d3b1623d3be54832a44b509d1d0b7a8685abeea26b42c7e09a87467927dd8f7b

Resubmissions

15-11-2024 16:47

241115-vavans1pcl 10

15-11-2024 16:46

241115-t96x3s1pbn 10

Analysis

max time kernel
1712s
max time network
1715s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2024 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

drum kit_sound.wav
Size

187KB
MD5

cc3076fd52cb56a0e8b5736edf9355c7
SHA1

deaa3a347763021649e8aae1c5c5f23b8f8a8143
SHA256

d3b1623d3be54832a44b509d1d0b7a8685abeea26b42c7e09a87467927dd8f7b
SHA512

ab54ea1315d70f88e4f7c0afc4f321ccfd056daeb77a53644eb8f31ee82aeef47a0af9d109fc95b779add7f61e900d6f703d9781370a251b5adb54962e540519
SSDEEP

3072:uul7lHZycwPgqmt+iGTvIiA6/N6HJatSHvArukZHbVdJy6ynEQ1irxAw0O:uyVcGqu+pv7ACNhgH+Fy6T

Score

10^/10

defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

RedEye.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	RedEye.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	RedEye.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

RedEye.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RedEye.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

RedEye.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	RedEye.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	RedEye.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

RedEye.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZAM.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro_x64.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZAM.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iExplore64.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.scr	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2start.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned64.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.com	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.com\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.com	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned64.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill64.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mb3-setup-1878.1878-3.3.1.2183.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mb3-setup-1878.1878-3.3.1.2183.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwCleaner.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iExplore64.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill64.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.scr\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.scr\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe	RedEye.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

NetSh.exe

pid	Process
1556	NetSh.exe

Loads dropped DLL 8 IoCs

Processes:

MsiExec.exe

pid	Process
3632	MsiExec.exe
3632	MsiExec.exe
3632	MsiExec.exe
3632	MsiExec.exe
3632	MsiExec.exe
3632	MsiExec.exe
3632	MsiExec.exe
3632	MsiExec.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RedEye.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\RedEye.exe"	RedEye.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\RedEye.exe"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\RedEye.exe"	RedEye.exe

Drops desktop.ini file(s) 7 IoCs

Processes:

wmplayer.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exeunregmp2.exemsiexec.exewmplayer.exe

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

RedEye.exe

description	ioc	Process
File created	C:\autorun.inf	RedEye.exe
File opened for modification	C:\autorun.inf	RedEye.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

RedEye.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\WallPaper = "C:\\redeyebmp.bmp"	RedEye.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exesetup.exe

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Drops file in Windows directory 4 IoCs

Processes:

svchost.exemspaint.exeRedEye.exe

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File created	C:\Windows\Nope.txt	RedEye.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

NetSh.exe

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

wmplayer.exeunregmp2.exeMsiExec.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exechrome.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid	Process
2884	vssadmin.exe
5032	vssadmin.exe
5916	vssadmin.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

LogonUI.exechrome.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "5"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133761649214183183"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe

Modifies registry class 16 IoCs

Processes:

wmplayer.exeOpenWith.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\md_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{366563D1-7CA2-43A9-BFD3-485F73052EC8}	wmplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\.md	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\md_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\md_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\md_auto_file\shell\edit\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\md_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\md_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\.md\ = "md_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\஑淞ᔀ谀耋	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\஑淞ᔀ谀耋\ = "md_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\md_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\md_auto_file\shell\open	OpenWith.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 316271.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

chrome.exechrome.exemsedge.exemsedge.exeidentity_helper.exemspaint.exemsedge.exemsedge.exemsedge.exeRedEye.exe

pid	Process
2908	chrome.exe
2908	chrome.exe
2716	chrome.exe
2716	chrome.exe
4632	msedge.exe
4632	msedge.exe
1048	msedge.exe
1048	msedge.exe
5596	identity_helper.exe
5596	identity_helper.exe
3820	mspaint.exe
3820	mspaint.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
2668	msedge.exe
2668	msedge.exe
4780	msedge.exe
4780	msedge.exe
4408	RedEye.exe
4408	RedEye.exe
4408	RedEye.exe
4408	RedEye.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid	Process
5672	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 40 IoCs

Processes:

chrome.exechrome.exemsedge.exe

pid	Process
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

unregmp2.exewmplayer.exeAUDIODG.EXEchrome.exechrome.exesvchost.exemsiexec.exemsiexec.exe

description	pid	Process
Token: SeShutdownPrivilege	1684	unregmp2.exe
Token: SeCreatePagefilePrivilege	1684	unregmp2.exe
Token: SeShutdownPrivilege	3396	wmplayer.exe
Token: SeCreatePagefilePrivilege	3396	wmplayer.exe
Token: 33	1368	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1368	AUDIODG.EXE
Token: SeShutdownPrivilege	3396	wmplayer.exe
Token: SeCreatePagefilePrivilege	3396	wmplayer.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeTcbPrivilege	3008	svchost.exe
Token: SeRestorePrivilege	3008	svchost.exe
Token: SeShutdownPrivilege	2896	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2896	msiexec.exe
Token: SeSecurityPrivilege	2008	msiexec.exe
Token: SeCreateTokenPrivilege	2896	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

wmplayer.exechrome.exechrome.exemsedge.exe

pid	Process
3396	wmplayer.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exechrome.exemsedge.exe

pid	Process
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe

Suspicious use of SetWindowsHookEx 34 IoCs

Processes:

mspaint.exeOpenWith.exeLogonUI.exe

pid	Process
3820	mspaint.exe
3820	mspaint.exe
3820	mspaint.exe
3820	mspaint.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
5672	OpenWith.exe
3472	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wmplayer.exeunregmp2.exechrome.exe

description	pid	Process	procid_target
PID 3396 wrote to memory of 1256	3396	wmplayer.exe	85
PID 3396 wrote to memory of 1256	3396	wmplayer.exe	85
PID 3396 wrote to memory of 1256	3396	wmplayer.exe	85
PID 1256 wrote to memory of 1684	1256	unregmp2.exe	87
PID 1256 wrote to memory of 1684	1256	unregmp2.exe	87
PID 2908 wrote to memory of 2524	2908	chrome.exe	104
PID 2908 wrote to memory of 2524	2908	chrome.exe	104
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 1480	2908	chrome.exe	105
PID 2908 wrote to memory of 4544	2908	chrome.exe	106
PID 2908 wrote to memory of 4544	2908	chrome.exe	106
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107
PID 2908 wrote to memory of 916	2908	chrome.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\drum kit_sound.wav"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:2032

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504 0x468
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcd955cc40,0x7ffcd955cc4c,0x7ffcd955cc58
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2004,i,6251470858206128899,15088027433218025765,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2000 /prefetch:2
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2080,i,6251470858206128899,15088027433218025765,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2068 /prefetch:3
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2304,i,6251470858206128899,15088027433218025765,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2484 /prefetch:8
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,6251470858206128899,15088027433218025765,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,6251470858206128899,15088027433218025765,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,6251470858206128899,15088027433218025765,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4432 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4876,i,6251470858206128899,15088027433218025765,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5000,i,6251470858206128899,15088027433218025765,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,6251470858206128899,15088027433218025765,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  PID:3388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4992,i,6251470858206128899,15088027433218025765,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:668
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff63c524698,0x7ff63c5246a4,0x7ff63c5246b0
    3⤵
    - Drops file in Program Files directory
    PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5236,i,6251470858206128899,15088027433218025765,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4080 /prefetch:8
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4420,i,6251470858206128899,15088027433218025765,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5268,i,6251470858206128899,15088027433218025765,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5328 /prefetch:2
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5604,i,6251470858206128899,15088027433218025765,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:1432

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcd955cc40,0x7ffcd955cc4c,0x7ffcd955cc58
  2⤵
  PID:692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2096,i,4051107705842823701,7933270404877399046,262144 --variations-seed-version=20241115-050104.422000 --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1820,i,4051107705842823701,7933270404877399046,262144 --variations-seed-version=20241115-050104.422000 --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2300,i,4051107705842823701,7933270404877399046,262144 --variations-seed-version=20241115-050104.422000 --mojo-platform-channel-handle=2312 /prefetch:8
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,4051107705842823701,7933270404877399046,262144 --variations-seed-version=20241115-050104.422000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,4051107705842823701,7933270404877399046,262144 --variations-seed-version=20241115-050104.422000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3648,i,4051107705842823701,7933270404877399046,262144 --variations-seed-version=20241115-050104.422000 --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcca5346f8,0x7ffcca534708,0x7ffcca534718
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:5740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:6072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2676 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1704 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6516 /prefetch:8
  2⤵
  PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6900 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7080 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1300 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,7276791098774191339,16026188989629852011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4780

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2432

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RepairComplete.dib"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3008
- C:\Windows\system32\dashost.exe
  dashost.exe {4578443c-f3bb-4df3-b9aa21323ebd144d}
  2⤵
  PID:5612

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3180

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Browser Hijackers\BabylonToolbar.txt
1⤵
PID:4728

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5672
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\README.md
  2⤵
  PID:5580

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\BabylonClient12.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2008
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C02AF29266B6E6BC3B1117E402F60151 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3632

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\RedEye.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\RedEye.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Drops autorun.inf file
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4408
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:5032
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2884
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:5916
- C:\Windows\SYSTEM32\NetSh.exe
  NetSh Advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:1556
- C:\Windows\System32\shutdown.exe
  "C:\Windows\System32\shutdown.exe" -r -t 00 -f
  2⤵
  PID:4496

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5824

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\RedEye.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\RedEye.exe"
1⤵
PID:1680

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\RedEye.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\RedEye.exe"
1⤵
PID:872

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3930855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3472

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
980ebd34ef8cdfa9900dba4fe367d2f7

SHA1
35955645e6324fce99a971a5a80ecae0fc21d971

SHA256
d5384308d29f2f9478f0d1354e9f94053300496f3b7cd2f88f5f8d00dbe1482e

SHA512
470cce060f4dcca34b26c8c3b2d3d4024c12fb4631ed8251e942e7e992149a422f30526b27f9f55c13d5d9581f022d3b18439893c6b0455180ae70c0fb24430a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9de82967-85f4-4d84-9912-ec0baade838b.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fb86ae27a38334fdcb001bcfe760148a

SHA1
618682e2b3d5b0ab2f5c01a9632b5c305c7c557f

SHA256
1ebf7b35cf8d55af67953e740932d6fca603b3e28c0c5666d72f603e6919f572

SHA512
72fc926917abb284afa876752f18450515d915125c9d115f989af1262fb6342604533be437196954d204af7437180e67415bbf9faa568276b1f00567eadf598a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
7746e68d654efe33aad50bf850a9eb40

SHA1
b9fc2bdaf91c425207f87768a735df5ef3e9db81

SHA256
dd842cee58c9d31d81cede77e8db66b226889170b4d38974dab2e996a6c00168

SHA512
2e59d7a76213732785f0fa2fed1f3d54e4c27a5be47d998a8454a6ffce58c57f848de238ddc3fbcac5e5b307c6f1836d7ea44d97940c7120d28e94b1ad17b7a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
a355de5836cfb0f4e36d10b5bbd4414d

SHA1
540861c89567713f324bebc4ff253264e7b0fe62

SHA256
3897d303685cc6c368b60833519b8e81f5ab9193ab26a326875e5480bc3b4aa9

SHA512
cab45caede7cba491ebdc33b3635b3cad7f76b8158c3374c0932c6eab1a1a0f47fa823caa04cd1baa648a9a4289e1c0f354a5ccafcf4621f781712dd79126251

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
0c91db6214f5ecf8315eb8602ae41c64

SHA1
16f959dc12b3c9852bc72fff9ee74c7d674d23e4

SHA256
435bd888d4776201552bdea304d975022cb88afcc14545003409a18ccd7f70f1

SHA512
47113c84479db4b6702bf71436502e3476855b7bcbba1d4ec6c3a1e33efde3a4b94d556d955bff29fb3e0f56eb2bf92cc6f6b04a69d19c5c37c867efe55e89e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
f7ede2f4c29b05fe215641e2199fde53

SHA1
6d1aa4f494753f96a251e873c445fcff28a5ddb0

SHA256
bcb7bfbc15c6bdb784d96cabf486ec225daccd98d411954577576ee468fdea6c

SHA512
3dc0e17e173059e5630fd1d076243131aeddcf536eea49c8ab7e3a5ef0964c2ef8e7fcdf311a7d77e54b1373e91a9119edf21adbd0dde0912146078421f0a8dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
41KB

MD5
503766d5e5838b4fcadf8c3f72e43605

SHA1
6c8b2fa17150d77929b7dc183d8363f12ff81f59

SHA256
c53b8a39416067f4d70c21be02ca9c84724b1c525d34e7910482b64d8e301cf9

SHA512
5ead599ae1410a5c0e09ee73d0fdf8e8a75864ab6ce12f0777b2938fd54df62993767249f5121af97aa629d8f7c5eae182214b6f67117476e1e2b9a72f34e0b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
e1c4ad7c931fbdb82d2d1930de1c9898

SHA1
37183e0deaed543ca0b9465fe3daeb2b96a3b8f6

SHA256
8848683ac60e336e157936a6b00014d4a65b925e101673c36a4c9acbdb77de1d

SHA512
091b95f940cb7a28c0cea7d468fdbf13611082e5296fa4e66dc46b0b6a56a515e97a851d2d2c57a3f1a7ad33e23b5dc00e1a703b84435d7ca456330e76f8ae19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_metadata\computed_hashes.json

Filesize
4KB

MD5
7a3448db5fa5835d53a800aaa881be43

SHA1
2648c873fb8f04ab6ab5ad08f237d9960ec9da80

SHA256
73c4b3145bc4cc4c936ddae8ec853c3bd6302b7ad4a98cb82df44563b3e0995a

SHA512
f7d91d6dfcdcc2a14ef69bfdd6499eedf39c65700cf96c2474c067fb2f02c31eb344736ef5f66d37facc00858620e1e501bfae2f3596659b93368a44041abb4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_metadata\verified_contents.json

Filesize
11KB

MD5
f897300492e3ab467e56883d23d02d77

SHA1
decd6dc9e70eccf9b45983147680614c019b99ea

SHA256
f9b3a5747dedcb5aed58fcfc0f4fd3bd2f2e903f2ccef90a92a73dbc0f8c3dbd

SHA512
b8ac574e24814baf04a264e7f3f00b4285cd7b66104dfc77897440a898fca5230775300ec7def723678975a04c2cd1bc73a44f77da26262e8704029930990c62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons

Filesize
20KB

MD5
8669461abca4ba8275daa5da74efd343

SHA1
7b85cff1902a4ce0216514e8bd9f091a97418312

SHA256
87e3c7df6d2932d0f527ab2340a8c25f6796ba23d695a88c69d6e3e0fed893a6

SHA512
f007c804ae19f2b39b28244ebbf6326d08da1a6324a1a0680ceb7e1e1d4d8affce864ca3d77641eb8a9940a17153753f5f8d99563ee353cdbadb30d06759455e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0

Filesize
44KB

MD5
4ace08e429dd163d279b39c949fc84ba

SHA1
e1fcd89ab9b7dc646911b557d6e78ab8e4ddbb8d

SHA256
5cc437bb8aad8c7dd61184e7eb5e1a4fad704772725256093dbba1b08979a563

SHA512
32447fb1205b6bcb1837525b3d2f9784b1501153d38afd7885ef1fbdf551aeabe0a2b02444924002466b016f6eb36d23adec7a099ab66fb66ad29325b565ceb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
b85a4820437fe4a8f28f8f96f6eda78b

SHA1
d248aae70f8b5ddcd6c91b6d09437ae5ec5914c9

SHA256
b746dfad7b9ce81078eef445c961b8e3668c5af28d774058978ca27a49e08f8e

SHA512
de5b197e943b06ab31cab8fa35e21de08a3da39d7c2183617f33a53df8268f06d83985f9402ccd3f395902fe03e83fb93f8778f103ffebccaf667a8ce34e8b2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2

Filesize
1.0MB

MD5
2d733aeb7a107f24f65962648e23431f

SHA1
82b32b1925649328ffc809074e3829bff768166b

SHA256
cc5acc40b12e502e7e041e18451c8f0351eb9f71ccf274972f72507321e3e4b9

SHA512
fbde7b22fe7a5beb101cac83b654d179525a62cb90900f3ae2e96b493b0a95f247b24cf1e7e7a3607fe28efc151037a8d42faac418456ce34e7f7bdbea7e5a5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_3

Filesize
4.0MB

MD5
a12709210fee65b2b103b3a2872fe187

SHA1
60f5d9b907cf39185860d65f8c2e47e955f181b1

SHA256
43b67a681d2b0f10eeaecf7257bb1ba273cb1a19cb824ca9026121aebfb77931

SHA512
de841436ddff49ed49d7312129d3b432409ed063eae46df1cce480c8cce7fd90d5e6df1689d650c1624cbcc5c885f5d36bf1c0bc6a834c9ee25bb7abf0842f1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
160KB

MD5
bef70c7dcfa23ecb4e06a313097751bf

SHA1
94976611244db6f360b837c7175c5ba09fd26bd0

SHA256
2e376a8392028c1982b627a3bebd0d70bbc29792837c87282f5a7032ffd1c163

SHA512
71f359088c0c4ac48644c3033963424a5c598b1b818bc35243209f48e57e0fd8bee4a5e66b796f9df135d42a1fc5ec604ffa1424102e9feed8b1a17b1d542264

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
278B

MD5
a1b42b2a07ce4fada7f4653f3f58adb8

SHA1
fdc2a987552825cd82f845b8326f3256f1a4babd

SHA256
48b00544affbeb71e9a0c2a20735a135ac97f47b68b5c8ca68799c576335fdc1

SHA512
44ca9b99acd93b1e6c37f1a9c457ca6fbb2319e35b7626c721a52e1d27aa8b11dae66ff1ed662b7a6bae0ef2de167149f9b06fb51fdd7b5f21281e2b35f1de2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
69f021a28b4a942831f66505b994af94

SHA1
18fb29ec98d761ec1abbdcc9c3f5b66a708450b5

SHA256
6f356750b7f0354272725a3184d563ccf54110e730974459fcea9e25877bbadd

SHA512
a7603256a2e00966e6cae900450299187b641375923929878e077fb80b075f1093755dda1b0d904c6b70cfec0f3a0981052255e89cdf0ba1de736e7d1170567c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
f1e4db65c8dda90cf3eff00cc74421af

SHA1
69bb037210025b8e95c561414cdd4c13e25441da

SHA256
613acc6ee740395d449a0c46d1bc6d3549c82c681af9799931d0ece955b561de

SHA512
c30aed03e98363899a6c92359d46e095d5e2c21b8d9a65a94a1b77d96cb7a166b2c7db681133c0761732c934260db0a678a23f51d6130e666bde551af98bfa79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d4c7d51a01932274e03ffe0c1c777e8e

SHA1
fe9e2dd1c854300b1dd62301295440dd67037af4

SHA256
4f2408256e6813f15c2edcea24fd074ba05d7fa12679c40d3ee9595447449efa

SHA512
7d24571e9914e3ae5e79f439ba3a14691ae79d1f6d51f5a144b502b15db8033523ce986883ad2bebbe2671d7c0142edf6bd80f5fd3db1198738fcf32f645f1e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
fed9b5b80efca7546ba62cebf915ce8c

SHA1
76edcb1a7683dcd7a46d50ef1820f2055a6ed890

SHA256
94a903065c78c4c547e954f5a43c927b55c0266b2a4d1e1c408e149a7085c00d

SHA512
09a8f1847c213c8698d5ae2a8d92892c1c0955eca13664d63618f76410d685bd7173d37d8d3c536d31415b6d7314e20fe074d3bec9808f05bae24fff35217cdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL

Filesize
36KB

MD5
389354fd5ddd5bc1bfc2b5150e62f086

SHA1
069334dfd24c302ac82d6fb1c8290aad524a6973

SHA256
89e3fbf7e8184f5d2d522271b484036f8ac56901c5679720a68166bef1296fb9

SHA512
dc8043152caf5984e7684ea60d67e0c972e2a389e99391ead0aec0253c5c63daffe5192e00a36ae58c48c87df0c3cc78ef0eccc1abe76600d14eedaa2e825534

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4d572c412c2b32f8b9c6d8693a7e41d0

SHA1
e53ee54c4db8a05102fbe1da0b64d4fca22d6ac6

SHA256
c40e57b50df2740e2f7f9120f36e1398e07d4fdcf6882af91f09d5d626f07522

SHA512
0b10e462a5cf151b61a57e3bdda7ab23874d47ce25b30e16ab9f80a1895755ad1e6009089d53bc8ad26b0e4403fc8d323b1501b6a042c5ae70adec422b2598e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
980f24f534e0cf092ad3b1a12e27c036

SHA1
7a585c95bc94021a070308642c4640604764f4b5

SHA256
cc7ab5835c9c19fc6a9806a29ddf2c6d94594eb57a7079f80b99fbc0e536657d

SHA512
edc5c3af570ab8b9ad7a471a627bdd7a3cedb1ddcaa899ce984c8e908caad414964c941d156bc7afb01a3e587431f8b9e2953964cb9a6ff658cc33b8c88fcabf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4e1647d05eef63e486c47162c3912508

SHA1
b2a8d1f6c94faac3aed34c436944d62418cc8fb1

SHA256
4cf27c945475933cf81c9afdfd76ac598b2281f6fbe9d1bb735b4bd36bd2cf4f

SHA512
54cbbfea855b8afbdbbb35c5c2afaba020477611802efe97c193a59079bd805aa2a0b8429b87a7c2a724fd01d1af0990acda0ff33093efb27d32d2488d36ba53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
716e7de858e54d9bb360c9fad0d74288

SHA1
02106d49b046ac0ea7cfe88b807b46ba13ef5e87

SHA256
4e37b7b47cef519cf41d9ca0e2ce9d9b34e9b782557c10a083b92c4e1a037bc0

SHA512
518855d70c556075485f4a362ceb9b2551e4801702f8e4e1cb71705e1501cc43b39b027fa59c90ae6abe0206ddb17255d7d6c27dc0ed8d97f33296f41eacc66f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b41f28dc9f7a878fe07432ee034bdf2c

SHA1
417269df2866b038b3d562926f97dbf6bea33d96

SHA256
dcf7ad65b2581156e0c6ca6ac6582ddb625871e040d2c49c1093ac7c5065c2d2

SHA512
1c4d02a0b69bb06d6d2e67e43b21d4dacca22c26f97d24cd2c4b7d2e3c93e61a4ef30dcea7556abcff2b263a17f9a0e604600d04280fbc2bcd2784804c8ba335

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cf3f9b7516c0f12ffbb5073652109393

SHA1
652619337c782304cf7e16b76ee000512aea5a6e

SHA256
1277f692733b71a8c7487f47b1800ab67347f72411c4d5794b08291b09e0dd79

SHA512
6e11c6844563b04c160d6a456d6f7fe6d04018798d1202b1b058de0290a366ffd31c2aedaa7aa1d0bb12740555fabf2443bcab6f510a165b0446b43888571871

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
76c69c0a62500296cae3dcbde7565eff

SHA1
4b1637257fa0d8b4bbcd1933fcf0bc7a083d7511

SHA256
08d6086099ee0ddeadd7edaba7d95f1f5aff461da3e9121d943d868ac22cf6ac

SHA512
4f13dee1bd39c02f2b2e6537364ac236e65c19c2b9a7c22ca3c635687966575b0fd48beb0560af7566b011094fe8774f49d324fee6d57a9782005a3ad8e72945

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log

Filesize
3KB

MD5
62f24a779e6c89eab36fdd7dceffd0aa

SHA1
592ba69a6aae805ecbdc7b466837f1493b6aa9f2

SHA256
473d34ebab56fe71e290432ec116404ca771e679f8aa590d442ea783c911d2d0

SHA512
e4827419c7688156d73febf5e62fedd473eefc9a87e53cdee5a4b4b2a6feae6e3047df8111fd567d466d5659b7053a21d3b97294f42fc3a93d6c4c0b10bbe70c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG

Filesize
333B

MD5
4c6e24993b6a0fa2790ee5ae27500377

SHA1
8a877adb955cc5555a6dc3544434b2aad923314f

SHA256
3eb07b8c44bb3483bba436334df047097ad7150ec8579977385397f81d097e58

SHA512
d85996a5610e35b71077e492da8b9608466dbb84a87e12bf2de421c5efe720fbf128a81bea651dfe4f79f447b9c76188710167b435d177fd4a1d61b05ab6d844

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
35361c41bd88cb43e309a4ffb0130fd1

SHA1
c3cd7ad2780a897db953a4984daeda16727ba3d2

SHA256
eb651412a614dbe0cce400bdc900269699990a1c1e946be3d2ade05fbb9281de

SHA512
76c452b4198732be938279e44b000d54c0fd30d290d662c2005f7f2a987595bd6a4b99c6f8024a2b62a9f5882953000ba3ca075d6b8d5930abc85f735989b239

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13376164936706994

Filesize
3KB

MD5
76ef78f4369e22c8806f5f267668697e

SHA1
faa4e7f8d82577b9e19e0751760d2041dbaf1fcc

SHA256
c0c9677772ec7772b3fd36c374278863224aa38042af93908eedf2bb62aaccd9

SHA512
1fceea9251214ec44c5f0fe5f194f0f76d76e18f5f32031f679ef8d3f7a96ffe872f6071db08f93cf6cceca99bd90953ddd7b6ae857642931a80d9f8e8d0a8d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
bdd071b0d9ab05bbfb23bfe2ee01ef05

SHA1
50341b56830f220ae5e458ccb4b8aadc0492c0df

SHA256
e6a0e75deeb2b13c6e6b2c2001c680020bbb04b8448446baf2c9d72b8e13501f

SHA512
dfba592b9571c2e95be29f63005fca8da9d16d34c85ebbf716efce577c05b672a9f463f925f45d367ed449d1a772439f5472197494d3e347fea1b090664bc6cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
1c24d5428fee42ef751de6409922c6e4

SHA1
2bb783fd99bace8234aaef072cc8bdd8604bcb19

SHA256
754e8d025e9cbc316ac7106de44b9c3b67f4b202fd410f2895d08d23462bcd37

SHA512
971c1fbe3da4f4179b4303037d783cd2490a2b587945e36763d8e2593d7f79ecf9338f1240bd300878d25d14bfdccf5ea60c4b7e7cc428f598ef5d6a5c05200e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links

Filesize
128KB

MD5
8fe9e50c714769a84bb1ebf5f0c6a419

SHA1
14c4dbfce0ffadf8dd00571dfdcaf8a0bc3db6c4

SHA256
316c68ab2412101f357cf1a8239e23e0a06f8ed9ad544461cedc7a8ec35b4932

SHA512
c5f1939973f6d8e0fddf9911f6b2a4f422c40eedcc66046b86008a41f088b45ec5123abb2d91b251c6f1ec00fb307ed0727798d833c7f2336bc780dad257ccbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
114KB

MD5
b438ba5a13fd7119235e9d9adba94ee0

SHA1
b20d0b1dbb53676906f0752f7a03bb20974cffed

SHA256
f57a38483b37980c98b3f455c881f06e9b74311bf541dafcd5991dddce6567c9

SHA512
7f94c00ef09a7e39661985451531258b0ddeb5d14c38457df1e6a943c4ca99a9c48a6153f30563eaa3bf6f8ba69e27cebec57dd10065c8a06bf420c151bb8a76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager

Filesize
40KB

MD5
78224443ebcec5b2dc65d0e71f670778

SHA1
8fa622c8978bae92672ed408c7b4b22172bd186e

SHA256
115529bcab83f99134b2592057cf3b6c45029f08cc650af89463600641a46153

SHA512
b27cf0a571f484d7d3c8b19801792c5196a2f061b33f211a9bb2b3124738fde511fb5ed773bc2034d0f0d0e68ab3d6735158a534b3681c423a17b7d2ea4811a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
ef48733031b712ca7027624fff3ab208

SHA1
da4f3812e6afc4b90d2185f4709dfbb6b47714fa

SHA256
c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

SHA512
ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
715da73e288674b59f43b8c24232a295

SHA1
c9adc500d2a3f01eb63f28ce77da48d5181062c5

SHA256
4d98383125fd834bdb6d53710032714188e100b75fa49b5d02f9105f6ef8c2ab

SHA512
b645b2b5f769b81e1f944df71c29d78d5b959511cc1fce8edf49186bd47543b0faf0ce53e8fe0e35ef010470aa3e6f2ab01a9a93ff86fa4bd62244e9b359008e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
12ec38befeca50d8fb076988f8d971ab

SHA1
6f804a1c518abf171310885828ea56a2272f4ab8

SHA256
0c0746012366fd296c2befeceb7e9c15b27360fb51a68ba094cea6ffb0e2bfff

SHA512
eb3b99026d38d74396de67b7022520a43782d26f2583b2133239d94e407f653fc7e72e84e3236584a1bb0a94c7ccd6e6a5790e04d9e644c78760161376308413

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
120KB

MD5
4f33921ed64eb31809b11c5d010d6bad

SHA1
a517aec5eb1c74e29d75cdbecb25a95c764d85a6

SHA256
6612faddfea3d37d131909d12965664f75ab32165fd9288293563a7922586699

SHA512
f926b95d775179f8104f84d20d201a3431ff3a688ba0c766e8cbf87dc013e6a2a4632ccb5e03653463fade850bff227abfd20a396ba9b22ca5c88cd88506e5ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\segmentation_platform\ukm_db

Filesize
28KB

MD5
903d8dafe7d70efb2ac2257dcd486297

SHA1
c175dafda098db86876db18ed4ad041786fbbba6

SHA256
6bc05db8fbb2fef78d9414c39a0d3422d3a85e036c37405f9fb4af8995800288

SHA512
5911849fdb9afd56b1715106eb6c46a0782e29b99c88e1b08b52fec991ec7f3e27d3c9d34465731ab4c445b4dc5c56fd1b436912fdff07bef4fd2e3f3c0ba339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
128KB

MD5
85c98b065c6270bc244ceb022d435b28

SHA1
3fec994387a2487d40bfeaa8ef8863f5940b0212

SHA256
7b32a58cbb5516913026f6e7154acbd4dc4340f75e2dc8195f0accff0977ed87

SHA512
0aafded44a5fb33619429be235b24f0c81d6940d324d3defd629511418da6678fe303095bb3031f723436f5e38361d68e703a36af3c0c4b2224cb469924a558f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
47KB

MD5
0d89f546ebdd5c3eaa275ff1f898174a

SHA1
339ab928a1a5699b3b0c74087baa3ea08ecd59f5

SHA256
939eb90252495d3af66d9ec34c799a5f1b0fc10422a150cf57fc0cd302865a3e

SHA512
26edc1659325b1c5cf6e3f3cd9a38cd696f67c4a7c2d91a5839e8dcbb64c4f8e9ce3222e0f69d860d088c4be01b69da676bdc4517de141f8b551774909c30690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
25KB

MD5
8b06b747bf45671dbbfd53cdf42b39b7

SHA1
036ab57ac56e3e82e24d25b1e8fc3da0e758dff5

SHA256
77b7ba43678eb41699aadb083add7958be7f1a7d3bdeca68e356ce734bebb623

SHA512
d8545ae12e2ee9da79e099d02e94b227e79bd7d4b79ebb65fae983c68b1234d3556951805a659876e184db92c8575512e84fa850ff2f2f90bf93e8eb17aa7b32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
40KB

MD5
3051c1e179d84292d3f84a1a0a112c80

SHA1
c11a63236373abfe574f2935a0e7024688b71ccb

SHA256
992cbdc768319cbd64c1ec740134deccbb990d29d7dccd5ecd5c49672fa98ea3

SHA512
df64e0f8c59b50bcffb523b6eab8fabf5f0c5c3d1abbfc6aa4831b4f6ce008320c66121dcedd124533867a9d5de83c424c5e9390bf0a95c8e641af6de74dabff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
53KB

MD5
68f0a51fa86985999964ee43de12cdd5

SHA1
bbfc7666be00c560b7394fa0b82b864237a99d8c

SHA256
f230c691e1525fac0191e2f4a1db36046306eb7d19808b7bf8227b7ed75e5a0f

SHA512
3049b9bd4160bfa702f2e2b6c1714c960d2c422e3481d3b6dd7006e65aa5075eed1dc9b8a2337e0501e9a7780a38718d298b2415cf30ec9e115a9360df5fa2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
2bbbfaad6aa78577874d68e411ccad1e

SHA1
d1193a2398142f931a1db4f831bd22b620b96daa

SHA256
d077f7439f75c7a111fee0dfb2b54ceb56554222a9818ad769d20aed687fbc1b

SHA512
b697aac07a10f92f2157db5a0ba3f9ac699b68fef5c3230a239a418ef681c5fda8add72c9e1738c7709a99881bb247391a6c5c510817766bc937bdbda7e034b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
3c43c0b3b2003d9e8ec558c5d0acb3f1

SHA1
3a4821a7ba64c35977c1449939213b05b2d78524

SHA256
c6331a29f2e1e39a07747e53065652886c9fe5bcd0fafa5a8f6c3d89396125b9

SHA512
19fd3aa6b7e53274f01a090015f7831d5d2c35f9ac6a5cf63dc912cb565b4666d6f1c3a1ba82a28d9a57532b52f805d312fa13f2433cef9307ca46a942bb2400

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
d4ecb7dde13af5788ca0db27e678804e

SHA1
13e4b65ffbfa9cdbb886f36317c8d0d6315e6ef3

SHA256
d90f97c82fa25bb1697bfe25dcd63a8b27c9d1ee1fcce1aac0eff4d0dd419714

SHA512
0e58e3029e25b1c3f62ce74c6e211c650ab52ac20e29fa17b834d2b56cd9a826cab7c346146ddb9972c8329551435e0cd76cba3f0aa473c06cff2cf4711149f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
5886302375df1fb29495d9a4277de442

SHA1
080fb335f2cff7b1b2094b905a6966be19c8d40d

SHA256
045114c23544835ef7852578bc7fd1b5c758d72da53d43b39ec93488a82b9354

SHA512
f5d59022c0ec9c857ec323d88df6f0a8842bd8fd83d927615b3802c8f2649eb46e446f53012274b4e68de7113d3e8b0f43ad6c6a769443088afc7d7be137bd72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
548c7ba5a95af54b39da97cbbaa8e815

SHA1
ec25262b5563d6750ef058f7399384f6ff57dece

SHA256
bfee5d4d3162f2f7780b07fada0fe71dc3e09b6a15dd186c993ddd8d265a5b21

SHA512
161f77acb3509467b18bfa76742de9cf1cbc5842433064e10f69bc0808d25fa0361bde0fe31f77798db9ddb009fbd3a9b0d5d9bb9bd248d3525a515dde9e2db1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
8e4369c74173a47cfdc72dec14dc1d42

SHA1
9f9e6f017676fd540d18e18e05ca8f7f098e754f

SHA256
659ce7ee7400e816a4f90023fde2bbc6c998546731801d04e280d966f2166a96

SHA512
44e046c655204e7d01dc091a91420235d7e0cadbcd8162920020e80814a547e7c29cb6ccce3f697f298b022a28e5e173eb93e48c25114714ccee1cac4b916a94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
9884d97ff6772eb1e859e2d82ef0b89f

SHA1
e7e3720336a6c09a37c19333c5055fc3dd4a1bef

SHA256
2a2a4a45b1502bbd59ac04f25a91824adb23d595349171a10030baa3143c006d

SHA512
49e0132a7b0ab5f31fe3f6b2998755522bd9deeddde9e5b04387e64db56d3cb40e6c80ea40754beb802e8e81f1f6d7067c07c0633673a928779abd48b03684e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
f0849cf537dbb4d3b48faba8d0f3d17a

SHA1
3857f038db489522545cd470f4f0bdd03e66746f

SHA256
21aadcd83a988bfc07d6a37566f0c08a888c29e62b9d23127dbbf81f75485683

SHA512
7178c9b7d9fa4d3da5cf0119f43ad9ca3ce7bc22c60944bb4789124d3fa20519b92e8d9c92572f8b599f69414349f6af0a82eed190a97832fd0d148c2a210f67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
56fcf42deff9a325e471790e35fb941c

SHA1
9e65fd4458908cf18ddbd97c2d79f586e42ea732

SHA256
3d01a347f45ab656559915fc07fdc661a34b6b880ca1d297989f5dd41030e69f

SHA512
069c1bdbebb52cf005e9f1dfbe049bce2ba22a6387be1fae4c389ff10fab618b0b17b51be975bc428a0fae38e352558fda018676662930ec0416a88ba3933f0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0ec2922fc27edfda649a3258fc79957f

SHA1
b6712210cbb8a3182421d3f79cc01e6ea8789621

SHA256
4f2c7f58f5d282affd13421ed33105418139f34f2b54fbf11d9897c096657617

SHA512
4093afaad1c0d5fa85273f465337d7171f802800a7e212fb3c9cda405cdd8883f5a487a7b1a1282d432f4323b3e9a9f620a06e2bbdbf51a19b47c622f95b1195

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
740c27d836ad2997ce76edb54a6800c8

SHA1
5005765214464d8fa8ce7a3ec1d32a5b071750c1

SHA256
3e4e5df04ca50b7c87e91fcedfb99ec9bc0a6d693b786126d25cf943dd98e728

SHA512
bd5bef7e4251a8850a82c7ef75885ced1ce2534a37a701f7892a2cb425edf5de9c056f23bc5cdb2584f04b9ad2c31632006486baa8c30b269230ce758e714408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
6c5a2c621deec44cb5ca43e610496833

SHA1
d14c00d33ee9d561eaac0848deca015dff57e7ed

SHA256
5fd431e7983ea16af343b4c2cc4d4de4564b3b007c2fb0d61ebf663c27fa8768

SHA512
2b987b7a48f5665daecdf37bad0695c998877dc9452e61ec31d758bb9d7df0067324c680b55965d9b1f79aecc7fecd2310532ff7e69412aa61b2ba700466a98c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c261953c20902172ba8eb47949979d7b

SHA1
00cae1901b083941026e02fe0913d1d4b6ffad4c

SHA256
771f82f5e42d26bf21da30f53527f4aaaae68b72547f0855c789935bcd4b73d6

SHA512
27560195b9ababd96750fd345b209cd2c7394721b8548016f702cb563abc1a7d7d41c8f379baa62adbeb416528f4cd5cf350b8f5fd0093674ca5ead3da745950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
07ec3f3ea4c4c44d7b59bdc98348399b

SHA1
5a3fba63f9076b8d13830b83694f4780088570ee

SHA256
1d2f21cdc5728556ba9b72afd8cf534545c8a18002a3c19fd2bd26928c9729dc

SHA512
d626086c503219323054c5578e34091b4311c64b85998bebec848c7a8814af309bf27218eefcc5e3449b8bad2a0d5d22e376d4c123c6d853a47c7a781b4e424d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
18f955cac7300a556cbf168a1221bfa7

SHA1
2f09a423ffc8b3072a024d3d2d5d774e606c78cb

SHA256
96acb31ded30c99cd5525b0b2786b4a746e3755a82602d7c4911747b1504cd5b

SHA512
5ab93e70ae4859f57e28466cf5a2e1c1c2d336fd7b1b5059a126e12af5aa223ad1f69f3264d8f40440683b10dc801f5ecbbfd4e507b5803cb57664c298d85f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0c59f8b9bb174e68e273f7389d28ddce

SHA1
a174129b70d9d193f3e3007dba074303b4fa4663

SHA256
970775e80abcf5d960bce688a731bf0b0e3698b76e209d23df4866a84e5174e4

SHA512
a1cd030fab789ae43f6a8de58e9a04d6132cd978b173582753f955d3a8db76d512856521548beed406966d4e370e5bc97765a894a07685b33a8bd00c3242f9f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dde9c1471871e8f77399bc646808e646

SHA1
7ebc4b64f79f318f39aa40eda9be4d0c35af387e

SHA256
f259faf2e27fd8e18bba259051b0e655acb6e3b6aa47238b07cafb7643bc7083

SHA512
fac00d16ec16d87f009ad8f50294b01594d51d71c15662dff56efed7db97c5944ee4b8570402b28b3204bee81123fb3f74113cbfebf5af88fa772592804c055f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1590071843dfdf7421917d9f7234b169

SHA1
fa8b1cc8ea885e3e9f50894f4dde4e11deb36366

SHA256
b49ce3698aefb9f7837dfef7785bc91762760cb0d26085e9066899f5e5b661e9

SHA512
aa6979a3dc82fc3761968400cf38df20689606eca1d7e1c3698c2bdebdd3854461e260a083a19985d577d645ec89ebd783b8203f2155c907835283f46c82c403

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
084f8c57b3b2781ebe0a91a8b5d1f48c

SHA1
9c2514d710213c38a8af5f2f0b863e71f6ad86b6

SHA256
dc824d179791afb9bdf307ced55ef220b00b138f0901fde8c567013dd85ec6a0

SHA512
db49f4d7fdff1fb271ff4b871e331ddfe936e0247bf1130c06220bcfd308f3d7a8fb46374df12080f89437080e76b5681ec79d923a69c283426e71c247dd60e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
642d5ea6b32b6ab3d31b51202f554f13

SHA1
8ec8cdd6fcab09139f04a43a8674e61aaa1ae348

SHA256
bfdd7d616ac3dde2042d614a350bc0303b37902e41d93311ddb20544ff525d51

SHA512
a35ae0aa9c606db5348d99a4b25b6bc78bcee4e0e0dfd0e6ffb83719f3ae93d8f4ca437c1fc686c4965b249149899a064b2dbf3e8c50e1099b37852f6dbaa97d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f0e28695e7c6808b5a1f80407821a9d2

SHA1
027ff4e192a017578abec80f9df77369f430a8d1

SHA256
6da8c0f9309edcb4b80c4bfdf9c619c5884d17b0125a73baf544d8f2b887d6ca

SHA512
37808bab66806f4a3635295df5f9a5c2a444882bbe29dbf7a45cc7ae521dd4e1cf54fd37cf1c00b37dfd108d40effbd09abec358214984df7cb318df3884e886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e2f4fedf619d29a9964db628228394cd

SHA1
11d72cd1233683de197fa33612cfae7327e37d3f

SHA256
aa4ef4320389a4d35d23d3c967e38c13ff00d95e4f126487d4ab4aecd1f4a805

SHA512
8a07e38445db9fa937444433c2362fff3780d246ea493dc3c1a8033185e871ac97f59a3bb1ca60ee5da4a5390e44704e4fbb17f6022c06cb9dfa784bde89426b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe6d2918.TMP

Filesize
538B

MD5
95a7c0eb28a5f1d94bb71a989b1064f3

SHA1
9ee6304caa24fc6bed76c0d26be5bf964695f287

SHA256
02013bd019b38451ecaae4e8c72eedfd76fafec923441e4c054dccfa7d931aa9

SHA512
4e19050b75771216f3e96ea1546ceda478ab33706ddd24b4a9beca736e75d93dc38125321785ae19a07f6618dabf572f95726ce51a99876b09cbbf2291a07404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5c82fac4ceb3b038e96812ccc8cef9b9

SHA1
a59a36d2a7bd949e1f56b9f2312e7db86ecc24c5

SHA256
995de383cd63b4325bac4fc785c307784f0cd155650553cc4b911b42531b8059

SHA512
4fd1485f31ef5a18a545530210909a46a20591b3c8ba4301c7c2748c812587cef43fd9b1f82ec0a038bbe06deb121e963e68b684e27fb8ee54ec17bb71ff6559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
37edf9a172dd1f251dfa6edbfdaa951f

SHA1
63159a357a922ab04ee0853f82f519da044f2d55

SHA256
4517e7c741c66f7b5d6ac7c53f5da1932b9afc50856ae6a4eae25528a33df8a3

SHA512
c24e43b5a6a2a4f1b829aa330153b0a6b844d40f4b95ec54a0e9f8b1305e92d795f1278dd73000aa139850567250aea3f302548009efd3727cd0e724ba68f111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
576KB

MD5
b82b3a9c79a22958b76a307a42735a63

SHA1
5358be8e1e4248a979327e8bbafae3aab556bd61

SHA256
1555bf5019769bd6bd1f78d2632e687a2090f9e0719aecd985b3f5f5dfc10ac6

SHA512
68c38287e6f70b4fe55c51d1626899a6344b0d753e1694c503c44a2e8dc56144fbe6bd0044ced4bb2f2b51f08447330a2c516da5487ee2111b1665ce20a5e171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
68280ae43b0151ea41119eb630da5c4d

SHA1
a51c724623d4eaeaa9ad2516d262bfbd1a5da5c1

SHA256
d5ce87d94391fbd9a808b4779f4eb0048af2869958282f291f976833a969b989

SHA512
51eba241497bb78cb3dddddc5f2a5599855d681ec651c0c110b8dfa820e54d899ef6410e5ac7cb2e6d596a8a0df0ba620e78df99741329fc997b2a6900fc21aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
2a8331a2b31a83d2770acde9e6ab295c

SHA1
f0a300b997130b6d8b8b9a3d3aca40ccc9e06c97

SHA256
b77194e557e5715933f709f5518ad5d94b872cdc7147a04567f5f35cce06d9f0

SHA512
c756334b04a85cd2bf58e27e1813dd7e25d514f241fbc89f9ee58e0ceebd244ab75fabf2e65af0f81699c1e683e613877490f575657084321d9647f7539165c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI385E.tmp

Filesize
421KB

MD5
6425466b9a37d03dafcba34f9d01685a

SHA1
2489ed444bce85f1cbcedcdd43e877e7217ae119

SHA256
56f8ca5b2079bc97a7af9c015ed4b6163635baef0d9a287d19fc227fc330c53d

SHA512
62f4c79d165282db14b662d4242a065af4c8a642f2023032ab5a059e2d6001f0b80e9a0562989013acf01a80a67491be9b671e6bd99220cf9d4fb44a17719371

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2908_1433047804\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2908_1433047804\a42ec592-ce5d-4758-bb24-3e8660378263.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
add482fee24447fe9a436e2bb1dcd2bd

SHA1
2b4403e91453df66b0d33dbe5a62a7b4d9a03ca5

SHA256
5a891588f5394a3e16118492f4eb21c96f969722dc4a17aec19289bbf975562b

SHA512
eb1ac558118005bfc90ab8c60aafcadbfc37ba5f746ee7ac42a966bf79a588592f60d5865ddbcada8b9b267ef51fa9b63267721f949eb59a96f1636284e76883

Download Submit
C:\Users\Admin\AppData\Local\Temp\{09EAD19A-804B-444F-B17C-15F8C5837E63}\BException.dll

Filesize
142KB

MD5
a2d4928c9836812735b3516c6950a9ec

SHA1
01873285eec57b208fa2d4b71d06f176486538c8

SHA256
79ca108d5c51259d8fb38ed1cfcc5a70e9cf67a5954e52a4339b39ff04fa20c8

SHA512
d03964a2bb597bf0fdefb787de3b462010c4cd02d286b16587a03b5228553a307d1b8f472c312e0d8bb53f21570aa5b112d85193cf42b83ef33fb7905855eba7

Download Submit
\??\pipe\crashpad_2908_TVAFIOIFPVUSYVAY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3396-40-0x00000000048E0000-0x00000000048F0000-memory.dmp

Filesize
64KB

Download
memory/3396-41-0x00000000048E0000-0x00000000048F0000-memory.dmp

Filesize
64KB

Download
memory/3396-38-0x00000000048E0000-0x00000000048F0000-memory.dmp

Filesize
64KB

Download
memory/3396-42-0x00000000048E0000-0x00000000048F0000-memory.dmp

Filesize
64KB

Download
memory/3396-68-0x00000000048E0000-0x00000000048F0000-memory.dmp

Filesize
64KB

Download
memory/3396-58-0x0000000006B00000-0x0000000006B10000-memory.dmp

Filesize
64KB

Download
memory/3396-43-0x00000000048E0000-0x00000000048F0000-memory.dmp

Filesize
64KB

Download
memory/3396-39-0x00000000048E0000-0x00000000048F0000-memory.dmp

Filesize
64KB

Download
memory/3632-2117-0x00000000032E0000-0x0000000003307000-memory.dmp

Filesize
156KB

Download
memory/4408-2162-0x00000218FBFD0000-0x00000218FCA6C000-memory.dmp

Filesize
10.6MB

Download
memory/4408-2163-0x0000021898000000-0x0000021899016000-memory.dmp

Filesize
16.1MB

Download
memory/4408-2164-0x00000218FCF10000-0x00000218FCF16000-memory.dmp

Filesize
24KB

Download