rhadamanthys | 9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae

Analysis

max time kernel
202s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm.exe
Size

456KB
MD5

515a0c8be21a5ba836e5687fc2d73333
SHA1

c52be9d0d37ac1b8d6bc09860e68e9e0615255ab
SHA256

9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae
SHA512

4e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522
SSDEEP

6144:2uWP/BtSnurUylcrGYlnIttxv8HbcLgsd1Gus5psdrvV44dixP+MHDkBYdxtG9+V:2uWP/BZUyoLu8Agsmxwrvejkd2

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 4 IoCs

resource	yara_rule
behavioral1/memory/4700-14-0x00000000023E0000-0x00000000027E0000-memory.dmp	family_rhadamanthys
behavioral1/memory/4700-15-0x00000000023E0000-0x00000000027E0000-memory.dmp	family_rhadamanthys
behavioral1/memory/4700-16-0x00000000023E0000-0x00000000027E0000-memory.dmp	family_rhadamanthys
behavioral1/memory/4700-17-0x00000000023E0000-0x00000000027E0000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	systeminformer-3.2.25011-release-setup.exe

Executes dropped EXE 3 IoCs

pid	Process
3104	systeminformer-3.2.25011-release-setup.exe
5172	systeminformer-3.2.25011-release-setup.exe
1488	SystemInformer.exe

Loads dropped DLL 11 IoCs

pid	Process
1488	SystemInformer.exe
1488	SystemInformer.exe
1488	SystemInformer.exe
1488	SystemInformer.exe
1488	SystemInformer.exe
1488	SystemInformer.exe
1488	SystemInformer.exe
1488	SystemInformer.exe
1488	SystemInformer.exe
1488	SystemInformer.exe
1488	SystemInformer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 47 IoCs

description	ioc	Process
File created	C:\Program Files\SystemInformer\Resources\CapsList.txt	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\Resources\EtwGuids.txt	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\x86\SystemInformer.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\LICENSE.txt	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\ksidyn.bin	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\ExtendedTools.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\WindowExplorer.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\UserNotes.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\x86\plugins\DotNetTools.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\systeminformer-setup.exe	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\dbghelp.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\SystemInformer.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\NetworkTools.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\UserNotes.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\x86\SystemInformer.exe	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\ksidyn.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\DotNetTools.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\HardwareDevices.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\OnlineChecks.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\ExtendedNotifications.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\ExtendedServices.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\ToolStatus.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\Updater.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\dbgcore.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\ksi.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\peview.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\SystemInformer.exe	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\x86\plugins\ExtendedTools.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\x86\plugins\ExtendedTools.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\NetworkTools.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\Updater.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\README.txt	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\SystemInformer.sys	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\ExtendedTools.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\HardwareDevices.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\peview.exe	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\DotNetTools.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\OnlineChecks.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\x86\plugins\DotNetTools.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\ToolStatus.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\WindowExplorer.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\Resources\icon.png	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\Resources\PoolTag.txt	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\COPYRIGHT.txt	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\symsrv.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\ExtendedNotifications.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\ExtendedServices.sig	systeminformer-3.2.25011-release-setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminformer-3.2.25011-release-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminformer-3.2.25011-release-setup.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	XWorm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	XWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SystemInformer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SystemInformer.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133815999543385708"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 26 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5a00310000000000315a5478100053797374656d33320000420009000400efbe874f7748315a54782e000000b90c00000000010000000000000000000000000000007ce16a00530079007300740065006d0033003200000018000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 560031000000000047596c4c100057696e646f777300400009000400efbe874f7748315a55782e000000000600000000010000000000000000000000000000004c07dd00570069006e0064006f0077007300000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 234380.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2300	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4600	taskmgr.exe
4600	taskmgr.exe
4700	XWorm.exe
4700	XWorm.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
2536	msedge.exe
2536	msedge.exe
4600	taskmgr.exe
4600	taskmgr.exe
2148	msedge.exe
2148	msedge.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4552	identity_helper.exe
4552	identity_helper.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4600	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 45 IoCs

pid	Process
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	4600	taskmgr.exe
Token: SeSystemProfilePrivilege	4600	taskmgr.exe
Token: SeCreateGlobalPrivilege	4600	taskmgr.exe
Token: SeShutdownPrivilege	4700	XWorm.exe
Token: SeCreatePagefilePrivilege	4700	XWorm.exe
Token: SeSecurityPrivilege	4600	taskmgr.exe
Token: SeTakeOwnershipPrivilege	4600	taskmgr.exe
Token: SeSecurityPrivilege	4600	taskmgr.exe
Token: SeTakeOwnershipPrivilege	4600	taskmgr.exe
Token: SeSecurityPrivilege	4600	taskmgr.exe
Token: SeTakeOwnershipPrivilege	4600	taskmgr.exe
Token: SeDebugPrivilege	1488	SystemInformer.exe
Token: SeIncBasePriorityPrivilege	1488	SystemInformer.exe
Token: 33	1488	SystemInformer.exe
Token: SeLoadDriverPrivilege	1488	SystemInformer.exe
Token: SeProfSingleProcessPrivilege	1488	SystemInformer.exe
Token: SeBackupPrivilege	1488	SystemInformer.exe
Token: SeRestorePrivilege	1488	SystemInformer.exe
Token: SeShutdownPrivilege	1488	SystemInformer.exe
Token: SeTakeOwnershipPrivilege	1488	SystemInformer.exe
Token: SeSecurityPrivilege	1488	SystemInformer.exe
Token: 33	4600	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4600	taskmgr.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2300	explorer.exe
2300	explorer.exe
2300	explorer.exe
2300	explorer.exe
2300	explorer.exe
2300	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2344	2148	msedge.exe	104
PID 2148 wrote to memory of 2344	2148	msedge.exe	104
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2468	2148	msedge.exe	105
PID 2148 wrote to memory of 2536	2148	msedge.exe	106
PID 2148 wrote to memory of 2536	2148	msedge.exe	106
PID 2148 wrote to memory of 1028	2148	msedge.exe	107
PID 2148 wrote to memory of 1028	2148	msedge.exe	107
PID 2148 wrote to memory of 1028	2148	msedge.exe	107
PID 2148 wrote to memory of 1028	2148	msedge.exe	107
PID 2148 wrote to memory of 1028	2148	msedge.exe	107
PID 2148 wrote to memory of 1028	2148	msedge.exe	107
PID 2148 wrote to memory of 1028	2148	msedge.exe	107
PID 2148 wrote to memory of 1028	2148	msedge.exe	107
PID 2148 wrote to memory of 1028	2148	msedge.exe	107
PID 2148 wrote to memory of 1028	2148	msedge.exe	107
PID 2148 wrote to memory of 1028	2148	msedge.exe	107
PID 2148 wrote to memory of 1028	2148	msedge.exe	107
PID 2148 wrote to memory of 1028	2148	msedge.exe	107
PID 2148 wrote to memory of 1028	2148	msedge.exe	107
PID 2148 wrote to memory of 1028	2148	msedge.exe	107
PID 2148 wrote to memory of 1028	2148	msedge.exe	107
PID 2148 wrote to memory of 1028	2148	msedge.exe	107
PID 2148 wrote to memory of 1028	2148	msedge.exe	107
PID 2148 wrote to memory of 1028	2148	msedge.exe	107
PID 2148 wrote to memory of 1028	2148	msedge.exe	107

C:\Users\Admin\AppData\Local\Temp\XWorm.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffeeff546f8,0x7ffeeff54708,0x7ffeeff54718
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=216 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1876 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6852 /prefetch:8
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
  2⤵
  PID:5484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7024 /prefetch:8
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
  2⤵
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7064 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,1486567099828331250,14296149934051091813,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7040 /prefetch:8
  2⤵
  PID:5392
- C:\Users\Admin\Downloads\systeminformer-3.2.25011-release-setup.exe
  "C:\Users\Admin\Downloads\systeminformer-3.2.25011-release-setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:3104
- - C:\Program Files\SystemInformer\SystemInformer.exe
    "C:\Program Files\SystemInformer\SystemInformer.exe" -channel release
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1488
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" /select,"C:\Windows\System32\sihost.exe"
      4⤵
      PID:5288
- C:\Users\Admin\Downloads\systeminformer-3.2.25011-release-setup.exe
  "C:\Users\Admin\Downloads\systeminformer-3.2.25011-release-setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:464

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2300

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffef103cc40,0x7ffef103cc4c,0x7ffef103cc58
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,5907996454885798464,9952599034274330279,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2192,i,5907996454885798464,9952599034274330279,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,5907996454885798464,9952599034274330279,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2460 /prefetch:8
  2⤵
  PID:6088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,5907996454885798464,9952599034274330279,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3260,i,5907996454885798464,9952599034274330279,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4512,i,5907996454885798464,9952599034274330279,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4816,i,5907996454885798464,9952599034274330279,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,5907996454885798464,9952599034274330279,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5160,i,5907996454885798464,9952599034274330279,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4924,i,5907996454885798464,9952599034274330279,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5164,i,5907996454885798464,9952599034274330279,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5200,i,5907996454885798464,9952599034274330279,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5492,i,5907996454885798464,9952599034274330279,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5180 /prefetch:2
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5664,i,5907996454885798464,9952599034274330279,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:1192

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\SystemInformer\SystemInformer.exe

Filesize
3.3MB

MD5
c21b9f52e195471f3978df692c46c714

SHA1
f64ab91451fd761b690d070a007b72c309447304

SHA256
0684d5382c346850eb2378caaa73606671ca579dda624c3d4d042ad514a50b32

SHA512
c995a8ad39a1f77d808359554f35f7df7ce8f0382c1aa6cda731bd645bd1c46ea4ab0b56fe7818bb9249d007fb695dc40f84680cd2c5f9c26ba5ac54b34c5b22

Download Submit
C:\Program Files\SystemInformer\plugins\DotNetTools.dll

Filesize
197KB

MD5
9e7c936f72caa3b7dfae0257368a2c64

SHA1
57983264011f7b905d4cbcb401aa5a67c5b2c8a7

SHA256
87ec8a69759dd320fdcab90266623593db49cb20313181553a2ecf3a1cab0715

SHA512
a9aaf9eeead9e951a44f6af83e9e106f1dbcf1a2d211ad575d12509690555f91deda8430e5812d13b750f895ec9f6336b6a88822919e22e32cb90ecad3a6e3c8

Download Submit
C:\Program Files\SystemInformer\plugins\ExtendedNotifications.dll

Filesize
148KB

MD5
0a13f312b2adac92056fef7e50406095

SHA1
dc1527bff0e4eb71b2396706b3c91b3604d6b9a6

SHA256
bcf2ab73e375aa67db089de7bcf49c718dd5da915c5e9d79f97ef6bc1437198f

SHA512
53cdcf158d43050c7e2106cb8cc1554bf3bf4e3bf81e56112f685a564ec27b90039788dfb43b3b469ddd875ccaab2c1bd89ed70e2765a6545d49efa2579d0011

Download Submit
C:\Program Files\SystemInformer\plugins\ExtendedServices.dll

Filesize
197KB

MD5
ef110f47f5b2eaa7fb338d8689f0b214

SHA1
657efcd1abea5ffc4e13ab4c188277a24d87cfde

SHA256
26c4d8447aa6e2e7eb6bc45a3ce724b12d9e9fac868b5607270440f9df41d928

SHA512
f59940236e58d221ea68fe611a041a14b23ab7a70b67863d3db1192d26e64ca1d0d0bfbdb5225cf3e74bf1e66637b133e77dfd379540d520889ede7f1f761f9b

Download Submit
C:\Program Files\SystemInformer\plugins\ExtendedTools.dll

Filesize
2.0MB

MD5
7ec2a164acabb32de4af0c551cdae844

SHA1
2b494bb02986a860f1b444d2738ee5f7ef239cfa

SHA256
373a7c6ad487971ba02e415f4b13d73dd94d63e6569e581f64df5d3f2e13fbf0

SHA512
31b256d8e087e0e1d2dda7553ba6de9af89e2459bdff4651bed3b8db214c20fd5b535ae6bb12f4d9eeb8ca645f6e95604478521947c3d2e98c078fe8eb0b6681

Download Submit
C:\Program Files\SystemInformer\plugins\HardwareDevices.dll

Filesize
346KB

MD5
91c13a046afaa86c4068e4a78eb8950f

SHA1
816ae864bc592c92923c93ceb06f12582c084d2d

SHA256
57306fe197c9dea97b9daae7028ec048c411ebfe9d1d9e473b967ed24ca1b8a5

SHA512
1c02cf9be70990377ef508ade9510b9952f766b615e25184f200f8dc6242e98161dc0a29a347f78eae452396acfdad24804c61f7a0ad712ae6d9eb9d72ae1bdf

Download Submit
C:\Program Files\SystemInformer\plugins\NetworkTools.dll

Filesize
741KB

MD5
58aef8e09368bbf80395f2d47c946105

SHA1
29f245fdd68443f36fc231feb411a160b8136401

SHA256
3fa9007708ac969e2797072cafa1da41373fed463a56b0cef27719a9da192187

SHA512
b4a1234f3d8c332849bd6c5eece93f919702b91489605725756b3db675fffdedf38cf8e943f6a3d82e415cb5f0f5055f2f09fd6e83bc0d899a3ce1f79031752a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DABA17F5E36CBE65640DD2FE24F104E7

Filesize
1KB

MD5
c6150925cfea5941ddc7ff2a0a506692

SHA1
9e99a48a9960b14926bb7f3b02e22da2b0ab7280

SHA256
28689b30e4c306aab53b027b29e36ad6dd1dcf4b953994482ca84bdc1ecac996

SHA512
b3bd41385d72148e03f453e76a45fcd2111a22eff3c7f1e78e41f6744735444e058144ed68af88654ee62b0f117949f35739daad6ad765b8cde1cff92ed2d00c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b98909ec4a72c349b3046030acc984c8

SHA1
cdd188ab95495ea9acdb83e89340f154bcadb317

SHA256
4a8cf5600fca11c2b6f7e55f384db30ab8bf6ffbdcdfb360cacf7d772a6055c0

SHA512
249ea71cf34a7b6afee6de45c8afaeb7936169797eb08a725666b23abc60d67689109b3fa6e77bc5d56d5f6f2476450b6623ac85e7600d489a8e4d570e64e134

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b2063336ffa9d678c2687b95bfebb0fe

SHA1
dfeed75e57e2aef2ff24902fbe413eb03ef47552

SHA256
b76a397ad2ca913fd7d5c0c8982b21a1fa91700bceff4f32fb5eeebbc8dded7b

SHA512
7a46202a12adf2c631c8f2da4203fa5915456bd0fbadbfb63aa31cc1c62c8a5225e6714f1794e8c6523440d4eaaf9324ad3f5a1b6c81d7f6b5886912fecc5bf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
b842ae0a757c56d4edf7fcd6507661a0

SHA1
b4448c149ccf07410562b32a7abcf5a73f3930d2

SHA256
dab5ae463f270bb0530f6addd02aabfa63cd7a60100bdfc6de435a7c6784910b

SHA512
3013131ab6e5f6e0704400c78a955885de85d4ffc13f4c2008cf277bda9de64061f022eae6564c1f3d71f22f065c1513d3eebe0490b21962f9b8af5877d3125e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
26KB

MD5
69b550731f9a789a39d18eb917e43a4c

SHA1
20721285bcc8dfc47777e43b2d94a224469a0b50

SHA256
230bd4129d0d79dd196efcf6d9e8db962c5e750fa539dfb5b72ba43666485066

SHA512
0de48338b7108eb2b9206c57d382c69703f1424788f7c665f44e4ebf8fbc92da8f11d10416c03f37d62c0d72cf760b902ef52f8e41caeb89ec221f0fac76702b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
18KB

MD5
82b03f239b58044f1dc310a32f0f0cff

SHA1
58184e5e351719ec9b10bee1693260f4f34e37ee

SHA256
18a1e3a37e5cb38d38d452d2f0ea83b78b915a507ffa9860cac9c33575a3c105

SHA512
884d2835624980f8a8c4eab8da57f93f3b2de8dc4978070d48ce0df355db8a82c291cc8bb7c42703aa55fa11c7180ece5d5bd1877e77ac875fa6155e64576cd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
152KB

MD5
1ec0ba058c021acf7feaa18081445d63

SHA1
73e7eabf7a8ae9be149a85d196c9f3f26622925b

SHA256
ae17c16afbea216707b2203ea1cf9bdb45b9bfe47d0f4ae3258ddbc6294dd02f

SHA512
16a1b8a067ad4a33dcf4483c8370ca42e32f1385e3c4e717f8d0ce9995ca1f8397b15a63c0cee044c4b0fca96c4b648c850f483eeb1188a20f8b6cbf11d2b208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
65KB

MD5
2c2ea9cfcd1b7831754c4d70892901c4

SHA1
c179c5a26e5ad12ff5656dfeee0631a119d83ec4

SHA256
aadd75136ce4d127af80f7a1979e2c76cada95cdd10817f1b1e40e9bd98b8c80

SHA512
f0eb51a828fb6e281f8152502f58b12df6e9d77c1d1e0ab6883358d7b69ce2850529543d4af150f9b36498438acef12b556550c5fe94d54f5f31fda195c8ec2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
95KB

MD5
599e9afa64f531b784c95a2f22a5e7a9

SHA1
fb7946855e0e7e42642ed968214b302010eb0bda

SHA256
8e2b6652eaa41486e7f89c99ed8efc659fcf3e86d7dc0fd169b806e3fdd41e5b

SHA512
faa80373bbcb53b85a3790980b05c3c84bc964348679922b8881a21d20d6f39f88fc07c6d5b53c7ee851294b515bfb8e4feedf5cc6c290071ea0396055c2a812

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
19KB

MD5
16ea2a01894c38666bc185757b4f1b74

SHA1
435bb15c8de2e0ef76512618ab291da1b40776a4

SHA256
16e88923203a6b50f5a1b4c2c52001720833d07f7f0b1ce1510d42d66c40db11

SHA512
e333308b517a4c647cbb36b429224390a5c1afcaedaba81a7c8d68d88bc48c60a348af07956dbf3de8c7bada355e27128ce10ba3a0aa764bd6d807dd531025d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
53KB

MD5
c599283a2acefd6f92eb528d6670b0d7

SHA1
14c77027dc2db404d2594d1456d38cd6330cd9c1

SHA256
f344dddf49887f44dae483373b77a7c49059a3986add08782fff258786f99b1c

SHA512
58479a5401478bb437e4486703ab3951eb39fe1cad3e55616c2b72fd41f4ada38d0a2d92774a0ed9069b290c262563f2bfc426bc78e67bd01f84bb7f77d74e18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025

Filesize
19KB

MD5
c751d4245070205da09e25c68f9f2396

SHA1
f84e9e597ce88e3dbf09104ce8760c453316db38

SHA256
4f6e46cf32d7e19bbf2f9607a8ea742bc99e142c3157a9c73660185a3278540e

SHA512
322b1b2218fb8e8cfe5edfce0d0326aad1c7cebbe2b44818ef69a710d6f0c0a114b0c09ebb2ffb1df65d91a41e07727e0976f0e07d96f3f7325ed10961724491

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
16KB

MD5
15e99cbba91068813f0b006eb092d46a

SHA1
5dda189459e186aba8bde39ad10620b88df4575a

SHA256
4c3cbecae2ad561a91bcb112c907050f66e90428e77b27bf1b1c9d8a3ef0ef50

SHA512
d8fd2a5be58526bae6de1ffd046301ac88df394f3f7d26e7b5a11b09bff6b66565b1fa6b47d590419f123ff29121f9a3aaf589ec4fdfcc2cad3a91dc9f059459

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
38KB

MD5
632616ff15825f030aab3391a58ef042

SHA1
a9435e095b8a17b6058c9d1e0c8ea53805e20d39

SHA256
d0e12af8c4e560fe89643639e0c3ed4dc76125c62adeb2879b761d73dbaecf50

SHA512
ffcb6cb7713af0499229f6316f762fe119c313e2a3810d8eccda8c005ad664adfc640915970e8d479558e627c875e4fe9e9ccef1a9e2ef3788947657916d1c2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
33KB

MD5
44233c0849ab1e7faaacbe05b1c9b0c4

SHA1
f1610675ef6abcacfa3368286bc4db37719d91cc

SHA256
76c9e9faaa3dcfe7b87f3c8303a0d79d2d76f8bc1042c9dcb164c9a053d41b88

SHA512
2e88cbade9c64a185917eb0294415a3f1ec1d424e9560e2e7e414f0aece2edaa4f494c5467f64cc37e7f688ae364d2110db435c3f33c20c9f9870cf5725bebf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
112KB

MD5
504587d58c86cafe605aa7e175c324c9

SHA1
168cfcee8f1fd32ec2ce3cae7f0c9bb54f7c2036

SHA256
82cf147fcd7614d730537b65f25ec72a25e8f302aa725e8ac5d5258592084f14

SHA512
9e740ddaf7c91a34466ce9cac84a8cda8c98f357fbfcf200efd6770a6d2ba80d3894d1d9ee8b88583cd2b9c6704b93f7ce8e69ba8c51a52b112c9707fd228619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
18KB

MD5
ce4c7d1372a2686ca61a83a53cc53481

SHA1
1fb11b54ce19ae72cd5cc13c0fe28c9f6389a9c7

SHA256
326a1140babd8fbdde8633873c0fd56acb5bd4550f9b285a13d0a1bdc3810ac4

SHA512
79d4f9b24dc9d4b4897b4df65e3a28960bdf64c72f04d0ac565b73c18b5b8b38f6235ad9f28f2c24b698946c56084d7cd9050fce48a78a8c4ff1bafd7d2da7fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
128KB

MD5
e2094ba951762a138808082270412941

SHA1
8080a9c4f15e7ea93ea086d0fc55084d39ff948a

SHA256
42780fa1be39e8a6ce5cd919e80d92c15c98c6aa97f200f846548549bf107846

SHA512
f1c74743f2efb967eac1f02aa3acb7bf95dcc398fd3ce0570466bb4b559ac55868341696fac38961f41fd6f29fffb9f99bfed796e2ca1b110a05ae2201545da3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
155KB

MD5
f58ab33f98dffa842edbff8ef1391c8d

SHA1
7a1c23c3e84a7c68920fb44ae2a61da6303d27f2

SHA256
3eee5335b9fcbc91d0f730966eb41fc52a61b195a0215586b2101b6bbfefd2e9

SHA512
a5e71bcb88f1dfb9529578d0ace0dc10668168d9fd8c79e69403e0ccd21e0760179572f89994208cf6eb90d5101cb270ea891bdc47c6ad57609abbe9feb21ca7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
48KB

MD5
73a453ea5d4a2fb2916473737ffa7224

SHA1
6401625619addf96a9a64c7c3a8c3608b15233d1

SHA256
88d6624cced4fc50d398d759513b1475da2c29dca62572afa65859bea2950dbd

SHA512
8ecdda35045b2ecd76d08c985c87a065a152f7a2119fb50e5102a48f7bd098377ab2f772b19c6049269612a2b4bb3279de94b26f787705b98ad0d9c723e2a29c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
63KB

MD5
34d5015941e4901485c7974667b85162

SHA1
cf032e42cf197dcc3022001a0bde9d74eb11ac15

SHA256
5c166a5d40aeefd0679a14f95e47ff28824e66abba82adfa30be41803cc25632

SHA512
42cef1d6847f535a6e8afc0469b9f5ef79ce4ab21512ac7eeda8ef9667d5f24bb33b30aba9a29824b3d853d41d4addf6bdee2042cf4fbd0a033b61657c671f0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
52KB

MD5
37cbc0f7a790019604fd049f26842e93

SHA1
b95eb8ac7f7708214230a22e603bf623d12c3c8d

SHA256
314e204a2224b625aa39bd9fa55ad282001d343293c129d3e4cf1a0f6ac943c2

SHA512
2b57f639b4a5fa959581d8fdaf1b84022f63cdafb3e68f8d030992d268794a1a73d4ff2e2e74bbe5a7092b92ccfc244a8de106cdb2a6c568110c2f6d7fa1c727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032

Filesize
29KB

MD5
79ffcf947dd8385536d2cfcdd8fcce04

SHA1
a9a43ccbbb01d15a39fac57fa05290835d81468a

SHA256
ffc11b830ad653e7a9d4257c7cd7a8056db5e7d7e89439b8fd67d1207b1729bf

SHA512
3dc82ecb2abc8c567434666a9162cc188de669927c3dada6392d8bd97d5e746f1ed350e1a02ec016ee2b1dc8a9cc5c71c553f2ef1293d6793800c276560859a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
20KB

MD5
6408c37d09ecb7370b4d61ea51a15ad0

SHA1
8fa447851c7db6c2a4e20a13d769ed926daee5d5

SHA256
38c4bb35d2dc312b0e82bf8c5098495fd12d73029dedb6014c8f3ead635e641e

SHA512
5436d6204625fcc424989776d5ceb7fbbe286bd37bf077967289ce336ecea0e1db85f064d51d4a18877cd96be0d20557c682bbf2ccc6e34d6e096557aa357311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
f739587ebe83244252d3c07039f4f332

SHA1
e1a51ac5c6c143bb08375d747b9df7f03ea354d6

SHA256
50353604d205ea99a96ba01c2f9c2f3701361fbe9103c93a5caac40492e4f307

SHA512
6e94e2f7d457d10cb75c6392311c360a13e64fe7c8096149b59a7cc7f67cac4c3a12cf632401c1a9c1464f4be78de144750ee2dfa7b0b9ec2f081aaed250570b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
6917839789ad0f92169cbd69533eaeb2

SHA1
7045adabf371cf7badbb82afb868aa5a83726cfb

SHA256
d05d479cb6b588345c74012639dce0e7b7fbc26ab56f55d717ec9e9be1ab0ffb

SHA512
9f068659cc7b0f223ed65396f2297b6e78bb43d4e5fd604bf1038234ed8950d47eb910708c97cc7c9afd987e6633cbe4e4afedab17905fb0044d5c9ee9053684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
eac3bdbdc8b5af6abd479442bbe6c5c6

SHA1
c687683a478d73c6e58452ad127e7aa593cc7b8c

SHA256
29109ce4ae443fd54adbb830eda82923930e377c8a5a684298bb2a345391c7f9

SHA512
032cdc4c899b1ac0ac85abfe3671f4011457eaaab91c5204dfa6c2da7aeb0e1eb812f8570657e4a271e4ba812a517b28f97176bcd2688a9bd87b3d4ac6ceef4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
51c49c47bc85fec4e9b9552b3c26ed4c

SHA1
224091ce15a53fc8d3fb8e4e5bb2e9c7640c0a64

SHA256
64389741d1e7d36017ca80e3c299e6a47fc05c7ecbb714ff92d0e3c1553b7bb8

SHA512
8e5d8fffc78d0186896c14201cb986ff698f5e5ab41e7c432112ec7e3bc581415d4be93cb0ce478f813f8331132e294a3d015dec9d2a1cf7eb5b37832673ba07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
2f43044007113048274ef3750d3a5e48

SHA1
870389b21daa79969cc9538a56fa6b82c93353a0

SHA256
8b54f971d0294ff3c93f11fc08fd5cf8d8bdcb31040a2585ef0fef70542ea10d

SHA512
025e60c314c059c1517430d149c4b04e3bab4b2762a643b469f3eda75bed561a06ab50acb17cc8f40d7ec252476d7baad41bcd31eea662314fdd7e9605e1231e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
d86b57e2dbf03faa4aa235d10c69c325

SHA1
82de3aff7eb904e147d23c9c0e764a75904369c6

SHA256
b180a26fbddf1e50beb2c52d35d664833b0fb636a2ef66f143071aa209bb539b

SHA512
263a6b5526cb608fd0da1ea28ef950bde19d1158b06e4aa10d3e20f908a53bba63f6da98ecc68b89cd3372a67dd58357be9127a12717640a4ed494aeb44a1822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
ecf31f41cb9c6c93c1f1612ff3c8655f

SHA1
68619f3203bef149f97ab68400328f31514fa614

SHA256
f59ec0fe67127fa949720cb5ee28d3201d9b9a9747937689a86db3755b562a3f

SHA512
02e4f3bdd3b89e35ea86d6b8279f75f0f911234bdfb69559591854fb377f38870f831201e28f0aef6133d63d2e710ffc43e3ffe09d73de321393b1aea66c5f61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
c319ea02ca744ff426a1a99114e9f5ca

SHA1
e6466e63f040a47deea3edfb41b1b36a5a3b7a34

SHA256
0203844cf3eddae207c7a1aeaf0a80e25ec821c0f952d783562fcfbfeedd0556

SHA512
65f9900a5fc85f301fa409dfe20bcea3da814eaacfb9ac03c1e65451ad9f60f97b43ddb21af9d140cba490f2eb6ec44abb8d6ecf300204be0dc4a3afc5723443

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a3b0927048879acbdddad3978b506d96

SHA1
afebfa081e8593647e7e8c221d39a486c00e0d9d

SHA256
54712c85f2a8beabab95953e0d45a943293df7de5208abc8899033cb6659cac8

SHA512
94056e04a17e2c7b288dd673b00473738b728297c934c86d137e8f89e84e0bd267d8f608ae5a9dbb10e7f338fcca4d3ed1d8b06a547c6a6807bcad9c14a2a69e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
67ba0b37c3d808e57f28c477fc8fde64

SHA1
3e506dabaa1e889b902e620bdfded93494fc6d6d

SHA256
f1baee7e129dcc7b7a91a0b52c70cad9aec9f4c7a2b81eeab87d71853985e2e7

SHA512
3e2f007e0ffd3959c2a8a87fd91f70ae29fa55e8f116ce2f4a478e78c2b452a3e897e3d11936951d7d210e6abf43e2a98d93a049dc1c9b010137d567b78be138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fec59c9f109a52992db78d42d510b163

SHA1
1ab0af610c60a02d6748822679042bbd3a4bd4f5

SHA256
a5fd88d76914930d5111b58a245df0e895af3eb7e18386f8bfc8d57231ba46e7

SHA512
2d43eac1729b83285a9c723b557bd6fde20c1a1b62bc8258788e611c45c3ecc31bbcff568f3b050d1e1860ac0b92cbd7082191901bd0cfbe3e533a13f1972df4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
fd7144e672e43f70f22ff4b68fc899e4

SHA1
282b32246d801580656d6dabd3d0fc548fc90164

SHA256
8a830badcd44a3c3d66d65a1820ea27039555ff4b755660d75aca5c8bcdda0db

SHA512
1c42c6449fca0a07438d540ef52c92284d489ad3e2905bc9914525847162c8f48405176721b6884d3824884bddadc9fd7af697a39eca24432c19a920b8256bc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
96f006273a62f69aeac7012621ef15ef

SHA1
2642baece7a3a279038bb4433937f36f1b1590ac

SHA256
a37b1ac307f5a8a25c1df38eee91df228d4eeefed56fe2b534a48fa49f14533f

SHA512
27187a6e68f82b926f1391d1d9c3b08529a0122c457caa80a64f7d9cc0bfdf95e82a9e9bd8c77acb96625d2479a64425af205ac5bd9d108d8d496f21a3747292

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0b2e89a2b6c4fade927538d0955b5493

SHA1
f62759f12f78b4e7dab3f1519ed16bd7d37f8590

SHA256
e27828282bb173d08eaaca369645d0c593e682a733dde74010c41baf2c68edd5

SHA512
8833bb72a6759557d92f7ac09b3f0e830aa68fcab97dcbca4480a159ad1e5000b3c844f109b19e3e01f85d2822f0d23a98ee56cc86f7afa3880e49ae997645cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
199193bb9134927eddd1322967b655c8

SHA1
e7dd7ae70554596700c7099a58ce15db6d21afdf

SHA256
271d5f8850c38958d1067b6b46944b093886d96980a6807d482342f2eb2955d5

SHA512
2de7f8fd03300de87eee0ebcb9a58be9ee9d61dede6d8678a33a53eaa03b200e62af31d0d4611f76dd779b642155b714bbf872a19049a93cd180da5935f14198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585649.TMP

Filesize
1KB

MD5
d3de5abec6537218a2b55bb57b5d97d4

SHA1
68b93679f7b730d10c327df822a86a670c5352a5

SHA256
a67b91cac420200266f3d4dba22c501d8d4d8e2d06795d673525ce34e66d6ab1

SHA512
63eab509cf70ca09a4a754682a767c43bd9d2efe4903d4543326a6a2d75721ce04fa23706282d52b7fb40c31c418f794e438a54da29b12f34971983581ccaa10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d9baf65c-0e0f-4ed7-beb4-03d825349c48.tmp

Filesize
1KB

MD5
1abfba9626ef82f337cb00b3c9fcd5e1

SHA1
0767196fdb3547be2de5b9552c9410a3b1869777

SHA256
12e483bb729110049f005a2f64e3c3dc81d2ed98fbd4fe393b74b72b3058edc4

SHA512
caa399d90cb71491f56b5a36f3ba58919a481fd1170ea381d9a69812d45259ec0099cefef8422e7d9c2a83e10f3d6384b3f4bcdc16967f2120b819a483b4fbe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e1916dc08abb159f3e230404e7e9d75e

SHA1
ffb81994c42e47b952f5043d94566ccdcff86998

SHA256
eda9dde5d57d062e65d53b86ced9862b608c60ce0c6b0ea0106c68853ebcd8f4

SHA512
ee0f241a51adab2d12aa7d2846d34ff2ca90a7c05e1a434f502354fddc76bc0987c59016e0f48f18446cf74d955a56b63cb763d7af1d1ffcef724c11696f8aae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fe38951742bfe7ea4e4aae5586d6efc9

SHA1
d8cb91eda08c63a09b42ced4163fd05d17b6cf9f

SHA256
003351093b836334a985c4079da706afb1fe04e6af85a89b106598783dacf6d1

SHA512
e48ca012ef7cd9562684eb7c440448d416efad7fe3e4f09b708c9c44f41443b8a7ee3f15ee603a92522845ea58212a538df9ed41ad2e22dcaf288789b6e7ca1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
92836c5fd2ef0e857e679f2cad6d23be

SHA1
9182a021e7ee4895a3134b6826b7f0ae08e848a0

SHA256
fbbf578277dc3a530c55cf52f176fccd0b82b790ecc0cb45d63aaea77f6022e5

SHA512
8d0e53104b49d694ce268a5aa12cc6a7cafb9da01ff3a1a1f7378fc29149327bb669572f204bc39214f62dbd74d64a2a2771975891bbc648728104b26db956aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdda4587-2d66-49c8-a87b-5bc5a0dda800.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3368_448083344\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3368_448083344\f5fc6527-2be0-4aff-8ddc-7b946857e3f6.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 234380.crdownload

Filesize
22.6MB

MD5
979b20755ddf86eddb3e2892003a2ca6

SHA1
3a0b6f9ee4ee12872e733948465be5ece5b25629

SHA256
7612d5e44a5a392ab9f0d1b5b8a79bda3cdbe19848e8ee9ec23909aaf3daad45

SHA512
3238f77f7810460cb7cdfe7692892879c28e14ccd95969e80cf83d1dff320c8354173a87503b893b7095b99ee81c61e195004ad5f5e6a28e09e3e9c1fc080d44

Download Submit
memory/4600-9-0x000001C8F2EA0000-0x000001C8F2EA1000-memory.dmp

Filesize
4KB

Download
memory/4600-0-0x000001C8F2EA0000-0x000001C8F2EA1000-memory.dmp

Filesize
4KB

Download
memory/4600-2-0x000001C8F2EA0000-0x000001C8F2EA1000-memory.dmp

Filesize
4KB

Download
memory/4600-6-0x000001C8F2EA0000-0x000001C8F2EA1000-memory.dmp

Filesize
4KB

Download
memory/4600-7-0x000001C8F2EA0000-0x000001C8F2EA1000-memory.dmp

Filesize
4KB

Download
memory/4600-8-0x000001C8F2EA0000-0x000001C8F2EA1000-memory.dmp

Filesize
4KB

Download
memory/4600-1-0x000001C8F2EA0000-0x000001C8F2EA1000-memory.dmp

Filesize
4KB

Download
memory/4600-12-0x000001C8F2EA0000-0x000001C8F2EA1000-memory.dmp

Filesize
4KB

Download
memory/4600-11-0x000001C8F2EA0000-0x000001C8F2EA1000-memory.dmp

Filesize
4KB

Download
memory/4600-10-0x000001C8F2EA0000-0x000001C8F2EA1000-memory.dmp

Filesize
4KB

Download
memory/4700-15-0x00000000023E0000-0x00000000027E0000-memory.dmp

Filesize
4.0MB

Download
memory/4700-16-0x00000000023E0000-0x00000000027E0000-memory.dmp

Filesize
4.0MB

Download
memory/4700-17-0x00000000023E0000-0x00000000027E0000-memory.dmp

Filesize
4.0MB

Download
memory/4700-13-0x00000000021F0000-0x00000000021F7000-memory.dmp

Filesize
28KB

Download
memory/4700-14-0x00000000023E0000-0x00000000027E0000-memory.dmp

Filesize
4.0MB

Download