meduza | ec711f3d9eb360eb08ef30c0b315de37a59da35bd6e332d8f19d18fc480d9a3c

Analysis

max time kernel
164s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 03:22

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

setup7.0.exe
Size

3.6MB
MD5

d38571e4500bd3936c55ab41b7d40c4b
SHA1

b7dfcd284dd985b92c4ab45e13bfc45dcf067ac5
SHA256

ec711f3d9eb360eb08ef30c0b315de37a59da35bd6e332d8f19d18fc480d9a3c
SHA512

324e71c33eab94097b4e0cc0b6d28d8bdbca1739282b6b1fafdbb440ba2ab69d256b4905046edd719bdf20192440d160193f983f2217ccaf4972b5617a2a592a
SSDEEP

24576:wiSVYduVRYxf0fXRBvmt/cGFCTYGTnEt3lKTtHttN0jhmtksrP1yspoz9J7FbQxa:0QusxfsH8OThTM+tHtEjhFs4Uv4rqYp

Score

10^/10

meduza metasploit seon backdoor bootkit defense_evasion discovery persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
6
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note

You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/usXawLpW http://goldeny4vs3nyoht.onion/usXawLpW 3. Enter your personal decryption code there: usXawLpWRwLURGapDL2wQCK1RsmANwg8KrEJBbovzGZ6QahaCXbeEdkngkZhCTLfrBmBekz8aWA5GZuRbdg334seDCDumeyo

URLs

http://golden5a4eqranh7.onion/usXawLpW

http://goldeny4vs3nyoht.onion/usXawLpW

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/1196-0-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral2/memory/1196-1-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral2/memory/1196-2-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral2/memory/1196-3-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza

Meduza family
meduza
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Seon
The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.
trojan ransomware seon
Seon family
seon
Renames multiple (114) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	setup7.0.exe

Executes dropped EXE 6 IoCs

pid	Process
3572	GoldenEye.exe
380	GoldenEye.exe
564	GoldenEye.exe
2980	rekeywiz.exe
1676	certreq.exe
1992	RdpSa.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
131	raw.githubusercontent.com
132	raw.githubusercontent.com

System Binary Proxy Execution: Verclsid 1 TTPs 3 IoCs

Adversaries may abuse Verclsid to proxy execution of malicious code.

defense_evasion

Verclsid

T1218.012

pid	Process
4560	verclsid.exe
1584	verclsid.exe
4604	verclsid.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rekeywiz.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3900 set thread context of 1196	3900	setup7.0.exe	83

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rekeywiz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certreq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdpSa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoldenEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoldenEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoldenEye.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133785338066310800"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\{a3aa137c-f466-43cb-b663-d50d14f3a74c}\rekeywiz.exe\:SmartScreen:$DATA	GoldenEye.exe
File created	C:\Users\Admin\AppData\Roaming\{c2aa3851-5b4c-4bc5-ba5e-cdfeab54cf63}\certreq.exe\:SmartScreen:$DATA	GoldenEye.exe
File created	C:\Users\Admin\AppData\Roaming\{62f0e3d9-0d83-4ed0-807c-f7b564fe1b48}\RdpSa.exe\:SmartScreen:$DATA	GoldenEye.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 608406.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3044	chrome.exe
3044	chrome.exe
4288	msedge.exe
4288	msedge.exe
1940	msedge.exe
1940	msedge.exe
4244	identity_helper.exe
4244	identity_helper.exe
3144	msedge.exe
3144	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1196	setup7.0.exe
Token: SeImpersonatePrivilege	1196	setup7.0.exe
Token: SeManageVolumePrivilege	924	svchost.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 1196	3900	setup7.0.exe	83
PID 3900 wrote to memory of 1196	3900	setup7.0.exe	83
PID 3900 wrote to memory of 1196	3900	setup7.0.exe	83
PID 3900 wrote to memory of 1196	3900	setup7.0.exe	83
PID 3900 wrote to memory of 1196	3900	setup7.0.exe	83
PID 3900 wrote to memory of 1196	3900	setup7.0.exe	83
PID 3900 wrote to memory of 1196	3900	setup7.0.exe	83
PID 3900 wrote to memory of 1196	3900	setup7.0.exe	83
PID 3900 wrote to memory of 1196	3900	setup7.0.exe	83
PID 3900 wrote to memory of 1196	3900	setup7.0.exe	83
PID 3044 wrote to memory of 3864	3044	chrome.exe	107
PID 3044 wrote to memory of 3864	3044	chrome.exe	107
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4524	3044	chrome.exe	108
PID 3044 wrote to memory of 4912	3044	chrome.exe	109
PID 3044 wrote to memory of 4912	3044	chrome.exe	109
PID 3044 wrote to memory of 2100	3044	chrome.exe	110
PID 3044 wrote to memory of 2100	3044	chrome.exe	110
PID 3044 wrote to memory of 2100	3044	chrome.exe	110
PID 3044 wrote to memory of 2100	3044	chrome.exe	110
PID 3044 wrote to memory of 2100	3044	chrome.exe	110
PID 3044 wrote to memory of 2100	3044	chrome.exe	110
PID 3044 wrote to memory of 2100	3044	chrome.exe	110
PID 3044 wrote to memory of 2100	3044	chrome.exe	110
PID 3044 wrote to memory of 2100	3044	chrome.exe	110
PID 3044 wrote to memory of 2100	3044	chrome.exe	110
PID 3044 wrote to memory of 2100	3044	chrome.exe	110
PID 3044 wrote to memory of 2100	3044	chrome.exe	110
PID 3044 wrote to memory of 2100	3044	chrome.exe	110
PID 3044 wrote to memory of 2100	3044	chrome.exe	110
PID 3044 wrote to memory of 2100	3044	chrome.exe	110
PID 3044 wrote to memory of 2100	3044	chrome.exe	110
PID 3044 wrote to memory of 2100	3044	chrome.exe	110
PID 3044 wrote to memory of 2100	3044	chrome.exe	110
PID 3044 wrote to memory of 2100	3044	chrome.exe	110
PID 3044 wrote to memory of 2100	3044	chrome.exe	110

C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
"C:\Users\Admin\AppData\Local\Temp\setup7.0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
  C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb27b4cc40,0x7ffb27b4cc4c,0x7ffb27b4cc58
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1964,i,6608781270075531799,16884870113346067875,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2000,i,6608781270075531799,16884870113346067875,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2308,i,6608781270075531799,16884870113346067875,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2292 /prefetch:8
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,6608781270075531799,16884870113346067875,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3228,i,6608781270075531799,16884870113346067875,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4608,i,6608781270075531799,16884870113346067875,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4896,i,6608781270075531799,16884870113346067875,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4940,i,6608781270075531799,16884870113346067875,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:4628
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff7f6f54698,0x7ff7f6f546a4,0x7ff7f6f546b0
    3⤵
    - Drops file in Program Files directory
    PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4684,i,6608781270075531799,16884870113346067875,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:2904

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb27ed46f8,0x7ffb27ed4708,0x7ffb27ed4718
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:8
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2692 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6476 /prefetch:8
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3144
- C:\Users\Admin\Downloads\GoldenEye.exe
  "C:\Users\Admin\Downloads\GoldenEye.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:3572
- - C:\Users\Admin\AppData\Roaming\{a3aa137c-f466-43cb-b663-d50d14f3a74c}\rekeywiz.exe
    "C:\Users\Admin\AppData\Roaming\{a3aa137c-f466-43cb-b663-d50d14f3a74c}\rekeywiz.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:2980
- C:\Users\Admin\Downloads\GoldenEye.exe
  "C:\Users\Admin\Downloads\GoldenEye.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:380
- - C:\Users\Admin\AppData\Roaming\{c2aa3851-5b4c-4bc5-ba5e-cdfeab54cf63}\certreq.exe
    "C:\Users\Admin\AppData\Roaming\{c2aa3851-5b4c-4bc5-ba5e-cdfeab54cf63}\certreq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1676
- C:\Users\Admin\Downloads\GoldenEye.exe
  "C:\Users\Admin\Downloads\GoldenEye.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:564
- - C:\Users\Admin\AppData\Roaming\{62f0e3d9-0d83-4ed0-807c-f7b564fe1b48}\RdpSa.exe
    "C:\Users\Admin\AppData\Roaming\{62f0e3d9-0d83-4ed0-807c-f7b564fe1b48}\RdpSa.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4548

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {374DE290-123F-4565-9164-39C4925E467B} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
- System Binary Proxy Execution: Verclsid
PID:4604

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {3ADD1653-EB32-4CB0-BBD7-DFA0ABB5ACCA} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
- System Binary Proxy Execution: Verclsid
PID:1584

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {A8CDFF1C-4878-43BE-B5FD-F8091C1C60D0} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
- System Binary Proxy Execution: Verclsid
PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

System Binary Proxy Execution

T1218

Verclsid

T1218.012

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
51de2f21eec6bc1995d6955af076cb60

SHA1
aecdb0975a6eaa27a945525ae3d463b19ffcb23e

SHA256
fe40fd835a8c6c00738dc72a543de57517309787d71726ce926b3ab706c629d8

SHA512
8798c95dc484f14eeed6487154d46132a0028486a5a03817bb639a586a2860f7e8cc0d0d70aebf75c6b394f467b85c1c5a49d1e602755d11caa5bdcb88dff9d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
542311ec754c861fd44a63e4530b4c69

SHA1
88d1c853ef05b89965bd8e723983597976af9e9d

SHA256
9087cb785b73a80858e56cdfa414ff3bb661d4038452c32829b5e259572cf889

SHA512
279c9737fec38cf9c67fd2a051043daa19905ff315954a8643a40b7e1d814301869e5db67dd85a27899178d5af58055a02081dc4f3fb4530fcd63df3c44f7d95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
3f015ce2b36a0c678471c5f2634e7b4a

SHA1
38d8de4942bc4d81abf1d26eeb33287a7b8d5820

SHA256
ac3905d3dc49abe52c27b56e732c01277c7c3d77852599f949dd7ab64b19f522

SHA512
f2f9982eaa4e61b34275b0a20327497dee456026296b286f52cddb76b27c0b3c89a730afb3e8ab5e265a7a0f279729c18faea40ee55308e152f01044a408ea9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\1920a506-1afd-4fa3-949d-61a572521271.tmp

Filesize
2KB

MD5
0004092dfb1129ecbdb8dc64278af8bb

SHA1
2c9c078e7765943c7f8e86cccb37c8b9afdb73b9

SHA256
051ea75357af6bfd98f71736fd6aa85a8a7a1d0635e990b1db9d96222e2e2f44

SHA512
285d8e0368653fff3989ee51c8cbe6845c724f74f866211df1787be733e5f18d8a61b8e8000772b44073c7d3d9e9e7115ee43f253b89de727a7b9eddf45e3b45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c011e62ed1659a159c460259fb59b064

SHA1
e95e7becfe6e436349a1e7db1724d392728514ff

SHA256
3cac6af51ee1b478a115545094118c37fad69b712de6a44c866b7f71293660d1

SHA512
2ce85296adf7c14a14ff38051eb383efd66356c36154b60555e7312ee99aba4dd7884db0d02ada8f2e332f417209a0c2bd036a355f4f837a21cfddbb4627fe7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a5e147e859f854e64e740cd32247ad60

SHA1
3092cc898d16ddc356dbeb9d8541250dc68b900c

SHA256
b5038f246dd93ae79ae288b34ede5d6d37c757aae09c8666ea5b923da8c84c8d

SHA512
10a821be5fc02bbc939edccdb06b3c45dc83799d905db70ac39e26ac6ed9530a6e1351d493077c614a36ac9dbccbdd1ab0f9a8e2cabab80e4e762844c7a96940

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6d34fba3c51ca56e519924dd0c86d6b3

SHA1
339d8397a84afc165d6c6467f9ba081c0864d594

SHA256
a7b02b4eaa11165d2185368d98a34feaaeabddb67d6f4ff9cad82557e04e8d15

SHA512
bf3711d8c1cc242ccc82cbdd2de2fc7adf89890c36a1ed67ce4fc46273a3b9194d28d63c4c11f09436237f2a84c86e94be4f74a93d0f45e25fb3298f4ab65d0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f5f2e6de426afdb78d0e506f4ffb1979

SHA1
1abb6967aaffc87a46afb0e00f3878e0e944f5c6

SHA256
5bc3cc9ba74d77095da872ac68d327f3e2b06a5960ecf9ec16237388aa3b0afa

SHA512
f50789356a0ebeef0f3af236a041741b6856f9f68d77f0ec80cda7fa388b11afce1b6ffce0373c3094a54ab9829fcddfdc4315e533407f29de089b875d1cc5b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
3badc5af86e7da3bd5cfb797b747c885

SHA1
3409040114b91555ccb32706bbdb03b983b7f324

SHA256
adcd95ded55e7d0129442ea42bc15f1a995fe97086fb617a05d01a1653ffa109

SHA512
ffcdd54ade46788509a4fd44c8f293d379f13e05925a75d6ccf3faf56cabfb014417e164797d00b1699ee26b8beff4adab96410da190cf9dcc21ef308e24a494

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
eceea655fa1cf6b339fd1c9f2f81060f

SHA1
fd08ebfccf51f53f273cf548971a3133614b882c

SHA256
6a8e97835296137dab057924aaf0de5c3e9a1caf107a934e8be67f305d1451ec

SHA512
74398213fd3e213f241ef80027e526e40c537ad722817b30e947f82d360c717270b1a5c4b96c19cee4dc3f3bbc0bff5bb26aeac0b7c939cba349be4925f81f87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
15754159972ace562c97941b1a3787c9

SHA1
1008661721d81e1488faf97fed57796c05c2397f

SHA256
eb852d3dc20ea5308ec796e8476bcec0fe514eb0918ba3a1dc4bc300e8e42a61

SHA512
292c057691a87ff93adb3b4e609ad3521bb8bafefccfe5488fd5ef584da3e85ca6951bec73a56cfdcae2345ff515f37d3ce17efcb9448cd9c0af87d52f03ee4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
abf4ccceab3902cdfc96ec26747471b6

SHA1
f4dcf0d9673915515a3e8554fe4300b2e1b1cf6c

SHA256
3bb9314a86308fe67753226285ecbd9b8f5fe6aacf6209ab0516f1fa45f436ea

SHA512
b1b0dcf42e8ad9ff759817772b50b9f6b82c2784f8c64a34b7df4e744faad8b2474d5fb598a18d0858a8bbb6e72f671bbec8b120aff581fddb5359c7dc702839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
68KB

MD5
d4db8e09c45049ff25b0c75170df6102

SHA1
6d1f07d1556a132a4a794e29df8455cc271f05a3

SHA256
381473cd4e59e55dbacd388d552dcf27ebb82e7c8ddf315262a558fb25b3f742

SHA512
f78a68b51982e6f2cf25b12b3e24195a003f9c2d8ea84f7b5ab0ed3a70a5f2c7ed97932bcf5b30be57db7f6133c9b8f1744f801ee2bf4351b6fba5527cc1b51f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4d32531bdcf5c2d3de1f651af16ee1c5

SHA1
150d2b99d67a132c0c685395ad36c2526c313103

SHA256
fbd8ca4e0d2d438346f22382fca62d1a1ad59e92abdd7da836309a4cb8b0c576

SHA512
c5eea33e87e268f36702c1ef762ff61ae5f486784bc9295a7d2beb418240256156dd9bae88976d232d677d2240d07e1dc607a738eacaf619aef68cc61b413a4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
6896fa18ab6679e98fb90326d6dd29b0

SHA1
109f934f1bea6b4a06d36871d0b09cfac5854e7b

SHA256
1413881a10438fe4b6125e39c0932787fe43ef0780bdd52d60d4dc9a3dda3e73

SHA512
fe3ff6eb373fb385d41ce59dbd0ef8aedc240bf89088c88336ac0ede70a1d1098352d706a9fdaee7c205c1ce6a219939f6c9cc51b5ae3c855aa67cccdf546196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
857B

MD5
8345ed49d6e1e64e71353a947a17bb60

SHA1
f40128d3f0b7206615dadfb089fdcf73f28b0db7

SHA256
1c39035ece0c9810965c1131417762168832e5075f3a1925a2ad64967aa355ef

SHA512
90dc7e5b02d4eeca1ccccd45a2c9f5681d734923c64a7e731229bd53753344904b122426f6365063a2abf292168aa7b842f4d7183e012e7dab232e3ec23a0566

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
33d6def2cfb741da0218e6e621818cf8

SHA1
75eb855dda219201e84f708a90a175ac80399158

SHA256
d3aaf4b9dd245dd880269ec9727607d81e6c74b3a9e5cece615febdde7c6d7fd

SHA512
1bb4d54cc2bd6fcb562885d492a7a1faa695d6a3f9ea8561975ce8f983028172386675323f40a193465c84c79123483a28c02eafe3d409919a7f626d360df849

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
83741b84e9a8eee2b5301ee86f9ec5c3

SHA1
348559c29ef533150f7c31557071956ce3b190d6

SHA256
e21cd53b1b999790a39480b57a7fdc02e9de0d1077c95ab22ae885d971ce9c38

SHA512
f94973c3d43defa461aa8d0e4e3c0d61d7696957e3750f42c33c60bcbaa5d6442175cd67f075cb1d4adc610acf6b4a97ee493466a1231fdc98a4070e107f0e59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6d417d85f2034d47072b2867954cb393

SHA1
8252f10b1dff6997bb089fb820242520cd10162c

SHA256
f7591d349cff1dd5c8d58613450573959f8194eb5e1a27e4f5a560e263e4fe84

SHA512
b5ed5b9789aeca63c5da6a3e9330a5b294c858037b5a632a331d16a1b6d886f2c409825b21d0be6e1bea2415e90b447355b0d62a1d5c414905eb12b75fd380e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7243b0bffe4f7343cb826e822efca0ec

SHA1
ea7a52d666d7120fba16275c5ad3fd963ca9ff62

SHA256
57eda6c6bb0adf36d8b5249a08d2b3f3c07790bd69cd74327dec1a01e7e23ceb

SHA512
500463b04f3e7763dbe971f24b3697d8f2b6aa719038d3f282fe1f27cc912e76839b9b0fdf567b6c522d937042d9e4898f99af71d5ec68106f8ed4bc4d40a97f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
71cca35a78e17e90a87098229b748931

SHA1
a3056f7dee3f35414f84187c3a7866ec9bba8433

SHA256
209ca45aa4c6323805a35fc20d5f71dfb84d2776b6742cbfb25ba5e165abf7be

SHA512
06f5fb075033cda61c717629879a23189c3bc11662f2ae3c1a3fe5ff387d191be096001db854e477bc5274141613486a72caf1ad540a60d8fd6895a0bc777fc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f3f3fa30cfe93ffb52100e4dabc5725f

SHA1
46809ccfe7c81990491d037335a899f191bde951

SHA256
b1b9c66369f321183ce65b5f98b602bfa211c3ed61d4eb24dbde3eef25f9eb5d

SHA512
b6dd1562b972023b7e4f58ac2b1652873f7d0939bb0054819696ca3001d2725278a0fdbf487851d0d9873adfc14a12b26fd67e736c2a9c3b533ecff6acfaebbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bb971e3ec51a2fda548409b8c81d2a71

SHA1
d37048a831d0e436db0b0661560e3b4e9d986a55

SHA256
ab47781404d7af4166c3e5058d4e2d81e38d5c944d8f8b67aaed4648e5fbd689

SHA512
bf114ccd790b662dfc0cb37a58dc9536fdc03f9d36eb86b8e91f43cc19dfb8f27ea22a4b7254fe2e874d0eafd504e405efc387ade093bac692ef7e8356e7acd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cb2fe141be981150e8511afd1249e383

SHA1
cc4c7615793fb527dded859552f38cf77c88a68b

SHA256
af81e1401bca4536d61c410ee1c18087b0babde3d95d7deada35fc6d791c8752

SHA512
2ea0d408b1934b7189e0921d3215664c46db6ac8311fe3d517b742a5261fa4e7f7e796c6a1c5cdb927ccaf1e83788872636b3632faab7df3c6ba2f72d30aedeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9bf40c2e250f7b98f2e64e09b3c9eacc

SHA1
b2de41cc7d6e2b3e74d9b16b3fd18bbb7fdfd3f6

SHA256
c6ce8589e303081c9f5d284c86bbd78dffa11f3f131f64369fb9dc226abd84a1

SHA512
bee97555b92111f78bf467abc45482a2c96ce74648ddbab53171928ec4c3f1ca173743104a547bf2cfa8daec3f876f8fe145e0a39d77ff256362c846f602a259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593f90.TMP

Filesize
536B

MD5
2d11d70872e553e5ded2bfaaede4136e

SHA1
05248a037491220ecc8f47d4aea91111fe21b6d9

SHA256
7e326d6c196698561ed2b286071e2b29af4953086f298615e476322aee617b4f

SHA512
81abbfe30ccbe6255c290d4dbd4f814514bf0be01e85151f49ea874e47fecde06051d3f807182212c79fd6d665a4eed8c79d17f9ec7c151d04148a825bc23f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
06bb8aa05b2c8f7bc2dad70ebad6bbe7

SHA1
e00437cfbf9e8fac2fa04ce12b075530d24142ed

SHA256
e4d9545f8e3e5915a7a40edf6324fb046b052c91b9624f829249207ef35e3a1b

SHA512
f1066e3df7815e5f01e8d93e15678c9fae696295c7058f64aeec90462bb32d97a7b6c33856f5195dfa0ddad7fc5be512f62032bb9e8ce6942b8280d235a71c15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
aa174cbbbaa644b6fc64f25a2fecac4d

SHA1
f6da205013e8a2fcbd400c38e6dcb737fae065c2

SHA256
5141d75832d648c384e562964bc1590942955e4dcbc4189834d182f5890656ca

SHA512
47625964f3808b5640ce34a8bacfd35c1c2110ba5208bc4ab0e9184134884474dfc8bc0f3535666ffdcfe8c7fee045347067e9afbcafa8f04bb297d0bc7d7e13

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\container.dat

Filesize
118B

MD5
964beb469569586a1028b02f58bdbb40

SHA1
6844b37226297c481c2b03a94eb3734faf69c4cc

SHA256
7e5b2c0b02510cfafb7abc76318bab53fb2c9c113bbacfcb27ff06c63bcf4abe

SHA512
5fec4ad84fabc0e8e170d430dab0463ecfb05586192613af3c25883f12727543f2e244a2a07e45fbadbc32fe37d5674baf3fde28dc80fb7528f0c700f782c2ad

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{5808aa44-cfcd-4434-93ba-c99287f8eccf}\0.1.filtertrie.intermediate.txt

Filesize
1KB

MD5
0502cb887fa0178cc3a03b09b7c14108

SHA1
fd45e8ce4940f7ab71edc7329116211f9684c420

SHA256
60f7b585e886c7b00c926e19d598048148aebe540a3ef961ee7d209dc275a1e5

SHA512
f4b03fad2ba049e50f709f1a3e6c3c732a5ba99f0e323f3d05f483254cb8960d8b1f49c793dc1123ff04eaa9d8f890b922dbe0e7b89fa6729cc57fe02456fc5f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{5808aa44-cfcd-4434-93ba-c99287f8eccf}\0.2.filtertrie.intermediate.txt

Filesize
1KB

MD5
2a999fc1662935be19777c0fabbf701d

SHA1
e803cca3b18284bf839a0224ded2742baa1aa169

SHA256
4c2ecf6f3cbeb645a05b0e39c12162f623010bd70f94e1e9dedd6aded17baf58

SHA512
8eb40d76d9d798004415eb1675d4bf6bba10258bb1f3475fe55f6e371de03063f0a1fc3875a6ebf1f7e049c8f25e2b38bbfb298af0c268090016063263715bad

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727661992394667.txt

Filesize
78KB

MD5
5f3bf9505d48774e0e25d515f86f868e

SHA1
b2b006eb189e7f9065d58f2095db1ce828b0ace7

SHA256
6767593cbc8fe7d3f67d3bdd859e754fbfab7dbec8190692d5a260bb8b80a708

SHA512
0b79f221a4c619feab9e1e06568c91d1c169803457cae98417105ac3dbf78d67c97d142af85d2820401f54af29ffb214d76bef6291ba78e0984b6dd36e56f6c6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662487357744.txt

Filesize
48KB

MD5
b6c831d314403d989888c0ba0ee69571

SHA1
766a0fcad39a988d21658fc0a28cf3df045a5171

SHA256
08d23cceaa792bc9b1cf13d79d1ebd6840d27c74cdd5d5dcd12676770bde700a

SHA512
6b3a7ff00ecfdc2a6fc55f4fe69182886972d222e774f404b1f5bcbf5c4c633d98c74bd752760a3247ba290a2df61acd2d74e9cbe007c1146ac566e15f1394c1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727667722373689.txt

Filesize
64KB

MD5
f7f5fbce87b741e3fd7032b3bfd2ec4c

SHA1
f43c9872e36fdaf4692cbfbf5b3f14c0ba96b329

SHA256
3ba3ee38f95091af4356d65ff1cf78c18ffc5a1c7ee6a20f92474a966b5d4ea4

SHA512
f1fe3d356a19b51c3c366c9323f02747cc06ce40a8aa07799853a01cf16c3d4f8d37e227fb32499ca82a498f634aed672c1fb68289846d516bdf6226a3a027f3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727670771168387.txt

Filesize
75KB

MD5
d0ccb4319a3423b0950d1564eebaab27

SHA1
f77ada663b909c5567b244a9c1d7ef584855139a

SHA256
75ae85316a6ac819f16da360fbee791c5d4db329c13e733fe36f5b05c8330d85

SHA512
a2bc6946da70ea1607d9028682e30741cded94e7c556a5463b438311f0423005b2d5bb78eadf1345e1419d819f17d9865f5b80c4bf12e67af5d897201fbd4978

Download Submit
C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\Settings\settings.dat

Filesize
8KB

MD5
cb006ce5c28a78bfdffdc1ceda76609e

SHA1
6f1114e0c64b3fc5f82ef104fccec134c28071b1

SHA256
be7f5db2ce7018b06d75c18a7c513b50bbf5711cd57859ee6336f3e70e7a5b0b

SHA512
2b444d0b8d8a2dfde04b736ccb474f403d32777ebc5b4ae635f0a794bfda35ece31c6d4f5f04d3b8a3a6375b313c067b4d07c17d483fd06d0e5959c0926cac16

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 608406.crdownload

Filesize
254KB

MD5
e3b7d39be5e821b59636d0fe7c2944cc

SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

Download Submit
C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Filesize
778B

MD5
797187a51acaea8a180fdff7ebf38c32

SHA1
2be81d63f648e58fbef7070dc74a93f5246d87b1

SHA256
98feedf9a97bb9b8549f57ef2758874ddd7982d309b043c3b9db4527780d3835

SHA512
ccf1ff7b4e4548bb988e649a92ac94c1a5485089c61310fbfd62757a61457bbdb8c6a5a673ee0e1177206b8d6787277a0ef7021f7a0f3f6387ea6e32caeac102

Download Submit
memory/924-46-0x00000222FDE20000-0x00000222FDE21000-memory.dmp

Filesize
4KB

Download
memory/924-47-0x00000222FDA50000-0x00000222FDA51000-memory.dmp

Filesize
4KB

Download
memory/924-41-0x00000222FDE20000-0x00000222FDE21000-memory.dmp

Filesize
4KB

Download
memory/924-40-0x00000222FDE20000-0x00000222FDE21000-memory.dmp

Filesize
4KB

Download
memory/924-39-0x00000222FDE20000-0x00000222FDE21000-memory.dmp

Filesize
4KB

Download
memory/924-38-0x00000222FDE20000-0x00000222FDE21000-memory.dmp

Filesize
4KB

Download
memory/924-43-0x00000222FDE20000-0x00000222FDE21000-memory.dmp

Filesize
4KB

Download
memory/924-72-0x00000222FDCA0000-0x00000222FDCA1000-memory.dmp

Filesize
4KB

Download
memory/924-37-0x00000222FDE20000-0x00000222FDE21000-memory.dmp

Filesize
4KB

Download
memory/924-36-0x00000222FDE00000-0x00000222FDE01000-memory.dmp

Filesize
4KB

Download
memory/924-4-0x00000222F9740000-0x00000222F9750000-memory.dmp

Filesize
64KB

Download
memory/924-20-0x00000222F9840000-0x00000222F9850000-memory.dmp

Filesize
64KB

Download
memory/924-71-0x00000222FDB90000-0x00000222FDB91000-memory.dmp

Filesize
4KB

Download
memory/924-44-0x00000222FDE20000-0x00000222FDE21000-memory.dmp

Filesize
4KB

Download
memory/924-70-0x00000222FDB90000-0x00000222FDB91000-memory.dmp

Filesize
4KB

Download
memory/924-45-0x00000222FDE20000-0x00000222FDE21000-memory.dmp

Filesize
4KB

Download
memory/924-68-0x00000222FDB80000-0x00000222FDB81000-memory.dmp

Filesize
4KB

Download
memory/924-48-0x00000222FDA40000-0x00000222FDA41000-memory.dmp

Filesize
4KB

Download
memory/924-56-0x00000222FD980000-0x00000222FD981000-memory.dmp

Filesize
4KB

Download
memory/924-42-0x00000222FDE20000-0x00000222FDE21000-memory.dmp

Filesize
4KB

Download
memory/924-50-0x00000222FDA50000-0x00000222FDA51000-memory.dmp

Filesize
4KB

Download
memory/924-53-0x00000222FDA40000-0x00000222FDA41000-memory.dmp

Filesize
4KB

Download
memory/1196-1-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1196-2-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1196-3-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1196-0-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1676-1050-0x00000000007F0000-0x000000000080A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads