dc9509d1

SHA1
d4f296d38ca3321319511da7cc1f988baff1c3de

SHA256
53f7feadefb21b1bfd62aaaffc2f90b1dc812104080691cc6ab2ae8690ba5318

SHA512
d7a0dd44a6f69b50987d1a744d7f92aa0f2fbdd6fcf328b8f52d98683e168a0f761f19ee228e54502803c3b5db21b9bfe4133bef38508940ad9bca8fae42c281

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
739443b84d9b5eb055c6f2265545375d

SHA1
ceadd2c01d84dd179c3582b600997d3334b93fb4

SHA256
4e5d2e45a34ce9ea7cab5de141756d88ebce07d1ed67a7109daddaa6b57f3cc0

SHA512
f6124d12e77130183259825ef95d2150f6d17c2eb28a88cf5951b8e7b112144d0e52b6ef9f174a181a9a241c50bf9939f2de7be6ab1dccb80d2650df18d1c99e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
003b92b33b2eb97e6c1a0929121829b8

SHA1
6f18e96c7a2e07fb5a80acb3c9916748fd48827a

SHA256
8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

SHA512
18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
051a939f60dced99602add88b5b71f58

SHA1
a71acd61be911ff6ff7e5a9e5965597c8c7c0765

SHA256
2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

SHA512
a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
7286830e942a05d1e0a6362d52e19f5c

SHA1
492aee98ae8eed79400790dd7d489ddde85cd71e

SHA256
91dd2599ae12974170211eddf819fe401711031fce4c34f396f655c236ee3ed6

SHA512
2b5751cc799ee8ce0af3ba7a9c38549b2cfea1ab36611f2ca62c9b3d6cacfc5f37f7e1637d29e0973c2787892663bbe78c82f819e8efd5b1a6011f63efeb2372

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
461B

MD5
01c83ee183e0e55fc549aabd1cbd1e34

SHA1
f8f1ee123c47fef17c13c6eee1e15f9a412a1ecf

SHA256
c36f262917eba5be8a3a746b5d3970a736f9fab103c7fba0f659e8632fd79a3a

SHA512
bc5a8f7ea844f9178994b67f2a9b8c0f0296bded6801aae113e7f99a6756ce65b58326d1ff61618adff9ff32291e42f1bcf6404ddd898385b1c0fe9658e3179e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4d4065b065291fa460c84fa0a43e42b8

SHA1
62055ba4326d552c5c481db1dda08eaafaf12b53

SHA256
54baf7e599d06bbf7868606dfd9ec2d37d9f1b972d05f5b8c833b051dac8bea6

SHA512
cbad628b91fda19547ee09391d642857495bada697903f8112ad6e925c74dfbc83ae6626d04f0ec3bf6510a4c8bbda19869f64cc33be4092e54c07db34812f0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
40bdc5caa6855e52684a8065eae7843f

SHA1
b64b23b82072aef9c8e3713d3b7f8e74a5262702

SHA256
19f450e042558530749a6a2f8bbc2f571ab91f8360d0e85b5ca684a70b23ad77

SHA512
38d36f9480b378304fcd6ffc31c7030aef8664bb975fd137cf0f0360270b7f6bdd1960a977e359b03fa92e1393d2e0065d15acf9ac3e790734cd8d61c78b5aa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
49aecaa1be6dca6b72a84a82a247af4d

SHA1
a74b526a342f8f446d00a4567df8bafc63f37171

SHA256
7fa8327546323b3c2a14026d026d6e797f9b964d60e465b3641d6db81d021168

SHA512
69dd0bf909118aa59973fe104ec44b06f963b6c8f99087f487cae485db545b272e93dfb48297105992336816cb1e416936fba83f097933a0332443d388322cd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e7f38bc086a8e75452b472c2fc412a3d

SHA1
2f017555b73e4cf935bae4a875322bfd9df1996b

SHA256
3d5c2347950bcbb30301a8da8578d17ec41745d4d4a863764162f016e3411ce2

SHA512
f4f9b4cd4e76d6b8fd9e895703a77316f6a036356cef825b5113d7b59a311b7eaed88d647c720d987767c2a7e34a698b32931e989d8056ee87663caf0879d7dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f6c081480964a739dfdf04572a51b53a

SHA1
806f163301d796e56b3d3e2812e774c20eaf051c

SHA256
3db9274c187f964bf69d5fe01b6cf32c0c5f4b702696db7e588ed9c41f2088a3

SHA512
3322022cad66ac6c12c40e47c0cf222b306355111dee6ff1c6222331bbb71199b164558942d1865a4c3f724419493d2ea4013d565b441b7fa5df0cd46e00180e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1853416e7b83b1adbd79ff472e451010

SHA1
45bd5c2f78baba0a403e68d9e6e0c3a27c79b8ee

SHA256
553d64d4244e1fd46e1bc1c2cbd859fbbbc30eef0b1ba287132f3db1b6c1324a

SHA512
feae20b3beaac69fe373d0d2324cbe03ddcb02db7b039bb4e3f6e74d020d1efd402cd9b26dd07d6850aee0fb7e92bd5d29eff2b71ee30d70c8a377687744f981

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
bf5a2b5b02e5a5e7109265f9a312e558

SHA1
9fbb2eba44b2427dfc635cdfe48975cfbdbe74bd

SHA256
e05bad0e592a37f334fe33bd541bae73bc848d3016d8a627da609c78b7f28cfa

SHA512
9f6c9fcf741ab99290c2f48a7727efd43ffe6054e5c5f7db1e7e92c4c4fdcd608f467d65f6dfee1129e9a64c0a53cfe444fef04533a051b8b759794199d09c1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58896f.TMP

Filesize
370B

MD5
d61775620e40765637edb5b7844db375

SHA1
9477e00c79a853143951729da239603bfd0bbf07

SHA256
c20661e7fe8af83925f7f2695ee0e0a8fffba790e189e1db4805cea27f9142fa

SHA512
9c48c13eb815c99c001e27e37706c8e844fa36b01559352da7887c0886efd81e72cffe7314ac19185d87f6a3c6f49a4573d89847a8e4eb71c3855fdede57e4db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c67e6ad92051e20b06bc45a9d0192e5a

SHA1
cdc13e6bbc434b5d5eba47148ae158cb2901a7e9

SHA256
3ca39bb27f1f301623d39e5c3dc640e77ef9641069ebe5072b9900205efe1f95

SHA512
0aee224cba5d040b37284fde4c3938e42ea8445866dd1232d15cf70b4e2f065f417267837143ecbc2cc26c8ba1129eb1b000e78bc1b4fac96b0d488b70f196da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
66bfc109efe77bd5d3031859e8fb7c93

SHA1
b6fd4b82ceff32245f938b5da8786a433d1ad14b

SHA256
33059fd2a926db8ca4f264ff9bbac6e071a6643212e3252517266458aea3bc5f

SHA512
be0f6e4a515746dad0f38eeacb950b63a0ab6dcb35c2d6fe7b66288a0cd71c4ac24b16ba07477c4b1b926bdb17e242f2043f835e9dfb57978493668da782615d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ba2ce002-1b16-4f38-83ff-9ed1262fd6bf.tmp

Filesize
11KB

MD5
66d88b0fb658f12e9062005f7b7a366d

SHA1
38d91d977a9669ec1dca30bc21420e70a3748e27

SHA256
4913da8a2c372490f250b9f971ba94bcc01ca5a91d19c085a7f4dc689ca27ac6

SHA512
c76dbac54c4aad4ef43be6a502e70a1c7c6808c3ced1c64e51fc68efdc9f12c29bdc77f5f0cd91e66d8f4096293d02a8c89bb8c9d5d26fe83a2a9b523fddd2dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\f518831f-49e8-4fda-a1c2-5d85c08e5aeb.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 94337.crdownload

Filesize
295KB

MD5
b822a828a667344f5beb6d8eddabe1ed

SHA1
46c238add9e00d06a34cf13842590129d402985d

SHA256
48b931e77c4911c224e2f7ba30d514f8262195ff12019106940adc5c226522fa

SHA512
67e2716dc2d581da2874d9ecc8a8956c3dd3aa74f4c3f16f3578aac01cf1b1daad5775350f3b77ab89b352f2a9b16df615dde955729e34219e189b5a7af35f66

Download Submit
C:\Users\Admin\Downloads\iiStupidFixer.exe:Zone.Identifier

Filesize
58B

MD5
f328e184c322cba91dc3c014fe2ef3e9

SHA1
2aab1f0a70009051dcc87350e0f3b079da02fbb2

SHA256
fe25e31061b432c3a3fdd8f797c6dadad253e83dfb305ee997a7302cd70b618d

SHA512
e59501b550ea64155d134ae832812004ec298a44519eb03183542599174b7691be3225f6fa5064d45ed7ec81f0a93721eb8f401d7e2a49c4b91a70ded006c97e

Download Submit
memory/588-271-0x00000000030E0000-0x00000000030EC000-memory.dmp

Filesize
48KB

Download
memory/588-240-0x0000000000F10000-0x0000000000F60000-memory.dmp

Filesize
320KB

Download