asyncrat | 6bf16a7e4243192f646af557655c39a15c45e0f54f4e926630f0dbc02dc95fda

Resubmissions

29-11-2024 04:20

241129-eyl17s1keq 1

29-11-2024 03:47

241129-ecdgyatkgy 10

Analysis

max time kernel
1788s
max time network
1789s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
29-11-2024 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PLEASEWORK.rar
Size

32KB
MD5

86117256ec6c1c3431ef95922b4b80e9
SHA1

fafede09d0724b67ac485ae1b071656aac384420
SHA256

6bf16a7e4243192f646af557655c39a15c45e0f54f4e926630f0dbc02dc95fda
SHA512

1d073b501d155d56e18b1d3fb6eea9a6c7038b9ceeaee2ceea586f4611bdb2bd422cf4df2f9eb94f11280c8143ab44bbfd97957752a7c279690c3369ee6f0908
SSDEEP

768:KMcHcEgoHntlhY1jtrK9sZX8pho6IbXjWp1LGbhrK:NctgeSXe9qqo6yZe

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

192.168.1.15:7000

Mutex

sfesfwssfds

Attributes

delay
1
install
false
install_file
dawdasdawd
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x001900000002afe4-1195.dat	family_asyncrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133773257355406952"	chrome.exe

Modifies registry class 37 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	firefox.exe
Key created	\Registry\User\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\NotificationData	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\dnSpy-net-win64.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1284	chrome.exe
1284	chrome.exe
5844	msedge.exe
5844	msedge.exe
1104	msedge.exe
1104	msedge.exe
4604	msedge.exe
4604	msedge.exe
4900	identity_helper.exe
4900	identity_helper.exe
3920	msedge.exe
3920	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2124	7zFM.exe
1568	dnSpy.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2124	7zFM.exe
Token: 35	2124	7zFM.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2124	7zFM.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
1340	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 3424	1284	chrome.exe	80
PID 1284 wrote to memory of 3424	1284	chrome.exe	80
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3152	1284	chrome.exe	81
PID 1284 wrote to memory of 3160	1284	chrome.exe	82
PID 1284 wrote to memory of 3160	1284	chrome.exe	82
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83
PID 1284 wrote to memory of 1600	1284	chrome.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PLEASEWORK.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffedf78cc40,0x7ffedf78cc4c,0x7ffedf78cc58
  2⤵
  PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,7896360213243758598,14810968907994407812,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1816,i,7896360213243758598,14810968907994407812,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2088 /prefetch:3
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,7896360213243758598,14810968907994407812,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,7896360213243758598,14810968907994407812,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,7896360213243758598,14810968907994407812,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4352,i,7896360213243758598,14810968907994407812,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4464 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4724,i,7896360213243758598,14810968907994407812,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4788,i,7896360213243758598,14810968907994407812,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4128,i,7896360213243758598,14810968907994407812,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3304,i,7896360213243758598,14810968907994407812,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4952,i,7896360213243758598,14810968907994407812,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3408,i,7896360213243758598,14810968907994407812,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:3596

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4016

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2484
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {32710581-426a-4be0-88cc-a8b9eea425df} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" gpu
    3⤵
    PID:4716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2360 -parentBuildID 20240401114208 -prefsHandle 2352 -prefMapHandle 2340 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8cb202e-b332-4365-a96e-9f3be4d8a97d} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" socket
    3⤵
    - Checks processor information in registry
    PID:2468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3288 -childID 1 -isForBrowser -prefsHandle 3280 -prefMapHandle 3276 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77c76040-fc4e-4ace-985d-0a2da5e28480} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" tab
    3⤵
    PID:2412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1436 -childID 2 -isForBrowser -prefsHandle 1496 -prefMapHandle 2720 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1441b52d-9573-4f9d-b7e4-29f42097f537} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" tab
    3⤵
    PID:432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4228 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 1568 -prefMapHandle 4216 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed942e3c-765e-4a88-9168-3c307a5b2b4d} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" utility
    3⤵
    - Checks processor information in registry
    PID:5176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 3 -isForBrowser -prefsHandle 5564 -prefMapHandle 5632 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a3ccc4b-6062-40c9-98ef-d5e78f04cf2e} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" tab
    3⤵
    PID:5928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 4 -isForBrowser -prefsHandle 5724 -prefMapHandle 5728 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91c24b77-1059-4fce-ba08-0aa55a907b0c} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" tab
    3⤵
    PID:5940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5932 -childID 5 -isForBrowser -prefsHandle 6008 -prefMapHandle 6004 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6114d57-9047-46e4-b18d-7b6f35288c4a} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" tab
    3⤵
    PID:5952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6472 -childID 6 -isForBrowser -prefsHandle 4252 -prefMapHandle 6412 -prefsLen 27276 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56445af7-81fc-4b36-aef1-e34ba2f3a269} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" tab
    3⤵
    PID:5572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffedf3d3cb8,0x7ffedf3d3cc8,0x7ffedf3d3cd8
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,14873798241831889791,16396911336164241537,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,14873798241831889791,16396911336164241537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,14873798241831889791,16396911336164241537,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
  2⤵
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14873798241831889791,16396911336164241537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14873798241831889791,16396911336164241537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:5912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14873798241831889791,16396911336164241537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14873798241831889791,16396911336164241537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:5616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1940,14873798241831889791,16396911336164241537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3492 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14873798241831889791,16396911336164241537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14873798241831889791,16396911336164241537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14873798241831889791,16396911336164241537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14873798241831889791,16396911336164241537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14873798241831889791,16396911336164241537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14873798241831889791,16396911336164241537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14873798241831889791,16396911336164241537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14873798241831889791,16396911336164241537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14873798241831889791,16396911336164241537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,14873798241831889791,16396911336164241537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14873798241831889791,16396911336164241537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,14873798241831889791,16396911336164241537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2924 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,14873798241831889791,16396911336164241537,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2528 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3332

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4184

C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe
"C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1568

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\10a2c3e2-35d6-4849-b37a-88d5b92eb98d.tmp

Filesize
9KB

MD5
48eea75371090155294c06e497561b5b

SHA1
9f576ad710efcb098d8dcdc23e52657155b0745c

SHA256
994c9f9c7f76d78693c4371f05adf93aa07dc5856a2dbe0668929840ee6b10e3

SHA512
17f1ab8906681637d8bfff2fb79a9f7aa9562f24e609cbd14c8fb260a2f8146466f689c576a35ed10ff1934b3e54142ebfc34a6f88c20383b85cb5a50eae00ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
30bc659f056c5a92ad7c07ec7bf4420b

SHA1
7e8452e117a93c570bf3fb079acdcec807ed2cae

SHA256
17c90070caf4d8f1d00607753fd28b345943e7c846a28072c7e6079345f0cf95

SHA512
e1b1e1bcd87edf1c78ef516152d33b514b7cd85a27cfbb9a42cc1a876e9304efd240cc39207996ea4f35737ed63cfa963f0a9df28def6a2654be87027e204148

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
41KB

MD5
e319c7af7370ac080fbc66374603ed3a

SHA1
4f0cd3c48c2e82a167384d967c210bdacc6904f9

SHA256
5ad4c276af3ac5349ee9280f8a8144a30d33217542e065864c8b424a08365132

SHA512
4681a68a428e15d09010e2b2edba61e22808da1b77856f3ff842ebd022a1b801dfbb7cbb2eb8c1b6c39ae397d20892a3b7af054650f2899d0d16fc12d3d1a011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
47b9c6de672065f3ef38f8766887cb17

SHA1
ea8909debf39116a054349710444489e13aaec60

SHA256
0999acf575388f36de1c583636c55f9590d9cca3c441061bab31cc93233826ce

SHA512
8a66377bfa01cce1752bdb616c2f8febd39be6117527605f528fd2e123154c95408fc90a99700736138c6275f25a7c44a5e95ad9fafd0819fcb1b1bc80e8a98c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
7147d25a44cdfdbeb039d8ba437ecb0e

SHA1
513b0f932951f22c9ab962728ce18f36f49bf887

SHA256
3036a9467c8978d75b856c99c93913a573e27a51ef2539076f916ffb2e75ca3e

SHA512
d6ae63a270a0d08c7b00e4927a089d9d8c731be02e14b5d2ddbb4149b8898941f9c9ad372bb68270fb0911fe57dbf6d0fe84cd3102979c259322de55af319463

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
bb6fdd2ef5071755016fc775c71779c7

SHA1
3a59513e6a3a7745b6bb422b8cd084b45be6ab23

SHA256
bcb2b43ed7d6b18ed049556d63c61bd3e8ca3fbe3d93bda8b112922515a1981c

SHA512
c792aa0246f8342fadc112b6107f7add4d389ad7f84f6f2d02f0d41441a46d11717f8bb25547afbea858bb05a67e581cfd492cadb705f7489c5ff74e7cdad22c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ba08eded4a6f6e8a27dae9dfc35c87cc

SHA1
05764a7d644bfb864a6dab9caa55c7f5a622722f

SHA256
74d635938d4a6908604a08f06e4739654893d797afe83b4acfb06a761c1d7f44

SHA512
b269eb7a21b328aed4a7b03ff8f04e8a96e210379c05662de91ceb8205b5fb1ec0d9fab6fb9a0d636e97593cb2070fb363d5c7ce43366975b4430fab953028b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
415a6e0c85c2e4e85cf6db3a4a5708d0

SHA1
294ab6f264038b5b4de200731dc25199168d951b

SHA256
e7a7dbf5abc7c1aba15b090f7c74840e8392af7ff301c0372ee5c36239cb07e5

SHA512
793b5533703d44a6a627c4aebf3ec597efd0e3b874150d67d697d51f2cd89a5d1ba0100ef28d86ed9f3ac6373665e0ebc6214a1d7b2b9c7d18315b735aac812a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
4c19818d31fb70f2c6492dbdf53e62d4

SHA1
e23697bddc51bde0ae30c55f209ad3d255d42692

SHA256
f1c71c4b91d12be17f487c36de4d84a06e5bb3f10fca99eb08474bcefb4c8140

SHA512
c5eb90be79ea48c3a598e3f4e092b182cdfdc5954730b18c8e57d133225298c42f8fc7f4f6a6ba1f9e015d0a277591a72d4c3a5d3e6344c85dd8b2d907998c02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3b48776df524d91cf7e50e818f3d3645

SHA1
bd048bc4a371038dd23dc4b9d1dc4eb4f9500a03

SHA256
6a61aaa9f1f2f3d119426cb209c92afb6b202bba54acc0e36af21e61d6af141f

SHA512
4abeab696a8417d327f23f6df0d9f82066e2ef8b63529f433fb4792c83c1dc7b4e97c90cde1e80f64969ac8e1dc8251331e66506b29cbe0e5b28c8ba6f8b1a77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
82dae3e1d8cce4c00c5624bf02df135d

SHA1
e1d1880a9d9254a432692590e62be36d2edf6bbd

SHA256
b1a6d1a059331b3c3884e49e760f2b76c6153010c172ff3c20bd2ac0f3f6b5c3

SHA512
06ceb5d0320f7f44bb2c1ee953668f1e6e9dae5d8d3c2d8d7a1bd482fd044f6e482292b89815d48ebd002c4a59ee636716ebf0de1747b01b69cb5f38717fc80a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
104848f99a910924a0531b89ea5bb718

SHA1
41e415d75e74e6d999a0e88c11f88c2a50721d8d

SHA256
aab4e189a21e3353a551eb9e70c510fad7f93442cf93ba8fad69bc30c39cd18c

SHA512
c0999947533ab28c0306d8761c136c676c92d2bf9665748446dac718e4b3e13934b9ace79c2bbd39ea650c3eb6f9e4cedba9725614a4e375df38891dca6f38d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eaaff1fc6179fc71cd3ebfe5f1db3120

SHA1
fd64af37ba5e15b569df5005acfe64482076cf34

SHA256
bd9513bb4877cfbfc2bdf48b7e728a85ed5515174bc0b0cfa4fdbf6a76f0d11d

SHA512
1145dde81cee700189e8914be1b7da5f1851d273d684c548708eb40cf195dea06df25a69187851e3e9f7b58efc78d5f12c73533326d912332d4afb885f485f93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
76f76394e257c2ce3fa447291cb9d710

SHA1
207001c746a54486efc37fcb5219d2bdafe67542

SHA256
ede87238acd95d89294b8b327c930137b6e0d300ba4f7516bde709084970ff2c

SHA512
40ed81e43aff44fee22780346d368b58abfafe7c1e0fb43d8250dd94371eb7c600b3cbcdc2a78aebffcd776e8454f05dc691ad5cfdab201e9aea055fe9411f4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
118682581af354c41804e465e0f989bb

SHA1
f3ab90a7402cd22649035c0e63504ea996d35573

SHA256
70cd24808468ec529d0ff35cb2a931eac524278f0ce6c3c00c69ef8cde40e447

SHA512
61507684ba19baf72bf2628f55b1386d3658932bab9e3d479ff156a04f4170f557622785f7b13aaeac34809fd4283a3c0c06eb8e13ddc1369c5e09e47e77c80c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
056da9a37a3c34c0cca9879a2c84f5f3

SHA1
8c4045c1112587423ffbd88ad2d9733948278086

SHA256
2a5a99893d0769d23d54d24edf19f1141172a4de612ec2fce9b1e3b3482960cc

SHA512
09477c798dafe7e0a334371ff22b7e34457b804fbf482e28a03741f35a67ff60710383b89e30def46e8309d26dd05396316879bd210df4687556c084cd79ee53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
5d00cb4906495a226d5604c26ec6e865

SHA1
93ef44be832c224141c92fb05fc79b204918dadb

SHA256
3cd229ff12441a954fae5ae1b6f727c54a609d7e157c88c1be71b4ae75450ae2

SHA512
f0ff26e06eb1d1b60b2a170141706a7f77fa2daa4e8eb1a0d09b52d8b6b7f429609f6ded6f52021fecca5c7c67a47cdf6da7be5ffefcba73875d7efb4fe5e652

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\addcd7cc-2046-467b-b793-090d461a1b7c.tmp

Filesize
234KB

MD5
e0c7e9ecb49e6d6d847f284bf2c49bf7

SHA1
7cbe6a488c4514bbe72bef018881b931cc61b985

SHA256
f3ed1d50334d7dae828b57d6dc4da5f3ce7a2227d8feaf5307dbd75b069cb1b2

SHA512
1499c223d5edb7bd8e4a79b968192ef20bb0f1a4a2bfec0e5e9b82a73fbb8414fa942bed86a0f76d60d0a6ed9c67370a9718891191ae285dba5513a4ac251079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
02a4b762e84a74f9ee8a7d8ddd34fedb

SHA1
4a870e3bd7fd56235062789d780610f95e3b8785

SHA256
366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da

SHA512
19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
826c7cac03e3ae47bfe2a7e50281605e

SHA1
100fbea3e078edec43db48c3312fbbf83f11fca0

SHA256
239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab

SHA512
a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
a6ed9896cfabbab7ffc1627971cb101c

SHA1
1a4bfb104a5274c38e913085e12176b583d61c16

SHA256
65b205f9796b52b14efc9e107bf2114e6337014261a1c751618ef09131aab1dd

SHA512
deda3f023c290b1d650e8f13be5c2b251e9fa2d1d58c6846334ede55e426be0c1ee79827c8ad021a88add06e85d08f4faef971f84c9291d41985d5dfa4e0c14a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
854B

MD5
1c20dcd62cd260aa574a7d363a5f7266

SHA1
3f89da127cc62e5b3e7b4289939541b478738e0a

SHA256
17777b7a06453ed925706f1e2bf20e9937a01f33ef891dad415abe6acc0bb98a

SHA512
2700894907281639c2c5a648c7431c247f9f9e9e7ad848dbb42bb5babff5dcc6b1402c1b47296b77f454b02d3dc89c15a7c8592ee325676d14f456a723d351b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
854B

MD5
11b0312bcc7d677e99d197a60be83b68

SHA1
5dceb402c32aa04c1b6c2eb1cff78ca770110ef5

SHA256
d35235d38d835957d86e0db314d121d8b237c6a1d05b64ff8792ad4becca03c7

SHA512
b4ae4f43f176e46162380c88ca09ccc366ee86541798d83c8d0079fe03fa4dbee233d2fd028472d2071d9048392278af0bad6cf2a1856be379001afae36d4c9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
919399965085c74f90d6c60fca86a883

SHA1
6fdc8d907e56e4718add80e1222159630922c700

SHA256
edf9e9b91e883266553b7cd280c5956e3354a169a7d889b9276d9658f81bda92

SHA512
2d02b57b0b169dc28ee8962f404c9b9d86c8933f71c21853aa54193babfa1d430535da83bde42f54546f73792b7d52abfd8645174852ca770745f0ea0dc86b2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7a67af14cdcdaa5c6777460918e21e77

SHA1
55c7e052be664d35940355066ce70c21be199c9f

SHA256
6a737eb7b9b6fcd250a28cfb912ddfd222b02ca5570ff791d28a5454f0d1014a

SHA512
af36912779585fbeee738663f032efde562c086b29247e4bc01b2b371d6f70aec8005c0415a6012df24638072d417b3d194150b03e38b94ac5477849cc0ca3e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
24bcca846e1cee820ca685777fc28a19

SHA1
9f7190c9678172ef880781110332eea11c76cb7b

SHA256
25861f6924ca54189fc9a660cd8a4fb6a410dfb07573f672204ed999e201bf9e

SHA512
d308f98202dc387e7f90a2699cf968861a727b984c250661d77cccac3bbd551a4845a674034ebf1589bf27e1ff49a1848c7b667ed9c3766de78c437066b49cc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1b62bf3e3265625e75a46bcd9d9f0a6f

SHA1
f13ee0ed91f82e67745caf249aaaeb9b49ee4208

SHA256
ba2ae2f01c2a26cab8a3e4709fc617e90e9c02bebbeb259f9d82725025733b91

SHA512
8be5a03b0199bba91948a0386b7f2b80a5a730911935c600929bbcbd77da159618dcff52b5f24c89ec93b2e29427e03b7927c779f08f4cead8a9c2801d6e071d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593406.TMP

Filesize
1KB

MD5
79ef5182759bbd7b909ad6307457aeed

SHA1
c2d58c5b6aa3341e599f4363723b4923f1a20e37

SHA256
39d87fecb1a6c5325f5a9b449127d6cac4ac9c9159791700e5c4f05ab509b3ff

SHA512
9486e2041f733081056dca535e1852db5e088c973e61394f4e34846c8f0b300ffb3488f20af46ba80c95d59c7a88f270678119adbc616c6cd12daf29da8dc1a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9445ac1ad8a2c07e6ff288991f40ad67

SHA1
e120f504784000329862a3923b6f6af8a1ebfb04

SHA256
138e7c7c130cee68f1cd5ebc00dfb1312e83a3d2cdd717fdc7d18448f4ef4102

SHA512
3655a7286f38044811070632e7a5087632bbcbc11901c66269860753f82f5e540ad0473f77f7311ebc6f8f3a98378f6acf1b0fc88bb7c9a0b3d94673427e2034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ff00f2a3b286d8b537e6fc891c661dec

SHA1
5e063b4dadff7e5572eecf368e3301c92a267066

SHA256
b68b549f408e8e8887019c7ad03fccb751d804540dfb98801882cea9a62d72f6

SHA512
ebe2645fc81fda40b081b697e758233b31b4810b9f41aa911b8aa9dda7e6646e2c6a136343e6d36ee59187c2540198584ba08a545862f6cacfaa65a3b4f20a53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6768d427f9eb15682664922cf7566f9c

SHA1
ec10fee42e59bd65ef2f9278e046b2b65743386f

SHA256
49d55e4a2cf89d0af8ff3a38674f5b8f46baed4f0c7962171cd8a8f57cfb11dd

SHA512
3f5059ca07dfbc7e99c2466563fbb4108a9a8dbe7f903158440b2dd212b14800fea13e97b31d78623d38487dc6eb03beee8a79d8403bdb9246d368b265c23fd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4a24c6a99e84d7645c50eee2cf0a7b5b

SHA1
d83e5d1dac8584fda19bb986161d8baa59272558

SHA256
778e1e83f1d713695dce066c2cb66f0cd56b1a1ff3792af409738fa4da6a6394

SHA512
9b9e343ec1163d2c140e03a37a8ca52cd5504e3ae812718bb3b2ea3751d99bc8bf8baa0c86ed68921f7a62f200752e746a58cd0f52a04039854c3e19f09b628d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vo8scey3.default-release\activity-stream.discovery_stream.json

Filesize
25KB

MD5
26fcc636d2bfe6650038824ac3c323a7

SHA1
d696ce865244a85d7f8b8b4e8970da7912dc755c

SHA256
e6c741deccb0868e8f5069db9e4c0f57c92508c562ce1f4925e5b77f5e22bcc8

SHA512
7ce8aba0f10554a019db95f3b05ea7a5f932f268cd4e2c39e4f9d31d1ad5149334b02b0f14926ef4b63b6ed7ec7a3d25013bb88020fa1ec531b41c4d55bffe09

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
ef4d9165f280b4d556f349f896b81ce9

SHA1
ddfe1709a292d9900687d4fe0b4c8b2429d848a3

SHA256
8add12630f4210146f1c0f543e34f61810eadbb6759b6eb3a6303337155c9cb2

SHA512
e8b2c08605f8c3c9eaf0a8f905e65829ea2ff4e0d45c79f171ff685e80fc74e4f7858b4975fac8ebfd4dc3b21a14fe571e446889d4022400e84d8193053152ac

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
71a6b59e08e25451e52675c842fae23c

SHA1
565a97673954a9209c7a05fba20b89d10b88025f

SHA256
5b96212d3d1347b76c8c1c64b2f7ef981242bedd3b84b766b543d56dbbf8dbd6

SHA512
5cc98eb2aa02e2e69165170451d89dd880893e6b07440bb84fbab6cf92cb558bd58c2235d8d64ff43d380c5e9869827800d310ee67950bb21b498d89fbb5aab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zEC48DF75A\PLEASEWORK.exe

Filesize
74KB

MD5
f8911042578777535d8ff96e497fbcdf

SHA1
63e7762081770fedd0ebb9465b08016ee7c8a3ce

SHA256
1d46fb2030de3d9ab05245b734ff0970b7207ae7e8201e64536fe2b533cf24a8

SHA512
33617dfc0bb22a3a6f18aaea59bab9069b09e27445f2321e1a3fbe5858a96e2ebe5f88c451abbd092c86cd5225de463540b7dfb75f4871f5475e223ac3031b21

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\AlternateServices.bin

Filesize
6KB

MD5
6726890b36945a65a42ef06806808db6

SHA1
e24e0062ceb5e40f2fc0fd2ae2e9d6e094894f0f

SHA256
7fcda7a7181050296584c4ce089e3e7722735c4633e8d388c64da35a9eb187d0

SHA512
7eb2931065b66613073abfa7c0a988d209269fe5eae4544b482a42a30e86f466e6bdf7e595b8d7a6481e6b706067f2d18a08fe8714a68056b4c23ce9bb071034

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
7f26c00ff5819409d3ddce7ef4dbfde8

SHA1
260e0666e958400187dda5c00fee03953ad5a2ff

SHA256
da5e317b9e4cba6deb5e333f25ce93ccfde5eeb163844714749de9740526dbb8

SHA512
f1b38b038d5192967fb1fcfd85c78d2be8379c3e15030e88c76e1a6a72f60e56a624399494b1e87ee7b975622524681d6372b4920de61b48b0a2180e01daba95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
496143671190b0bd9e8cda9861cc6790

SHA1
9a07c7c776adb4d8355683fe9553e012db0017f0

SHA256
2faf5e6bebbbe7a951f030a254fd6f5891add0fa5cf1e86c3432131fa20c3ece

SHA512
4ecd1beef4f3e673895e396fb36d6a00c8b8116af397b2b1caaf38dc192b36018b841bbdfe4ed89eff7616c80c290db1eddf3f1b842418067d2f2cd4d4a3f15f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
f99e4be983519b4ad0cff7b657c87fe5

SHA1
a84cebccb0fe7ae07fd5ecc791c59c3687653fc6

SHA256
b89711b57f71b803f10d7440c3a24fc54c9cfcc2111f92a54f34ade2ca6f537e

SHA512
08f0a1745b77fd146ce1733e29ea04bd27e0fbed69e48d6c841822ea38c4b56ecdf71a42d665dd783643e08acd08363a0f0dbdb32fa3079ac1c2a9085c2338a6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
7bc29d265cb78628a63f0b24eee74173

SHA1
4a9edacb3a0e558bba4430f01abb2803467072d5

SHA256
574a9bbbdf9f1aa7409bc67ae7091891e773174edec2e0d43996208082d41b41

SHA512
6fe6d3365a5eef235772b80cc4172c1ef87c26e6dc49bc38503fd69af3c58ecbdd6e20a61248f51d9f428cedeaca0cf6b68ff3575036d839b1b7ade06aa0da0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\71ec26cc-f596-4c00-a5a4-07341c599021

Filesize
659B

MD5
01ffcb9bd5c72821f6cb3f1a4b0b8bdc

SHA1
5bd74e32082b852ce570c64e4610278dcf5835e3

SHA256
ef7ec40e0911681de0b05c0990c51b5186b387896781338294b5d7ec2940b5b4

SHA512
9e375196f104a79199bd346b11a55746201d2c58893a7689c727da98792b42bc9518e16b653072eeeb24ec05d592a80693b62565e716f64616e5acdd5d34a617

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\89b22dd0-0813-41be-91ea-825119cd5b9d

Filesize
982B

MD5
3e4f7dd7322fc77a8ca33f41432f7658

SHA1
573e34a228153bc882398c2d85bdb83d919629ae

SHA256
32b58c8a87632912c3af49692ba3fd9c6af448380ca94b2169fea3db5be0fdd4

SHA512
3880f55e6cb0182c31bcb60ba1eb483e486c607521b9a5d21cd8b8d989c95270b08045e6bad952e322890e1a47375fcb5d9aa9ffa8dc526a635923d6269a3f65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs.js

Filesize
10KB

MD5
ee656615854b93edc172f0f7c30cfaa4

SHA1
4ddc2908a3dfea392ef238a11835aa6644119fdb

SHA256
9bb2f67fb8f2bf4d267e2ae857c53defb31aee866ff30de39d6582fc652cec8b

SHA512
601350218f7c48cf75233d14b872e0849fcb94ed4d76a02abb54f01b0a4693aaf25416015242a442b40bb1ccc63e66d5fce978d48d5ed844127e30d9d5d6e03b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs.js

Filesize
10KB

MD5
6723e30dd361cbfb416c955aae94bb02

SHA1
7a2dc8250b40b531c4f9ee27b5ba9f0d906627a7

SHA256
253ded17a619fe74c6d44833deb74868fa211cb79cf7baf6c340ea08630f84b3

SHA512
e9707c5c649987c07bbf50d9349c7dfae6fbd4aa2e4863acab2c7894df3aaa848d68b917d157045d9b1a666d97feb304754c25bf79d354c39cb4f060e9225374

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\Downloads\dnSpy-net-win64.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit