hxxp://itch[.]io

max time kernel
1443s
max time network
1440s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
05-02-2025 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://itch.io

Score

10^/10

defense_evasion discovery

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-946476529-1335986830-1090511001-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	SystemPropertiesComputerName.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-946476529-1335986830-1090511001-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SystemPropertiesComputerName.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-946476529-1335986830-1090511001-1000\Control Panel\International\Geo\Nation	rundll32.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	perfmon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	perfmon.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133832481167046227"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
3996	msedge.exe
3996	msedge.exe
2376	identity_helper.exe
2376	identity_helper.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
2008	perfmon.exe
2008	perfmon.exe
1012	taskmgr.exe
2008	perfmon.exe
1012	taskmgr.exe
2008	perfmon.exe
1012	taskmgr.exe
2008	perfmon.exe
1012	taskmgr.exe
2008	perfmon.exe
1012	taskmgr.exe
2008	perfmon.exe
1012	taskmgr.exe
2008	perfmon.exe
1012	taskmgr.exe
2008	perfmon.exe
1012	taskmgr.exe
2008	perfmon.exe
1012	taskmgr.exe
2008	perfmon.exe
1012	taskmgr.exe
2008	perfmon.exe
1012	taskmgr.exe
2008	perfmon.exe
1012	taskmgr.exe
2008	perfmon.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1512	powershell.exe
1512	powershell.exe
1512	powershell.exe
1560	chrome.exe
1560	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2008	perfmon.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1012	taskmgr.exe
Token: SeSystemProfilePrivilege	1012	taskmgr.exe
Token: SeCreateGlobalPrivilege	1012	taskmgr.exe
Token: SeDebugPrivilege	2008	perfmon.exe
Token: SeSystemProfilePrivilege	2008	perfmon.exe
Token: SeCreateGlobalPrivilege	2008	perfmon.exe
Token: 33	2008	perfmon.exe
Token: SeIncBasePriorityPrivilege	2008	perfmon.exe
Token: 33	1012	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1012	taskmgr.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
2008	perfmon.exe
1012	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe
1012	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 3160	3996	msedge.exe	84
PID 3996 wrote to memory of 3160	3996	msedge.exe	84
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 1872	3996	msedge.exe	85
PID 3996 wrote to memory of 4088	3996	msedge.exe	86
PID 3996 wrote to memory of 4088	3996	msedge.exe	86
PID 3996 wrote to memory of 1184	3996	msedge.exe	87
PID 3996 wrote to memory of 1184	3996	msedge.exe	87
PID 3996 wrote to memory of 1184	3996	msedge.exe	87
PID 3996 wrote to memory of 1184	3996	msedge.exe	87
PID 3996 wrote to memory of 1184	3996	msedge.exe	87
PID 3996 wrote to memory of 1184	3996	msedge.exe	87
PID 3996 wrote to memory of 1184	3996	msedge.exe	87
PID 3996 wrote to memory of 1184	3996	msedge.exe	87
PID 3996 wrote to memory of 1184	3996	msedge.exe	87
PID 3996 wrote to memory of 1184	3996	msedge.exe	87
PID 3996 wrote to memory of 1184	3996	msedge.exe	87
PID 3996 wrote to memory of 1184	3996	msedge.exe	87
PID 3996 wrote to memory of 1184	3996	msedge.exe	87
PID 3996 wrote to memory of 1184	3996	msedge.exe	87
PID 3996 wrote to memory of 1184	3996	msedge.exe	87
PID 3996 wrote to memory of 1184	3996	msedge.exe	87
PID 3996 wrote to memory of 1184	3996	msedge.exe	87
PID 3996 wrote to memory of 1184	3996	msedge.exe	87
PID 3996 wrote to memory of 1184	3996	msedge.exe	87
PID 3996 wrote to memory of 1184	3996	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://itch.io
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff891ec46f8,0x7ff891ec4708,0x7ff891ec4718
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,15704822673345008936,15293818422151344093,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,15704822673345008936,15293818422151344093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,15704822673345008936,15293818422151344093,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15704822673345008936,15293818422151344093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15704822673345008936,15293818422151344093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,15704822673345008936,15293818422151344093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,15704822673345008936,15293818422151344093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15704822673345008936,15293818422151344093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:3752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3884

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1012
- C:\Windows\system32\resmon.exe
  "C:\Windows\system32\resmon.exe"
  2⤵
  PID:4496
- - C:\Windows\System32\perfmon.exe
    "C:\Windows\System32\perfmon.exe" /res
    3⤵
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" "C:\Windows\system32\sysdm.cpl",
1⤵
PID:2928
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\sysdm.cpl",
  2⤵
  - Checks computer location settings
  PID:2124
- - C:\Windows\System32\SystemPropertiesComputerName.exe
    "C:\Windows\System32\SystemPropertiesComputerName.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    PID:908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x200,0x224,0x228,0x90,0x22c,0x7ff8829ccc40,0x7ff8829ccc4c,0x7ff8829ccc58
  2⤵
  PID:708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,2138275859826445953,7937076051473536370,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1792,i,2138275859826445953,7937076051473536370,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=1992 /prefetch:3
  2⤵
  PID:3732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2136,i,2138275859826445953,7937076051473536370,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=2144 /prefetch:8
  2⤵
  PID:3208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,2138275859826445953,7937076051473536370,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,2138275859826445953,7937076051473536370,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4556,i,2138275859826445953,7937076051473536370,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4528 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4908,i,2138275859826445953,7937076051473536370,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4928,i,2138275859826445953,7937076051473536370,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3684 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:3520
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x298,0x29c,0x2a0,0x94,0x2a4,0x7ff7820e4698,0x7ff7820e46a4,0x7ff7820e46b0
    3⤵
    - Drops file in Windows directory
    PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4880,i,2138275859826445953,7937076051473536370,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5072,i,2138275859826445953,7937076051473536370,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:3504

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
7d87d59f2335f8e9b21db488e21b0ecd

SHA1
5fcd06cbf4f518c643ddd9677e253b519f007369

SHA256
d8ae6b4a0c3034923d7a07a786a7d4ea77880c99d05b3cc8ce35288c2880f56d

SHA512
3f68b388fb817c6648054814a46323bdc1f7a5ae7483d59c3acf9e24903e927fa37a3d73f2f3e4ab109a2e9b92e0b09baf60df1c8e0519eb9d9f468f6fe1be61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
214KB

MD5
ba958dfa97ba4abe328dce19c50cd19c

SHA1
122405a9536dd824adcc446c3f0f3a971c94f1b1

SHA256
3124365e9e20791892ee21f47763d3df116763da0270796ca42fd63ecc23c607

SHA512
aad22e93babe3255a7e78d9a9e24c1cda167d449e5383bb740125445e7c7ddd8df53a0e53705f4262a49a307dc54ceb40c66bab61bec206fbe59918110af70bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
3121ae753e9d146b4994a69947257b8c

SHA1
2518cb1a7684a976fe69c79276e1e233245b4578

SHA256
587a7feb7c19ee63e23d9d30473201fedbae09eb61102568a79cefd3852b8f92

SHA512
091fdee2ab45b54aa22bba2311e0cd35a84e1758b82ffc42d5f34dad8930fb635118d1e20dac3d5b2b8239fe53f4f0b3e7b6257c0096f1cc7712d1d8bb57ca70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
24009625db01cbb22ba89c9ca1d17024

SHA1
3322ac185d65dabe8f8d108e7a49e2459488ba1d

SHA256
d5f3c9a4cd15de009c4e11a3c9db8bddaf69ac4f56e2d88ad334078b803cc079

SHA512
feb052cc328560b9ab0ef67a40f81e85d4fab8f77aa2265d5c00bc4e01b1b3735fa48a185ed57f67c106e9b7c0152f72e2010a28fdde50e0599c4a255aaee98a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5552850c09842330a600b805255f9a64

SHA1
8b95794286d8dac2084bd6a27b656f7e4eb4e53a

SHA256
0aaebdbf7469a14690b9e377ddd4bb9956c5fc7be6a2fef30fe5d41116982b93

SHA512
7b1e65a7675a92649f5bb6a2faf1943641effe0dc1584029b01d100e4fa57cadb2d70109cf238d800485b177d5759238924de31208cba260548469a993eb82a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b484141c1f67e0fe0f24bf6fa48ac4cf

SHA1
55a47809a221ee8190dae8a0aabc12bf08c83296

SHA256
41d39b539ef2e42261c3bd7d4a8e7a6ff334e79439e9beca760febee526ee260

SHA512
c7f958e11ba362696e1c7b4ef7b41c0642d5bfbd2be144b0f212ca957674cef8cc5598472a07a377c29ecf4c34e466b08570cc5f1dcf3dd0e5275d66c37fbdc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7093a9c61e2499de7cb3b631d7a684ba

SHA1
7f4e8aad8b331a8911c56ff9c0f85d7330056728

SHA256
345e226ca957a44191abae9f8fa9429f4c71a3b530d2c38fd22d64a227f2275d

SHA512
4086a6112ec10be853dae391c382497167b9fcb1509856a87ac343af7f88ee4cd8350be26a6e8731218235ac6f84a22ae11b388deb7c0fc42190d3afe547424a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
45e3f0885b03981a6383a95dd2bd71ed

SHA1
4634d0e9f1c1b4af4974b696873af7317314ecbe

SHA256
3eaca5e1cd481bca7efd976ba5cdfcb9e319705e2c02164fd55cb15b030e5f1b

SHA512
0d04d6b83b8748b0d5d6c0f988fcfc64a9bbffb4299045e0c4c3b0e2587897133b3d23e94f123e02b9810c6ac0389f9810c180d29290209fcc3b07b19f2cc779

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cfc76494cd248c228a4a33a195f24c8e

SHA1
91be2da5a8d2b40ad578f32324d35043140b2d95

SHA256
67c1be3cf0bae7a4e7662a3371d46f93d7d1392ed8b9ae28e462499d393138ed

SHA512
0d275cca138c3743a8a71711e1d86321449a55035e3526771d08b445b4ef450a39cf5645cf01a593c75718068b5ee88559a1443d30db8cc5830c326517f7074f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e29574f1ac5c8225a562a341619654cc

SHA1
04d8fe5538f7bc5bfe8bfbfdc3b7b773039a9015

SHA256
95aa2ed758b51909f0ec785c53f2bd64a440f4bd016f98d1d61539960d8fd15c

SHA512
c0730478d1b88aa193a6c9fbd72b4aba664806808f289844c7046b10f860f71b67259b79499044a190f287f38bf00344369fc4932e8c067eea5105cc322a50c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1958ddb3dc1e25b58141465342c550aa

SHA1
75e56872ef7c1a2f8a33bcbffee0d5e8d36bcea5

SHA256
845319dc8006651b6a1f1223bb33fd5aedd7776828b14c7b2285c230d8b21649

SHA512
2939940d0edb6ef134482c9c42178a461b03af378d390b32813cad1959f736ef5ac897f08017a0f0f3a1e604c30c66a521136599af87d04e99751f53319962f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7da060bd77f6a427c46564667676e78c

SHA1
c1f8d4de091e58e4a9d69db24d024fd21e5b0a45

SHA256
31bc54e2e4997f1c051ffeeb8c977ce8144dfd41f07b157d147c747a8d481ff3

SHA512
dd41a6fe2c276fd70f85e9eb98da996db07a135be6934df5775746362b01682f824b998a888766533c274178b99686857e40c3b10f2bb7d23d34c7a7ec8b85f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9eb3bbda913b765744ba346c9f2ea3ee

SHA1
db5bf1733c7b825d787d5ae972ead8bd82118adb

SHA256
b6a2c1c3772952df4b56504f50d89af01dcfd2bd4f9a51e250148f274def4189

SHA512
4b22b1ca0bbe3ae1cde73dc2035c025d5f9b1cfbb414cd6dc5deb620c974b16595f26254580926f7682db95f25796153bdb387a870fe27c15db98e7c64e8652a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
67c15436a70b559d193cb8e7fedbfc5e

SHA1
da685058fef730bb5ce584efa1e69247810cbe9a

SHA256
abf4f0fffe2057fca1d67731a629e7f95372b5cdd75c4443d5485c48b82848ed

SHA512
0ceabbd47a470376e77f3bb8239a18f3aa9f570a439be75873d9112a3da47867af2fe7e75a5088c119985e0222eabad3736770d3414dcc0d75a4d02b292d1ea5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0d3316cd6f2479d66097cbe7dfcf7676

SHA1
2f553f3bd1ffa84685ad81ca1ac3854ecad243a6

SHA256
512f2f860d095d57a04f4379cac7b6dc0ad36619128be239b3a55a686c5cc7fd

SHA512
759146ed96bb6a0f309d7048f4382fabfb1770901b0dda75dd5c7a41254e6c6f3f0b30f1ad094ef6a32c8cbb2807104750e96889b2f2aa79c2a406ad746ce11d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aeea5a71a7fb573956076f8e3a5513f2

SHA1
0d07919b8c04f6312b73ca86845089417fca75bf

SHA256
47297ae372cd219fdcd9ba39522ad8a5a86e9a1b0d4d1991738c9642f38c4d93

SHA512
e6d4882220b3bc6405854a0909f0117f9482b1bee54c3df13d6f23cae9855b4e249b6e0a48d821e961656e98b88aa5cee757209886aef5b8a776c212d4b983d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2cad61dc4ce119a02e3512bfc080a8d3

SHA1
3ff07e444cc0df0807c50372cc3a21201acf5ce4

SHA256
260e772ec21487872cbcba067e65641f51da0e08a40acb0d73da02433c041c69

SHA512
15a72e03c7295288a9052b95c97e60b1380c50e8874db21113cf34ff72c831d6cfdbcad894208aeefbedaa7ad6d0bfcd3db49cb417354cad6465208be4987519

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
83418093f9b6ef6ab113955ed5637522

SHA1
8aea3a666c1a7cad69db6a367592b8f63b5fc1e6

SHA256
a0ce8fdb77b10718f37440e8cfe232dbe228c9fbfbedd5efe4ea0cc3d152e432

SHA512
e895743bfb4286bf54226fa537b878d3f7432c5dccc95f3467718128b474cb84dea18efcef57f22d752d8577ee5bb0133e738db5f665cbeee194a5d121c8641d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0696cb26a7a3d314462cc77fdf0fa0a1

SHA1
4dc1988ead0aa76f67b93fdca175c356175edb38

SHA256
4f52099cf8404dbb8e19cb2539887c653d09f05eef9e1c0ff9d5b7da41077fb5

SHA512
3daed33f5b29b22e5a833255a98bc38ebdd58974577cc6e28a743b8c3ba3e0351fc2ff70ffceed591e65d4b6826dfefafabfcbc7e4f763fb7648a23b477a6719

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d42be5ef94fc243ac1894d1eceaad0a6

SHA1
bb2c676f2186eb776c5ed29871937246f5adcef8

SHA256
aaefc2c6cdc08ff47fef08f442551a3501d4f19d13f5dbdc38e172e0d880dc7f

SHA512
a708cf415e9ac9da8da584407a58464baa6c106c913b7de6482d4c794d9698133b294726801a31fa0ac367d605f6f4b59ed3c8b47e9e17a8ccdb6c9da1d0422b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a5b65275c8a122759ffc25b27ae6f61d

SHA1
3eb1c91880e2bb6e425ea376033877a76ee53ad3

SHA256
fd25933b899fce073b69a9c9d9bece3d7a6a88ceb94fad96af783b558c03f182

SHA512
cf321fc1f642f55658061c0764a3ebd4e89304e3edb3fff7126d65544274c6ae5016df258149e686c7febfe37cb4e985ad87f40ab77e5ef50abd338a925768a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
240KB

MD5
a4240a11637367a16eb15329a6a5d131

SHA1
831e75ebb4c79733fd929d2fa1fa805d088b29dd

SHA256
ca5a9964d177394a650da5cc93d939ccc2cd6528139fcd6041410c9059bbce62

SHA512
109d7e4a033be3e0bed6c0937dfea9507b89cb83dd81424f6d43ac4a958fd8818ee5723bdfbf94f117f61fcdcbd7be851480773be869dd5bc21bf0bcf70f7567

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
240KB

MD5
56853d144e6908193165f1d7c23e222b

SHA1
62dfc2f560a913f91c44b4de973afdd338d33e1b

SHA256
e533f0d0ee0140aff68f7ff2c0267caf2a9f1ec73767453fda494ffa44b322f7

SHA512
4e61ef6421cf0b46aee6e9d7cf64e7fbaef34dedcf4a0db7a65ee46ac9efb2e478e565d361a5376e9dc3f0c3188fc851a5fdc3ea0ca520b9a07241f8038eebb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
240KB

MD5
b194d8094a9909ccb3b3ff3afb4a86d0

SHA1
6b9bbef9f9362e7497996a4495e1d3114d49f578

SHA256
d6a143105229e086f26f95a81de67a3c7e69d3531586df96a3d44b2edcc07584

SHA512
8bf423bb3cd13f1e2c28eadeb58799d911a814394099ea228174b1ef22e576e04dea4bcb1467219f59291a3a341c681fcdd3b660b7c21739d79fd12d6f55effd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3fb127008683b390d16d4750e3b7d16d

SHA1
8204bd3d01a93a853cc5b3dd803e85e71c2209af

SHA256
6306c5c7293fe1077c630081aa6ed49eba504d34d6af92ba2bc9ebf0488bd692

SHA512
2b8003cc447e44a80f625a6a39aacad0a0b1a5b1286eabd9d524252d37e237491d069c603caad937d564d0eb0565224d6c80c407b61092b562c68087785a97e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
b4efef0948b2d00b1b078cfc683ebf14

SHA1
d3609bbcba0ca0ea1dd8d0f9ad2030e5e39fe5aa

SHA256
d80f22bb4a635cb8d4c5c9fcac4bf0e30480a949b48b1e886f4be7a7d4bb6b40

SHA512
15f1ae66eeae80676f78b79e2ca27c023df1bf146b430804a7351367ccd05bb4a8cc85222317767171ced65c5211ebaa5e3221a0cc9b364cb3a8369e8d59cbea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
853B

MD5
e95f09f9c138cd56fda7f2113bf6adfc

SHA1
43aaaf7f76fac0ec6081f8adeffc1c63db0184e4

SHA256
552fbed24d4d73c400553824138bcefee06ff6fdaa8492c6902eae81e675b750

SHA512
771fa9dc7f3f692fc92df767bbdda2d0ac4f0c7986c59cb5ce2e62f45bd230c61c1323e898fb326af440ee5842d967ba70069d6e2a61c0df4bbb73702bf2fde0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4f4d74f3d62d26d9dcb87ee341c968fa

SHA1
a598db1547de16aa7d6a70b89c2bb6555583d261

SHA256
59fefb5ee54aac23133a3ffd964eb55d6a9e6f0bfa9014fa8b74f1ac16ab7163

SHA512
010792e39e347f1a5821806842ac9c8af5225012072b56b37d0744a76db8da1ba970541ae7ae2ceb933e8841b77fe647e31a784219e855ec2d164111b87b9278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
30355d485a06d78168f2319d55dd58ec

SHA1
eb1b1553ea45c34e9f1a9cf0ca3ad795406e291b

SHA256
2c542112f67b790b21c2f292ba708fbdade796a4ecfa58399950aeb8845489ab

SHA512
26690bc8c82f480c5103c755804c6c79d8775c02931d4da0a7986f939d2209fbab789d98561ee04862707add90af9e1262fcf1aef109cc459c47ff3a2a606555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
aff160ba747bacf72d7f08d2069748db

SHA1
f07295978a52bd80ed5c397569c8a43a6e275baf

SHA256
d5506d499bdf13789b95fac5eddbaeb96a74ace799c688983e55873654611907

SHA512
a30f07ea191a08e729a89765d35275cb4a39155fe75ddf0f0bb176c45bea85afa21efb8fe96b8398a37bf050f0fd35098c858d050f0cbd1944ca13fe0e7fb042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4ed6de20bce4745dc90ebf3196d7ffc1

SHA1
5e7d13d9c47c819f191aedf6d6956601a1c97454

SHA256
88482351a416de0737668841dbaf86eea356248d2308a4cf1e7f790da78378b0

SHA512
6caede77e7728c1cab867d070ac778c561839bca8259e138fb89d79d4c78668afd5d997f0910de5f6c70b788397950d36b3e77a3244626c3d15cd3a2ef2ec76d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0677b7272984a6e8d243405b2c644c7e

SHA1
a844ae7f8d5fb7839f1258622142e67953d19607

SHA256
d5107326caeba499cd7c455096423d8ae9417bacee6cf3aa6f814d93eb4f7ed5

SHA512
0680e6d08364b7eb6d66d25b26220c21a4974d249c778f80ee60e5a257d44afbc2013017a8743699c7139d6275b97883940e7b0914bcaf1e2281c8238b64c972

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6013e0a39fc61c73acf870d7387dbdbf

SHA1
5035a9208f400012ea8f5b90a1deabd72b48b54f

SHA256
53129f99b6d50f893ec60ad8d844fa2a4f704a1ee6439e0f9735364d6ddfc81d

SHA512
6e4625d7fe32025762fdaad3b5a57062ae529808fb8dde8781e2ba17c53d579410cc091f21113ccb554d51b9fc274af8840d4035242b5e883b78c62a5988a400

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b6a0ec9a615980eb86534eecaefb0fe0

SHA1
8224f15f3142b049e244316c97b81b27c9375b4d

SHA256
68a84e7ef3b5a71993f68efdf331c6acaf46e96b6017beabd4e532f69de5072b

SHA512
95d794e2b06f797c0e5109c9f3924b28014e9c310e5bb38923660c19452f49281d9b6cd4aa992d22d91e49b031be28649bbf7a603a9063e90c73edebb684dfd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b5528d41ffa7223fde870dcf09048739

SHA1
929830d0f2f606549640003409eeeebc11f91ddc

SHA256
afadb1bae2359bd8e9ad12cd388ddb9d91a2fca3b67d86fad4b861d698b181af

SHA512
db91b92cdda70fda9e6e75f4f066d4135d47258ab80bfa9d66686127e5df9fbb1673b9e507ad60e87e23a99442b213df6f3213334e82f8ee694e71e84d85e9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_smingmnw.rmv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1012-130-0x000002EEE0CF0000-0x000002EEE0CF1000-memory.dmp

Filesize
4KB

Download
memory/1012-126-0x000002EEE0CF0000-0x000002EEE0CF1000-memory.dmp

Filesize
4KB

Download
memory/1012-127-0x000002EEE0CF0000-0x000002EEE0CF1000-memory.dmp

Filesize
4KB

Download
memory/1012-128-0x000002EEE0CF0000-0x000002EEE0CF1000-memory.dmp

Filesize
4KB

Download
memory/1012-129-0x000002EEE0CF0000-0x000002EEE0CF1000-memory.dmp

Filesize
4KB

Download
memory/1012-131-0x000002EEE0CF0000-0x000002EEE0CF1000-memory.dmp

Filesize
4KB

Download
memory/1012-132-0x000002EEE0CF0000-0x000002EEE0CF1000-memory.dmp

Filesize
4KB

Download
memory/1012-122-0x000002EEE0CF0000-0x000002EEE0CF1000-memory.dmp

Filesize
4KB

Download
memory/1012-121-0x000002EEE0CF0000-0x000002EEE0CF1000-memory.dmp

Filesize
4KB

Download
memory/1012-120-0x000002EEE0CF0000-0x000002EEE0CF1000-memory.dmp

Filesize
4KB

Download
memory/1512-292-0x000001EFF3F50000-0x000001EFF3FC6000-memory.dmp

Filesize
472KB

Download
memory/1512-291-0x000001EFF3E80000-0x000001EFF3EC4000-memory.dmp

Filesize
272KB

Download
memory/1512-281-0x000001EFF3960000-0x000001EFF3982000-memory.dmp

Filesize
136KB

Download