71bf189ebc55138bfce56f63efcacdb2f277d53215883fa0895810f8403a2d5f

Analysis

max time kernel
300s
max time network
304s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
01-12-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wix.exe
Size

71.0MB
MD5

f2dc07d0931121829637cba7daddd81f
SHA1

15c2184dc5d591f2ab39ade1381181e4479f8d19
SHA256

54af4e9d0e6236ee5655791ac71c4ed9ec3542b1b621207070ed1f28138b0c0b
SHA512

7dce51ab4ad9988f1a94f642dff2d52106f8dd0905d148431f54dcf2e6d55950576ab12b60ad28e01db9b9449f8bd101bc7ad9a1d6c90bc0aeae2a8841ee76bf
SSDEEP

786432:p+MqXLGy6AB9PMv+EttW8f5Ggo6ywk+9:py6ABH+dryw

Score

10^/10

microsoft discovery execution phishing product:outlook

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3944 created 3016	3944	driver1.exe	50

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1244	powershell.exe
4824	powershell.exe

A potential corporate email address has been identified in the URL: 6633dd5dcff475e6fb744426_&@2x.png
phishing

Executes dropped EXE 1 IoCs

pid	Process
3944	driver1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
14	discord.com
45	discord.com
46	discord.com

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4488	3944	WerFault.exe	85
5048	3944	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driver1.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

GoLang User-Agent 4 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	2	Go-http-client/1.1
HTTP User-Agent header	7	Go-http-client/1.1
HTTP User-Agent header	9	Go-http-client/1.1
HTTP User-Agent header	11	Go-http-client/1.1

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133775508830824238"	chrome.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4018527317-446799424-2810249686-1000\{A56384B0-AC80-489C-B4FB-6F75700F5D6A}	msedge.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Wix.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Wix.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Wix.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Wix.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Wix.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Wix.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3048	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
1244	powershell.exe
1244	powershell.exe
4824	powershell.exe
4824	powershell.exe
3944	driver1.exe
3944	driver1.exe
3944	driver1.exe
3944	driver1.exe
4548	svchost.exe
4548	svchost.exe
4548	svchost.exe
4548	svchost.exe
2484	chrome.exe
2484	chrome.exe
1928	msedge.exe
1928	msedge.exe
4496	msedge.exe
4496	msedge.exe
4772	msedge.exe
4772	msedge.exe
5544	identity_helper.exe
5544	identity_helper.exe
5780	msedge.exe
5780	msedge.exe
5848	chrome.exe
5848	chrome.exe
5848	chrome.exe
5848	chrome.exe
3896	msedge.exe
5648	msedge.exe
5648	msedge.exe
5648	msedge.exe
5648	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 36 IoCs

pid	Process
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeIncreaseQuotaPrivilege	4540	wmic.exe
Token: SeSecurityPrivilege	4540	wmic.exe
Token: SeTakeOwnershipPrivilege	4540	wmic.exe
Token: SeLoadDriverPrivilege	4540	wmic.exe
Token: SeSystemProfilePrivilege	4540	wmic.exe
Token: SeSystemtimePrivilege	4540	wmic.exe
Token: SeProfSingleProcessPrivilege	4540	wmic.exe
Token: SeIncBasePriorityPrivilege	4540	wmic.exe
Token: SeCreatePagefilePrivilege	4540	wmic.exe
Token: SeBackupPrivilege	4540	wmic.exe
Token: SeRestorePrivilege	4540	wmic.exe
Token: SeShutdownPrivilege	4540	wmic.exe
Token: SeDebugPrivilege	4540	wmic.exe
Token: SeSystemEnvironmentPrivilege	4540	wmic.exe
Token: SeRemoteShutdownPrivilege	4540	wmic.exe
Token: SeUndockPrivilege	4540	wmic.exe
Token: SeManageVolumePrivilege	4540	wmic.exe
Token: 33	4540	wmic.exe
Token: 34	4540	wmic.exe
Token: 35	4540	wmic.exe
Token: 36	4540	wmic.exe
Token: SeIncreaseQuotaPrivilege	4540	wmic.exe
Token: SeSecurityPrivilege	4540	wmic.exe
Token: SeTakeOwnershipPrivilege	4540	wmic.exe
Token: SeLoadDriverPrivilege	4540	wmic.exe
Token: SeSystemProfilePrivilege	4540	wmic.exe
Token: SeSystemtimePrivilege	4540	wmic.exe
Token: SeProfSingleProcessPrivilege	4540	wmic.exe
Token: SeIncBasePriorityPrivilege	4540	wmic.exe
Token: SeCreatePagefilePrivilege	4540	wmic.exe
Token: SeBackupPrivilege	4540	wmic.exe
Token: SeRestorePrivilege	4540	wmic.exe
Token: SeShutdownPrivilege	4540	wmic.exe
Token: SeDebugPrivilege	4540	wmic.exe
Token: SeSystemEnvironmentPrivilege	4540	wmic.exe
Token: SeRemoteShutdownPrivilege	4540	wmic.exe
Token: SeUndockPrivilege	4540	wmic.exe
Token: SeManageVolumePrivilege	4540	wmic.exe
Token: 33	4540	wmic.exe
Token: 34	4540	wmic.exe
Token: 35	4540	wmic.exe
Token: 36	4540	wmic.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2832	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 1244	4628	Wix.exe	79
PID 4628 wrote to memory of 1244	4628	Wix.exe	79
PID 1244 wrote to memory of 4824	1244	powershell.exe	81
PID 1244 wrote to memory of 4824	1244	powershell.exe	81
PID 4628 wrote to memory of 4540	4628	Wix.exe	82
PID 4628 wrote to memory of 4540	4628	Wix.exe	82
PID 4628 wrote to memory of 3944	4628	Wix.exe	85
PID 4628 wrote to memory of 3944	4628	Wix.exe	85
PID 4628 wrote to memory of 3944	4628	Wix.exe	85
PID 3944 wrote to memory of 4548	3944	driver1.exe	87
PID 3944 wrote to memory of 4548	3944	driver1.exe	87
PID 3944 wrote to memory of 4548	3944	driver1.exe	87
PID 3944 wrote to memory of 4548	3944	driver1.exe	87
PID 3944 wrote to memory of 4548	3944	driver1.exe	87
PID 2484 wrote to memory of 3956	2484	chrome.exe	97
PID 2484 wrote to memory of 3956	2484	chrome.exe	97
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1360	2484	chrome.exe	98
PID 2484 wrote to memory of 1496	2484	chrome.exe	99
PID 2484 wrote to memory of 1496	2484	chrome.exe	99
PID 2484 wrote to memory of 3280	2484	chrome.exe	100
PID 2484 wrote to memory of 3280	2484	chrome.exe	100
PID 2484 wrote to memory of 3280	2484	chrome.exe	100
PID 2484 wrote to memory of 3280	2484	chrome.exe	100
PID 2484 wrote to memory of 3280	2484	chrome.exe	100
PID 2484 wrote to memory of 3280	2484	chrome.exe	100
PID 2484 wrote to memory of 3280	2484	chrome.exe	100
PID 2484 wrote to memory of 3280	2484	chrome.exe	100
PID 2484 wrote to memory of 3280	2484	chrome.exe	100
PID 2484 wrote to memory of 3280	2484	chrome.exe	100
PID 2484 wrote to memory of 3280	2484	chrome.exe	100
PID 2484 wrote to memory of 3280	2484	chrome.exe	100
PID 2484 wrote to memory of 3280	2484	chrome.exe	100
PID 2484 wrote to memory of 3280	2484	chrome.exe	100
PID 2484 wrote to memory of 3280	2484	chrome.exe	100
PID 2484 wrote to memory of 3280	2484	chrome.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3016
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4548

C:\Users\Admin\AppData\Local\Temp\Wix.exe
"C:\Users\Admin\AppData\Local\Temp\Wix.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\";" powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\Temp\Wix.exe\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\Wix.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4824
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- C:\ProgramData\driver1.exe
  C:\ProgramData\driver1.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 388
    3⤵
    - Program crash
    PID:4488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 384
    3⤵
    - Program crash
    PID:5048
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.exe /sc onstart /ru SYSTEM
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3048

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3944 -ip 3944
1⤵
PID:124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3944 -ip 3944
1⤵
PID:2924

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe0773cc40,0x7ffe0773cc4c,0x7ffe0773cc58
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,9066993395090995453,2101442327100136535,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1736,i,9066993395090995453,2101442327100136535,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2012 /prefetch:3
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,9066993395090995453,2101442327100136535,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2208 /prefetch:8
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,9066993395090995453,2101442327100136535,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3352,i,9066993395090995453,2101442327100136535,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4400,i,9066993395090995453,2101442327100136535,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4280,i,9066993395090995453,2101442327100136535,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3372,i,9066993395090995453,2101442327100136535,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4980,i,9066993395090995453,2101442327100136535,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5136,i,9066993395090995453,2101442327100136535,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3452 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5152,i,9066993395090995453,2101442327100136535,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4336,i,9066993395090995453,2101442327100136535,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3492 /prefetch:8
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,9066993395090995453,2101442327100136535,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3488 /prefetch:8
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5180,i,9066993395090995453,2101442327100136535,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5036 /prefetch:2
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3448,i,9066993395090995453,2101442327100136535,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5100,i,9066993395090995453,2101442327100136535,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3492,i,9066993395090995453,2101442327100136535,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5316,i,9066993395090995453,2101442327100136535,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=868 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5848

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe19353cb8,0x7ffe19353cc8,0x7ffe19353cd8
  2⤵
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  2⤵
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3556 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4904 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:5988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1
  2⤵
  PID:5992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:6056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaService --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=7372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
  2⤵
  PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,15852038210133247761,6833509420461468485,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4820 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:124

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004F0
1⤵
PID:1800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\driver1.exe

Filesize
1.1MB

MD5
9cff7f2ffa235062a389eafa44385df5

SHA1
97f06a91915400aaf0f2e93352172395e9dc1c66

SHA256
1103d24428005f23b7c88bdaafc615d1b4ed4320f3554e096712c80dfc4048f8

SHA512
aa242d26d02ed4eefe317781ad0692a2e70269221b26042a6f9e47ae18e286dda5dac3959397f85ea4a40ba82206a553c4b5e82962393142e45ab235fffbeadc

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ed860561613d2138b8d9aeda596c42bd

SHA1
627b60407d66fad8ff9bd0f05ae69c2887a2968c

SHA256
e1622f50ac7c6baee8a569dc70e9f313511ea8d53297cb1a3a7e7598419cd6b9

SHA512
c33d15409bf72d0861149cc9c65def48de042d8d0743e4cc5942c65142010ab9deaad64a91e448342af3a0149fb6a0b201e63e7da4a699c3ec13085e1d6ca585

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
41KB

MD5
e319c7af7370ac080fbc66374603ed3a

SHA1
4f0cd3c48c2e82a167384d967c210bdacc6904f9

SHA256
5ad4c276af3ac5349ee9280f8a8144a30d33217542e065864c8b424a08365132

SHA512
4681a68a428e15d09010e2b2edba61e22808da1b77856f3ff842ebd022a1b801dfbb7cbb2eb8c1b6c39ae397d20892a3b7af054650f2899d0d16fc12d3d1a011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0b6c01c3300bd377_0

Filesize
383KB

MD5
a77ac978e1b719a9ad2feb95be4f3381

SHA1
2641295a19f4b46e8f403fbafde694a95a17bed7

SHA256
cb541d959f91d9dc4ad22a54018789fc2c7e6c3d6cd39b51c0e7eb4a5e3feeda

SHA512
ba923fa393c2b34dfdcfd3a3fadbf1b9965eb17f538415d3cc65fbd385581f5a385987206052dd20d1c351b02fd1ac1527f7d999c7613794ab2ab26b11590d07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\3545a9e694a7a24c_0

Filesize
289B

MD5
9e8cc23cc7ec498d4c82714098c4cef1

SHA1
b952325979d1f5c93885ad2d4d50bd156b3efc59

SHA256
40b96e06d95c91f695b4b6353bda976f56088cfe36fc2b360645d81dbc33998d

SHA512
3a50d4e61db7a774a994b00b9a3bc3cb062f0a6a5ccc6079bd0538e7fd7d496ddb912e054b3c47c2c61f5f830e14f173b6d009edebbed0b282add5db201ea843

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\70abb380698a093d_0

Filesize
280B

MD5
520fa3dd197a309c7bc65449cb58692e

SHA1
fbcb80aa1d873af08ecb55305197e577aacf2fa7

SHA256
2b6a96bc9c62ad2ade15ff06fdc2d2586d8fd98e5c4ac5ba6c3f671e6de1445c

SHA512
35958fd66aad33935df438cc71503b93ebc36e9a78851f50386512eb424babe70551e771a5ca7c37d25190c467dc9f01088ff1dc20c398c802a09c8dbb949b17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\9edd2c247065bbd2_0

Filesize
19KB

MD5
ef80a00f97234f80e29000eea32c0b0e

SHA1
20f1aed32ed62fe10051be6209babc754036cabb

SHA256
f6f9db40eb935f1363fd7b063c2fddf2da41305a0d2173cbdfa30c474d083e33

SHA512
e74b1381abc05976a9fb409668693a2b39ab180f7d12a5d5ccf994f8971ac32d5641240783070ed6e30feb86c05dd9eea3889c342e2e3379069bcec14bb90766

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
e480e754a016ee9f083714b8d8e197fc

SHA1
0855f56649ba5ac6e6925bd73ccf9bf4e7118384

SHA256
46aeeab2b35f933531ff06cdd4fbb28837f0319c1b50916cf7a9d0ffbd5465d6

SHA512
a80699561c29fab9f163b58f670efc0fa540dc60ba5430f45da4f72207eb444ecb9f024d2e15f411a319e6966a19b17cf1b5b5df23e64a88c50d9532f2ea28c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
e2b39e7ebf9b63d9280acb00375a63d8

SHA1
ad7f8562a35227d099d90b9528f2c86c63892266

SHA256
cf03fd6a405cc99ca9cd23fb704028e8078285decc2d27cfd803435bacdc7062

SHA512
21507bd8558ef7bc061521edd34a00740e5c10124ef6079d38ea9092aa4c7e3ad870f27fd3324c70a8d6b63eb376a9d3aa155c8c6bf2032c5b297afbb059c808

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
e1bd523ab2039ee52fd0ff7e02d29a0f

SHA1
334b538c9838257d310266f158735963bc06b6df

SHA256
a1ac59fd8cf8aae530de24bff0b30243e10193cfe47d68773cc52e2b01883a3f

SHA512
fc731cb93de1244144092ad8884fd06caf4ff5ed2755f70f2c978b1727b9d2d63a03753650ca5b608eaecdda345bab56191b3018750cc0c930852f961146cff2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5d2a1e3627c267d927acc49b55f58e32

SHA1
1cdcebcb7d83fbdf1826ccbe95c00aa0ab733bdd

SHA256
bcb8fba9851c64cf01880473e65bee172a80921dff527fe2b9b403a62aad43ea

SHA512
06b7dc4d344fb4d81030f7dabf50cd19dd3be8b30d324ac549f256282448bcb3a44b7933dabf137ed62a02ff86fa2bae5d3ac37766db00e1fdb2e76ef606a0cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
251e408515fd0577d14e1c0fed851e28

SHA1
2002010cb7df7d12da69c23cc95e06100a47af6f

SHA256
2c650ef89dada4b3f641556dd13585290926635a33a005f64ed6fbfdc2883eca

SHA512
0fdd81e7ea203a66920a09568986fd6e11c947e38fb33301610d195b2d6c749f6f5d3a2a3952c07ebcc9b994383db058cca99bca597ae0c68d96cdae8b4ee925

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1b29d0002510d184edadbe01a598dce0

SHA1
51e46d711e95d226b593daf89adbd161b51f1150

SHA256
01f19753dffd237a81b41defcca932c4158ffb82e57e202dacd7b68463ccb776

SHA512
2c7d012c76e814377f44ceb84084ca3ab3964a86a5ce31f42d57480f60cca09fdb651cf8593ea04f5edb66c593a76ea0afe1af4c3ff92156259b0b5a25f618c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
78ef876aefe5d4160a62154e72177e4f

SHA1
e9ad31561fc77b599a833dee3202a7ea94f28f89

SHA256
d806527048ef52b107ca87d6f977c8ed069930f6709597079a58445917b161dd

SHA512
3179e6bc5c963352117617378b7e027a9880d1e1685a1b71141c10a8ecddd107b18b5281295d60fca88e2572a26b707bb5dbf4b4616e9bcad5f30e32db758175

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c89823ec49f5c068abe746fa17a0205f

SHA1
4f7f8a4c33178fc539c51714d2a8c9ec1c0cb80e

SHA256
1044e4e6edcb865684c4570cc508df1115d40df684cfb4f27f176853cf57f6f2

SHA512
3d36a1ce82c7d1ac7764abb8d21503934edee3991c775b3cb5e6867ee54803dc46aa2431d037f6ebc42919850bdbf104c4d38bca02763a405464a5a028f17f64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
96dfe34a8fab439d3b88073707cde988

SHA1
dff9377dee11beea670fa472da02582815561c52

SHA256
1864568557404602cd7a77f9e923a75185eb286a525897b0fe4baed062aa485b

SHA512
6926de90696772a3a4806707fe67f89635d3c077c92de72ce7e7b8be6de7d416838dc9ede4fdbcc751b7b96f3b610127355737097c0410788180fefc1c9b8bc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d8c9a30ba270fec39226e58f3d5e04da

SHA1
424c21385145d5782d696b3a426c644c17030107

SHA256
ef9d21ca55e7bfad11ced4e72c805d44671a9855dddacdca5d51515e8f330481

SHA512
2ec2ba05cf9b6f03c61f2c83239c7f114e9bd13838caa88c934071fb820aa4fa56b8c6dce8a7ccfc78ede871a8ef2c24dc8631d0d0e5117bbf8b64cdcc141df0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
09e53026111fe7bb6be081d8380fb087

SHA1
543dfca9fd98481d32c599c6443c4a3ef22d501c

SHA256
431240ed6b009d569acc5b65fbf0471aee40ac2347fbfef2fabf4cdf09928000

SHA512
5567a096dbb3c244f0955484e1a7c5e9d560ca9f662cb7e881f551309f369249b44e412aa1ce54827e7ef995574f751617d9427c3153efa460b5002984516c43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4c68722350b2df34cb360bd7dc5e76c7

SHA1
b773070e4cef1cbe992181e4b489a5c2f172ffd0

SHA256
77202f13647a89fd455d1156afdfbbe13be71711b1482cdb878a8671d623fd46

SHA512
0e66d0b9ecafcae457c2a36f26ae1f81d17e11c444048924c2cbe2240e400f71d07d7a48df8907e7da6d4be624af771e7fa12c2515d0a8dda4253644ed26f301

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
930456924ddda00b3ecc4299818c0e17

SHA1
2cfe29e5ffda14b6f15cf102f59aa19eaa1d60ab

SHA256
b0f9fc35dec8d6a05306f4c11549cf999c2b083feae8093e851a4c74b74de874

SHA512
c8256f51c46f23bf05fb9dd123e49c3b855bbe1d4b7acd17a0cc32b275e8e799a10b40f4d99a24c59a9300da7e2c3ef27e167b31e45ffdd72a3b30ace33623c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
58504515f97ed969380694cc1d3efd00

SHA1
d55e85f7ed35b5decb05d0ab522640ff95fc29ff

SHA256
bd73e1fa31b3b40a582ae82727cbcce96e8cf0e7d9db3c5a92254fa4d9a55df5

SHA512
5c3636d50a9ccb9f66dc491b5a405723c771d0ab23102b865eedfc79eb715d97b3f9f8d724a1ffd2a9472501cb7461eea64d9257ab863506c22bc634580354a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
da02f0a8868b1996f0ad622293f6aa7a

SHA1
7bcb3290f512ac2e04537ccd9e1afc8241102378

SHA256
1e601032398fea604b3c9b742ccf4c64f96642f91d5fc87f52a6a79aac15b715

SHA512
1a1f34b2910a2b847e0a42461ea331a9ddf3389a5b581fd9d740a129efdf894dbdee50673ea4263fa0767d026f38bdbc1c964e7025cdc55595f074b70bf7052d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
949d805461146e620a7ddeee175f501a

SHA1
7e8d6f1152e4831350029a2c1c7beaf272e67492

SHA256
b01365a6abae07d3b7fce363fcea84065699d114b33460847fef6b4314775dff

SHA512
34a6ae7cc73c6f18c244cb4b1b5b751fa9b43e913be2b173c6171d16e0484e3f934b8eb4470d4353944c29cd4b97a2f1360a3568809dc5d315187e471f907bde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dff7fd6836f929e5dbb1b8e39a16010c

SHA1
d8a8145f4e882d53e6b68fd228462496c643d208

SHA256
9eadf7e87a82a428e2a707eb2ea49e30906a94055183ad91cb1eef5a3c813c0b

SHA512
5c85b6c72864dba1231fa8154303bae55461e594a4d00169523704f95210b518417491218965b39f01c775ca9d29409136fdc4ed22248892816ca85c6a08090a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
da9e0a3fc8ab4d0fe394d15a4d74ac17

SHA1
c5db58e291ab7bdd4fa61259822537b87a654f8f

SHA256
f0dd812aea5c80d70caf5c1e8aee1b91cec3c7dd97b851ab27e944b794c6fdf5

SHA512
e54b2644e18bb11896bd9557208dbc0f2d3569ca97b96c865ae51c27a3dc47ff795f9c0e85dd7a917fd8e60dd8a0f2833c1818daba624148ddcd1a869528872c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
74decbdcac79897325c468b481b5ae3b

SHA1
78f9e9f3f1a405f216701498d9f34eba63eb72fa

SHA256
0eb414e34ae1e9ab443a5069c1ee82e64200a1d9c484d211f2d38b43f733e2b5

SHA512
d5eda43b350464caad8f8ea535b99bb6501f9a4ee4093d5c1b88678052e7cfdb811bc33b8282ea5ce6b5797f8d2062fd749ee9b7f739fa4153a9f02ba358976d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7a7b9a6337a4bac44b228fb8a76f52ce

SHA1
fcb80b3a0195b9c55e1dea34dc87149147fe05ac

SHA256
bf327abc4830a2e0a4500876861fd371ca40babd4977934b26fddf6a7579188a

SHA512
b275793be0d9d68aa84bf6dd1365d93082ce2913573c91470378753ea87dd83640590d77d5f41ad5e85856e52293d8f87fb7c8902882e659035dd9b3403344c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2ed7cdb0ef14c9a1b4ebc549502773db

SHA1
fa3fbeafc87caf28db9bb8860aeace6967e31abc

SHA256
df4c3daeb287ab06f1610af499fa0e59fb50ae054941948f38b54b7264fc9eee

SHA512
64ba306a13834fe9cb1e2867e63683902eecfce834cf3039ecea2e26526a871cae335ade588044972c49b7659ccfb1d24c620f92595291c18a238c6b6bd9faeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a946c0af63d9ad75a09aae5283404b99

SHA1
f7ee018586e400983fe54543df7648219dcbe1dd

SHA256
f3e935efbbdf352d5c606c78346fba59cbf02d1e3097c9c570a396793e337db2

SHA512
4abbc627ee1f32e30d983990324e574203a00188379b4a4bbfd4c3eef991ec15d9633480066ec453c7bc68cddb194415b86158f52709337cdcef061d9ba76c2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4c4a78b5b31db9f69d391d3cb5eed135

SHA1
7c408e61a77782363a3bc515dda100fdc887cf18

SHA256
631785ccc96447ed7fd7e5a4cd0e911b7ab024dc2c52dc61243b74bfca9e491b

SHA512
42c31a7504d6485d6cef0705dd630d58d770ba52482ce35af5acd5b4790189563974ebb89f2043b72606d6edcc80d36ba6ce02e86ba7a4be28b9bad7344242bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
312b87ca516f57239dac64adc14e5701

SHA1
2bbe084030b352252e5514b2fd65a29d2e9cbbb4

SHA256
e58c3f8d39e7e14dcf1306264338671100b7f404a3bd7afa77a1d620c3f8167b

SHA512
d251731eedd9ffe7eb0b0077e1e9a25c33300c3feb51c838faf56de59aca0059fcc42e1b308c18fba950e3241cc7a2b49f0954baede2912a62eaf969a48c9029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d6bcc56f7bc8b392de7e28c1b46d4f9e

SHA1
0e7fa2cedadc95e4bbe2b339c167cad0aed8ac5d

SHA256
f63cfa01a0ddb497daac9cb677e424202070a092c0f13417a19f2f1d3e851d86

SHA512
54ede1133ca0b66803abcf995d3bc60ea5ee9c800d1c6842d93ce3676c78767f81c09ba43b0701df553149a07d97929bc599db160f9b4f45b7897379210f229a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2487a94ef575b4feeb764a940f1cf9a5

SHA1
9782cd453bffa1af5a06f15e8641fc32bd7f41f3

SHA256
2412a64639627989cb1379507434c39953203d6aef389e46d56baf0f2cac7dda

SHA512
3aeb4dff9b42cfa3e54dd0ade477ae177cf8366559af690cf6b5d913d35174e2fe384e5cbff3e3c6bea68030a5699bc72537e175b2b39a200333d83d93980291

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
4fddc4803863211e436c8736f56ee5b6

SHA1
65469c566d680f734294574794a76b0bb7c1a7db

SHA256
0f32f52d7ff265b8a540dc243da697d68827be799f9d41676d894cbc5f5e18fc

SHA512
81b09f3580496b8495692122af46bc81ed3736448d973c1ac7d91d24873396a662dc56bc9306f1850da76259aa5066890ae72ffcf27a01cd0f736594248ec7e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
89e5b9c3537322292b8d2114ebe95789

SHA1
cb1d7a65d21fd560dc58d468ef742a9b46ab4296

SHA256
9a01a3a9471651c583ff12a2e302c4513f7a955110f3a0bcc2964ee699c97a50

SHA512
0dd4297771b06c5e7d330418fd4fe070901dfeb732e7f0ee9b747f4e75e9722fcbdbe063c482f51cde54674a9fb7b9d0c522eac6456681e9d69b8ee743461c1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
dc7d5251c79a514e9ec2e431ef4c30d7

SHA1
6072c84e9b2102be2333dce6be224fa70d45b565

SHA256
9639dffe9ded431b704915c4747b530ef391a71bc9280748953da20867073679

SHA512
9a947ed3f5d7302e5078fe59dfd5aae354805b46eb9b91c8c80509b35b16ae18755b771634b3ebe8d9ddadffff2a8eb75a7ab69d37592cf06d0ad389fe9085f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
79adf8c02e7d7a7e1eddb8f2f4219874

SHA1
5b42ff0c3911776b378e214e4a6d30ef46804dfb

SHA256
2c8ed1ba4cefbca51c83fcd6402defcb07d2a972ddb60f0b8d38d3a610c731c2

SHA512
4cc7d34c6600e7a3c7140fe7d19d94ef16774a7c8872d1e4da34f7c4bfb7b7aabfbc36b25d4faaef83c7131b6e46d1930e3772a657261c30fd1c871a1bf6d7fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
a57a437ba735228df8a19bddf81d67ad

SHA1
c4b03183f6df64871ca3a85354c9e7ef6f12ea2d

SHA256
c287fdbd183f00453a295617ba61650068996e2c29416df285ad247c328bfcfa

SHA512
32825a5896567275860113541aaa3f76351d5e995df4d45c7b181dc617562f0285644db95a125d26ca7ee59e675e634fb1491fd40e96436ed6e06f63e2bebbf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
051a939f60dced99602add88b5b71f58

SHA1
a71acd61be911ff6ff7e5a9e5965597c8c7c0765

SHA256
2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

SHA512
a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
003b92b33b2eb97e6c1a0929121829b8

SHA1
6f18e96c7a2e07fb5a80acb3c9916748fd48827a

SHA256
8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

SHA512
18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\11fce8e4-2eac-4d8b-b2f6-9c547a11cdd4.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
6efbc78e3a5a9d4d1ded14bd652f6967

SHA1
b54de2f2e628d7a1e8607eec1c8a4ebdd4e74470

SHA256
f4096e9bb245dc3072ce5cf3d7acb723a19a99ae93b08be246073aaaf979c1ee

SHA512
ce08964ba47b477da3e61d085dcf485ec1324a000689fdfa2b973cde2634631c5eee48d9c471eecd44a4728453d264b4a711ad54188ce7698a36790a68587a75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
6be1a37be04f9dfef17921b9c5d5ba85

SHA1
aa21229615fc6334a8c76ddc704604125ef9753f

SHA256
78aad73dd2d85a5ce73348eace066d83c5f474d02b2f9d7d58e28f209b273923

SHA512
71304cadd68c681781e32e170d9eb8922b26257b30dbc613e6a52b15732478a24c2ddbbc015784d1f735b0824abad56c15f52e7520af5bba3f5236fb30d5b60c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
ef4dc336f3b5cd84d43311ab50f418c5

SHA1
beb98c5680dc864417f91307be4efb0441787321

SHA256
414774afc2009bb43f72c77d04ea40df8260c5bd150d8441fa11ed541840771c

SHA512
6892af930b05ea43d6cab383fd999fc256297ff6385a2fb1713883f764ebf957010a1f5859821946369f9708393a777b63ebf6cc291373e2e90dc43d03741647

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
f601b6d5dd8e51f5ad6d05e5983ab93b

SHA1
715de2b37451e5caedda7bcbaf1898e14d3ea7db

SHA256
113a9bf0feedc900b037167323e515575b3702f0f15164776daeb9df88c07d6b

SHA512
3eeab59150ff14da7ffd0917c7cf916511cd8ffdab3e45608b2b5b28d5e76bd45ff77ace8db1b4da1f39ac3f0fbd0db596fc45fe7cfc9bd453921cd4edd2314c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6d2474a4a23a630240d6ef23490eb9a9

SHA1
c5c86fc88210fd6ad2f0185797fda56ee8c80621

SHA256
9c34b060cef1b2e0bc6317f82407a84e8c243ec2ff190db19290674c9c1a9d43

SHA512
58711fb9989f0536ee6e4a0974e71e99875c6ae5524d8d219a99362d8965e7b540f4ffc24ea7b9ce468b09128b0d0d9bf1c4c2bd9685d72b42bbaf89498f6668

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b59dde31a5bf4ec7225a3d51eb9bde92

SHA1
b461135bb6bbab4a401866225f37dd9932aec1c1

SHA256
9c313679a7402f368e4f6a2bc126eb0349c87100034d97a4df26acac6e4e4c63

SHA512
f782367175a8a5630d273e1ede1d37180591b50d781e4119eaaa245abaa88cde8a0a542f229271002773b53d1f7ef3951001cc7728b4eb3f971e9f3bc824504b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6748e55f0869af4df2d589f48f0a4480

SHA1
03e3a66da85ceca1c8f5d7621e5aa0f5f6aea6be

SHA256
7f30db1d791ec84e35532657e549084bd822e5df92aa4f4f753c1970d1968c22

SHA512
b51c8b1e830d8d138cdf4e8f4e995415b1439d667e29cb9671af35fbd83ce043708b19f059c0e46a7dcd9f38989756b62079c49eea3a8ee90b6c10a63695df1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
97127b91b9c47d340cc327eb3391f173

SHA1
9f0b8a3283df69aa3f6c5fbdc0468a60d5dc9e4a

SHA256
1d8dd2e8c98c42fafe52a6f64a5fbf506a6f7278f92a2bcfe3b171d053fb7bde

SHA512
7320a83a856e1a854aa25adf7ecf7c94e39eb8a7c8754736dd0d9868e1016fa4af3974dec7b5022f0af1e8350c86b0e576b30743d4cd9a431a2bfa76de5fd11a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
80fcd555fa6cf2b168d7090bea1ba5c6

SHA1
2f7394656972e135d6c7f638c8a51abe22ae3538

SHA256
89fcd911abbdb92da455067b35c8aa03274dca36d2fc58025b4103ffdf7867e2

SHA512
0803714435c257190d559b3b2f3d19a61201c8c5c3589b70accc02cf927ccbd6805599ecfab341fa69652bbfd77240e3e92c3251730dccd05070dff599a598e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8562d7a377d795e4c6377d3d65e59633

SHA1
a79889bd8f0d0094d7b8aacaa78d9799fad57b38

SHA256
d9b03522991b66ede353f3a4a5ae211416d0ccfe6431a8c95b56f581f3f673a2

SHA512
52fee85bd477bec6811492999d55e7049130e26c9e3036452b08930feb53079bc050433f0acf97dfdd26c8b1f3550d7681a923d5a00219c1393caa108f31e565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ce7f77966fa1aa4b2f2311f92fbb22b5

SHA1
cecf44c5417f0d8c4340983f191604b03bf53ef6

SHA256
3b8775b96c20a01b8db18eda756a5eacb30620aa1603ce311fd47465063d201c

SHA512
397a6b6869694005084775c81c12a827fe24541cdc58e7c39dbd78f579b36aa0a05792a30b1627cfc389f0f6cf4b708dae6ac674d4883355340930565872b272

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
395a1d9e7eedb655b45c162cbdda3160

SHA1
11345a99e51ad197007812d4a1ace012178af969

SHA256
5d246f7542d1dbb40c04bb46e583e11816d0d72a4156e723023878f40e86643d

SHA512
80f66d4f882743eed0b93f4e1338907e2d9643bbd14491e638a07c55000a71414f50608772b0f5a5ced791c10187a58be45d33aa570ad140d2a272c2f6580e1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
69b3a7ae6bd1b9ec9f6f744d93c6043b

SHA1
bec4fb341be240805404ddf83c36247b3b904d9d

SHA256
2cd1553a454f8accdfa9394a823bc4491063fbe8acaef34875d9679799c17a8e

SHA512
6b5ef730cbd6422374e87e665d87b3b015b5155314f6c3c036bfb29ea350a2933578cec93d600868f6c371d9da5a6689e74f68b29c66af1add1c02b7f0ced036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
fc55c2803977e0595f9e27f95c444409

SHA1
b7563ddf0079042454b53027cea24076c5d8be54

SHA256
3442c7c31d4e9557f25d30bf76ae91dd8c44d31e02c56038cddf47c1870279aa

SHA512
96e28e6e0ec89ecd6d477d17d151d08cbd2f369af067c6891a4bdb0efb199382d39c91e7071f1221a1a3a560521ed98afc68e0f13e7ba4cc239aeeee3c022535

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1b59592010f1fa24d3406b41e5a7af57

SHA1
6b7a7f9e555f2e511634dc7b560d5bdbab87eb69

SHA256
7b9d086100ccf373ba36a28f30952ebe991b4fe7a1fd481492f1cdf7818ce7ad

SHA512
75028685c0479cc44ccb0083173156e30243dbc364488a5f7846dc8f770922a3d36578a2e9e90490d085e61fbeaa27afecde06406879f94de1e64c7588fa9044

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
5a3dd6fd5407577f7cc53c70919b44c1

SHA1
0449d2628eaf9c957f44bd2e77c819c6ca8e3dd8

SHA256
5f28cc558a049fdce00e1a3be131a2e37df9fba0297e536d384b73d1e29cabb4

SHA512
3f8accb283520cec49a7ff2bf48c2d7d03d043e7f91189f32af7d6c6981260bf0ad31aa018ac9deaeef898fb3392b672a83a590f0add66fdb5a2b90bd15f02d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
4751562504c2fe780244650e7961b2f2

SHA1
73a65f5e47f2f754db067f0a858affca9fb709ac

SHA256
5b5b68ca8d7e8f26edb48ecb7411e9b2c43a05e4aa464f7fffefa56bff54139e

SHA512
333b16a926f5622fd54a2384063d4523599ae4b390ecf922e57d8dbc9b2c877d72c8880da16c5732094e3e0f49d104bfe3b115976c63319916f214b2173494a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c94991527863d38edb8e28fecc813e1f

SHA1
76f37bebcb75ed7793121268d6d8abb7cceaec58

SHA256
18631c96082dbe6867a2549ec8f26fce9f21efc0ca6a5d58ec10c8431c093f60

SHA512
0a05b2112e6825481ea5f8bdcce0291c2e3c7b176439ff2a5a13086a44922623f908f7b07d86e098eaeb0e6dedfd47162e47f25c2372a8a0812cdd1031dd36e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe596bff.TMP

Filesize
1KB

MD5
fc68f3310e49c270ce58fc2186b640c6

SHA1
3fe9a66f0ab4fb7472093aa205bffbad2eec6231

SHA256
27bcb2f738981bed8dc35fd6af8e5e591d4d5fd29ad969b8ea76a06aa92dc578

SHA512
39d8dc9dbf16ed8504db72d064a1dcac31d744c3dde6a7b80988ea47bfe99d0dded19d34cb8cfec8342eb052bdf03e3f0c3c5b94a29f9c9b520c02a53de4a9d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6240baa896e861bba8f9d10eedb3fef3

SHA1
f048636d6784f5d096da382a17d874edb1821e82

SHA256
df44a70d63dc04e8c0677379a21d32fb5086d6a51ea80fdc868485d9d35be816

SHA512
5fd646ae9820fd30166218b99df12839c7567e04bc2d15b8a04201c71329894288703ce1e633e711d6b5fb3c1bddcf519b586a96fb41e16c722f39ea1600e562

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
b7443e89f0cb29d51ee6a257750e54d2

SHA1
84127eebf275e781d5276af6fc4d09c5a6bfb7b9

SHA256
8226877d6ab2e4834aea6bc71bd9865b28d0bd1ec2e8b4c23b8acf0301c56f26

SHA512
446cfe25d82f3bbf7badd324cae691ad62e13bd7469e415f47b9141bddf30679219c672937f4f6768796c2936c3b9c557fabbda1fb51c5edbb7c1964bffa17be

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sgogybfl.xhd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2484_2106332167\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2484_2106332167\c8a269da-d05e-47b5-82cd-9a0d3359a4a5.tmp

Filesize
135KB

MD5
3f6f93c3dccd4a91c4eb25c7f6feb1c1

SHA1
9b73f46adfa1f4464929b408407e73d4535c6827

SHA256
19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e

SHA512
d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
abf8954daf6c77b8129a9316da3805f9

SHA1
e76ca0b3dec11e9857bb56399c55e1802c15a432

SHA256
2e94f305cd78b1c459db054b978c5a9541ae145e1c96525d08d50d6c5ac88a91

SHA512
fcec3c742350b183a171b391bdb9ffc29280988eb2187bbc587041157802476bef06667e7f0debd8e943957fbeee40ae14d0e3bc99486b763dbecba4b73c648c

Download Submit
memory/1244-6-0x000001F4EE110000-0x000001F4EE132000-memory.dmp

Filesize
136KB

Download
memory/1244-10-0x00007FFE07290000-0x00007FFE07D52000-memory.dmp

Filesize
10.8MB

Download
memory/1244-11-0x00007FFE07290000-0x00007FFE07D52000-memory.dmp

Filesize
10.8MB

Download
memory/1244-0-0x00007FFE07293000-0x00007FFE07295000-memory.dmp

Filesize
8KB

Download
memory/1244-25-0x00007FFE07290000-0x00007FFE07D52000-memory.dmp

Filesize
10.8MB

Download
memory/3944-35-0x0000000001270000-0x00000000012F1000-memory.dmp

Filesize
516KB

Download
memory/3944-45-0x0000000075EE0000-0x0000000076132000-memory.dmp

Filesize
2.3MB

Download
memory/3944-41-0x0000000001440000-0x0000000001840000-memory.dmp

Filesize
4.0MB

Download
memory/3944-43-0x00007FFE280E0000-0x00007FFE282E9000-memory.dmp

Filesize
2.0MB

Download
memory/3944-42-0x0000000001440000-0x0000000001840000-memory.dmp

Filesize
4.0MB

Download
memory/4548-51-0x0000000075EE0000-0x0000000076132000-memory.dmp

Filesize
2.3MB

Download
memory/4548-46-0x0000000000630000-0x000000000063A000-memory.dmp

Filesize
40KB

Download
memory/4548-48-0x0000000000CB0000-0x00000000010B0000-memory.dmp

Filesize
4.0MB

Download
memory/4548-49-0x00007FFE280E0000-0x00007FFE282E9000-memory.dmp

Filesize
2.0MB

Download