xworm | hxxps://cdn[.]discordapp[.]com/attachments/1345776574292561992/1345776601526177954/matrixnew_mapper[.]exe?ex=67c5c7a1&is=67c47621&hm=500a57a7bca2c90dcf4f340e9b6d8a57d3a0b1ad8cabd7af66795e1aa0440f98&

Resubmissions

02/03/2025, 17:23

250302-vylcnsy1gt 10

02/03/2025, 17:21

250302-vwyvzszmt9 10

Analysis

max time kernel
137s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2025, 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1345776574292561992/1345776601526177954/matrixnew_mapper.exe?ex=67c5c7a1&is=67c47621&hm=500a57a7bca2c90dcf4f340e9b6d8a57d3a0b1ad8cabd7af66795e1aa0440f98&

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

paul-nw.gl.at.ply.gg:51413

Mutex

AVvzTAnLyW8qQCcO

Attributes

Install_directory
%AppData%
install_file
kev.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00030000000231ef-939.dat	family_xworm
behavioral1/memory/5020-956-0x00000000008E0000-0x00000000008F0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Downloads MZ/PE file 1 IoCs

flow	pid	Process
6	1676	msedge.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	newuimatrix.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	matrixnew mapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	-.exe

Executes dropped EXE 4 IoCs

pid	Process
2736	matrixnew mapper.exe
6984	newuimatrix.exe
7004	-.exe
5020	.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
189	raw.githubusercontent.com
188	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
193	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
6984	newuimatrix.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133854098551222477"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000f621f9da4c81db01fa35f7db5481db01ea4ed7f1978bdb0114000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 862645.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1676	msedge.exe
1676	msedge.exe
2576	msedge.exe
2576	msedge.exe
4468	identity_helper.exe
4468	identity_helper.exe
5548	msedge.exe
5548	msedge.exe
5752	chrome.exe
5752	chrome.exe
6984	newuimatrix.exe
6984	newuimatrix.exe
6984	newuimatrix.exe
6984	newuimatrix.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
6360	chrome.exe
3460	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
2576	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe
Token: SeShutdownPrivilege	5752	chrome.exe
Token: SeCreatePagefilePrivilege	5752	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
2576	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
2576	msedge.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe
5752	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
6360	chrome.exe
6360	chrome.exe
6360	chrome.exe
6504	chrome.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3460	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 1232	2576	msedge.exe	86
PID 2576 wrote to memory of 1232	2576	msedge.exe	86
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 4596	2576	msedge.exe	87
PID 2576 wrote to memory of 1676	2576	msedge.exe	88
PID 2576 wrote to memory of 1676	2576	msedge.exe	88
PID 2576 wrote to memory of 4512	2576	msedge.exe	89
PID 2576 wrote to memory of 4512	2576	msedge.exe	89
PID 2576 wrote to memory of 4512	2576	msedge.exe	89
PID 2576 wrote to memory of 4512	2576	msedge.exe	89
PID 2576 wrote to memory of 4512	2576	msedge.exe	89
PID 2576 wrote to memory of 4512	2576	msedge.exe	89
PID 2576 wrote to memory of 4512	2576	msedge.exe	89
PID 2576 wrote to memory of 4512	2576	msedge.exe	89
PID 2576 wrote to memory of 4512	2576	msedge.exe	89
PID 2576 wrote to memory of 4512	2576	msedge.exe	89
PID 2576 wrote to memory of 4512	2576	msedge.exe	89
PID 2576 wrote to memory of 4512	2576	msedge.exe	89
PID 2576 wrote to memory of 4512	2576	msedge.exe	89
PID 2576 wrote to memory of 4512	2576	msedge.exe	89
PID 2576 wrote to memory of 4512	2576	msedge.exe	89
PID 2576 wrote to memory of 4512	2576	msedge.exe	89
PID 2576 wrote to memory of 4512	2576	msedge.exe	89
PID 2576 wrote to memory of 4512	2576	msedge.exe	89
PID 2576 wrote to memory of 4512	2576	msedge.exe	89
PID 2576 wrote to memory of 4512	2576	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1345776574292561992/1345776601526177954/matrixnew_mapper.exe?ex=67c5c7a1&is=67c47621&hm=500a57a7bca2c90dcf4f340e9b6d8a57d3a0b1ad8cabd7af66795e1aa0440f98&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa737746f8,0x7ffa73774708,0x7ffa73774718
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,2021669444038958937,15130525531544318029,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,2021669444038958937,15130525531544318029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,2021669444038958937,15130525531544318029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2021669444038958937,15130525531544318029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2021669444038958937,15130525531544318029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,2021669444038958937,15130525531544318029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,2021669444038958937,15130525531544318029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2021669444038958937,15130525531544318029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2936 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2021669444038958937,15130525531544318029,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2021669444038958937,15130525531544318029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2021669444038958937,15130525531544318029,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,2021669444038958937,15130525531544318029,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2021669444038958937,15130525531544318029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2068,2021669444038958937,15130525531544318029,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6160 /prefetch:8
  2⤵
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,2021669444038958937,15130525531544318029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5548
- C:\Users\Admin\Downloads\matrixnew mapper.exe
  "C:\Users\Admin\Downloads\matrixnew mapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2736
- - C:\Users\Admin\Downloads\newuimatrix.exe
    "C:\Users\Admin\Downloads\newuimatrix.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:6984
- - C:\Users\Admin\Downloads\-.exe
    "C:\Users\Admin\Downloads\-.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:7004
  - - C:\Users\Admin\Downloads\.exe
      "C:\Users\Admin\Downloads\.exe"
      4⤵
      Executes dropped EXE
      PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,2021669444038958937,15130525531544318029,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:5012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa60dbcc40,0x7ffa60dbcc4c,0x7ffa60dbcc58
  2⤵
  PID:5820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,13176966664797074707,10780304004238912968,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:5984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,13176966664797074707,10780304004238912968,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  PID:6000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,13176966664797074707,10780304004238912968,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:6068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,13176966664797074707,10780304004238912968,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3268,i,13176966664797074707,10780304004238912968,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4600,i,13176966664797074707,10780304004238912968,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:5608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,13176966664797074707,10780304004238912968,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4704 /prefetch:8
  2⤵
  PID:5700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4856,i,13176966664797074707,10780304004238912968,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:5732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3272,i,13176966664797074707,10780304004238912968,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4388 /prefetch:8
  2⤵
  PID:5928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4772,i,13176966664797074707,10780304004238912968,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5164,i,13176966664797074707,10780304004238912968,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:6008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4876,i,13176966664797074707,10780304004238912968,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,13176966664797074707,10780304004238912968,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4388 /prefetch:8
  2⤵
  PID:5928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5168,i,13176966664797074707,10780304004238912968,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  PID:6388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5772,i,13176966664797074707,10780304004238912968,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5756 /prefetch:2
  2⤵
  PID:6152
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:6588
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff6eaf24698,0x7ff6eaf246a4,0x7ff6eaf246b0
    3⤵
    - Drops file in Program Files directory
    PID:6604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5928,i,13176966664797074707,10780304004238912968,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:6700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4056,i,13176966664797074707,10780304004238912968,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:7056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3436,i,13176966664797074707,10780304004238912968,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6064 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:6360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6064,i,13176966664797074707,10780304004238912968,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6124 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:6504

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
99f953d4571831db49a962a44becc98a

SHA1
204379c718cce59744855a4d9ab0ce98cb7904e8

SHA256
0296b570e51dac2bc8efac85f926ced11191d5962b6dcb3ad8ce202e7351252e

SHA512
fbfc5ed9badafc0f9cfada66615fa2f64522182c981bd56d163b9bb409bf5b36f26cfa785c97fa7ea5b4211da47f8dfee583470905f4daf69d89eb5e1768e89e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
720B

MD5
8683ade18e334d0137b60acd8264a951

SHA1
c972f8184afe8d40aaeec916c7bc10d5f7dcd3f6

SHA256
56206ebe8fbbdcc5d954ebf80d5e6a466b7d44110f7befa0434053501959497c

SHA512
446e31b0a19c3b125ef9e2135d9816f3855f728665ba7c07a2347e9f4aaf28ce9004fb00614a69aebbd0df3b251d09ee5e480fff6f28d2ad5a05ea2695e23242

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
3fe3f9a51b52de2d3b5ad65271426efc

SHA1
22e482ed5bfbb2b14ecd4f5899772de1a5b8cc9b

SHA256
dbc3e7b4524c3fc7948aec2fae074b719076e9840ecbec57f28abd99aeb5f8e2

SHA512
2c50a53d559dd297cc82877531667398ee40c4a2d94488b30b704c48a71062777685d0df7d4283d042653d393a76e6ecaed451d96b99cdc2863ecc93148c0384

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
122893711495cf54cf5a6d88b575103b

SHA1
1a11685b8423a99535a6500f22dcc0a715bf11a1

SHA256
781290e594b6d1ad014752c7b7a20f6a6a6b5d000853fc1dd15392dd50e49020

SHA512
1b6cf44ca4c019129379f009fe8ffb2e3db937ae70999cde81bdb1562d8eadae695e7ccfcc331bc8d97128d1072f638cf4b0e45e7ec8c6a65542e7d083ad0155

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
6e70b6a367a3028a5f056255f4c38734

SHA1
434f35eb3c71858e89293ed25ec30e6f467cdd0f

SHA256
df042b58d004cdbbdfb7c3b7b01681277153d111de1816c7d5d52aae71d48622

SHA512
69403060fcad6b4ded2b3559fa564e48f9056100a849408d97d2797cfd3eb4f77e5816e8beeebcc6b0cd077b6b32f8a20f8cc9165858b41b041dad1c52c2cbea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c9475fc6eca9e44f95e494009dfa930e

SHA1
cd35c167c98bced84a46eac74848af3086a61f8c

SHA256
3ef58f2c616089c9fcd1239ebe46bede5f6fa063186098efcd599e9825384e21

SHA512
1592f215ba542ef6bedd4b71bac6eb839e8ffd234ba80acac0574c91478b9643fabaca13a6d90830483286cfeedd4949b836da68706a966ac88ba03c0f7e1153

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
5549179c07fa372f1e5e2582a5f80133

SHA1
28106510a6e89cb1f16957cb9131c697f0cb4b83

SHA256
16faac6903cf1a5f7c048125d2b9ad253ac70ab20c1d9aecc5c3954a1a8ef7ba

SHA512
a6307f8042731ff76e45d3fcdb4ca42e1cf7bf19d6cbeb297867076c3ffc6ef530ba33c1b3766581532b0c59b218f698991ccf5a2e363b34e5a2f8134cdf0bb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
056014348bc84fee77cc75f2efb04058

SHA1
00520955c6e9d234d1ad4fc1f127950c6602483c

SHA256
b9bd42e88263a09674f9d793c4d0cc1aeac34344b0ca042a5e6de3decba57bc8

SHA512
ea0e23f968debf75a2a5bd4726b6ba0109d6bb6cad6f66dcd2bdc4ba7788dcc47287848e1f6fe81a7190e421fe2564bca6bdc97f12164ab46234f45855792d84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
481650a51f704b54aa013adcdeaaa98d

SHA1
0eb086464f03d1fa8e8ab570590bd6a561a30fb0

SHA256
e8f8f3910972c92ae9b952f75b10413a36ce94d2879e70edfece2f2d80232225

SHA512
6822117f746e2af22034a24a89fe24c8998d37a97c299a6eb6bb45a4149d20143484158b5c472708717397e82c37f7debac9345b6982d85061f231cd36349a05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e6cc19c036989567089a8cf56f4aef59

SHA1
9d14f2fe6f4d21b208ef3c25c2d3fc838b72191f

SHA256
e5bd47edf5d562aade67773a49fc9b83598ba234b6b59d8e507d798b46a71bcb

SHA512
0e2a25331ee31b393707db0a7d3a75f77e45d045a97d0535187cbb88f56cb4193133656ea32b1a47a3aaacbc3e8eba466183df4e618ed152c6b6846a978dd0a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
85a140e75bfdcb36e629c2838f061b87

SHA1
b2667e6a0dff26917698a6ae49fd5c3784f236fb

SHA256
5126bb446ee27ef53bb5e9c68523990aec596e977559ac2b22af47727cc9369f

SHA512
9f5fb1d85ccdc4d5e450081115035c47a785650eece1278a1fa001440530778364cd43bc0a708f2707309c34687abe8c63034edcf56cec57309dc3cf08178eda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
01a248b72af1d46839864f6427c28402

SHA1
5e1c8f4856ab495bb9ef83b78d4c5a9cb9cd37de

SHA256
7c2658a70900c4f0ccdf820f1b2326e5615374ceae34e823f8e21444af8781aa

SHA512
63ac780905277634b2cb5a083a94942af59f8ee9061483140a379a0a64b1c24ffe6c01762866357d5c4d7b6dba7934e3f9bdcea6bcde5a62bf660c0375c2760f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a6d9cd64ce76dc67a63c5b4be1c8f171

SHA1
cfeee49c87863afe73a97926eab15349138c98dc

SHA256
08df954584360cc18ffc359fea5c19caa6b58af98f5065443c46369fe125aef9

SHA512
7b22a326e06b6553bc9a62b3d3562c850e238ed260e3e5f93dd0ab3739626776ed174e74a5580d4e3027ceea52bbdbfca0d3a444a4f11b5b729055186868f944

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
57048141aae88860e85f1f61af3492fe

SHA1
8134f07eaed0def73d56d04e53d4d3147eed79fd

SHA256
7b1a3a182ca41c29b27ad4a0afb494de6ec2dd39a228e48ee003925762baa345

SHA512
1dc5bef5b466f00a6bbe8a2b3143354f6a0864683154d0299ae1b05bd23bef63e22b8bee34ec65ffb8de319fa724c4571b74b5301d991c0feb954892acd68e23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
2c778485f1dd6517d21addca3eb62697

SHA1
a294afef328a999cd89cf0a67cecaa14b8e8d6b7

SHA256
3c9939013e8b58813a71fdee41136130297a73f320bad8e743dd0486d6cd4f42

SHA512
1830da6d53965a63c67486cff58f750bd3f3d17106c9f948c31dc5950e716f895909c4db7a2f3c1966f30fec7e91df453d741e127dfb30fea8f2a4eafcb84bbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
470e8ccba9b12d25df6477160e9d650f

SHA1
0bf393c1a99c8aae1773435caec9d55a606ef471

SHA256
f47a72d07131812073e82d85c4299daf328f2a9b57e6f5ffa9177f6865efe597

SHA512
f483fcdf99b7c054e46c4f1023fcf0c1407ed0e12ca008364a1d785020b8b01ae9a3400a47b9ba9d837f155208c665ec50cc6bf7d236c29e0e39e0486aaaeff2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
49e042237c4c72cf2d0b9128d9305870

SHA1
23c559d6ca80d9c1c0771ca6e663b39577bd9e03

SHA256
1b0c7a9c1e4c784ede3f4c6864812b1e14e31855782370454101c3fea5a65087

SHA512
51ebd528f7e5b4df6e21d85646afa03c3d29018a8b11bf956e46a2da3b950401066db3acf0677a56d62485da076b75f2916e9393058fda59c89692d9b60eba45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56361f50f0ee63ef0ea7c91d0c8b847a

SHA1
35227c31259df7a652efb6486b2251c4ee4b43fc

SHA256
7660beecfee70d695225795558f521c3fb2b01571c224b373d202760b02055c0

SHA512
94582035220d2a78dfea9dd3377bec3f4a1a1c82255b3b74f4e313f56eb2f7b089e36af9fceea9aa83b7c81432622c3c7f900008a1bdb6b1cd12c4073ae4b8a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0621e31d12b6e16ab28de3e74462a4ce

SHA1
0af6f056aff6edbbc961676656d8045cbe1be12b

SHA256
1fd3365fdb49f26471ce9e348ce54c9bc7b66230118302b32074029d88fb6030

SHA512
bf0aa5b97023e19013d01abd3387d074cdd5b57f98ec4b0241058b39f9255a7bbab296dce8617f3368601a3d751a6a66dc207d8dd3fc1cba9cac5f98e3127f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
772c4a5d51ebe37bcb005f3ec03343fc

SHA1
65656065c45d45e4099ed72954afbbfb1fdb7a3c

SHA256
92e43d478446e53b3127529a596fdaff483219a78b110733efb4c20d98aa0620

SHA512
e9691cafb02d3a9166ebd79819c06cf7312103227c46b772cacf65719a67be912e650003408fbcc2d29fac2643bd185d2676efd206ad2dd319860a9137fe1189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
345131797657d081608bf71a164109f5

SHA1
5389871d2ced6ba030d091a4710a240edd0484c8

SHA256
21fbd548be2d7e8127c8a0be8e324b512cf4f1720a32b6dc7a00951d1cc517f9

SHA512
c479c35009121eeecdff749edbc21995ca29309f3370da1f98c6b190cd9b42b4b42dfd04ee02ae573e144ecaeda5f7ae5ddb17fc788c3717c7eca2b1a010ed7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bc65f8ae-9464-405e-8241-0177a35fe580.tmp

Filesize
5KB

MD5
49d3d21e0ca630733e074c1302f7a510

SHA1
884332d6096da14f5ef72675cbc0b9413c28d257

SHA256
14efdac7908fafcb6b4fcee1daba9a25711fc77f427dc168f43879a6e0314dc8

SHA512
424a25e305471d50d9293e28a98545f10026b093e1308f79131ddadef75f06f795b76d4b1a389019463cda9bec7bba9ac414d1548d3547b66ffa897b929f71f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7089e55119b1bf72b5a55e30834511fe

SHA1
3372694b3dd8da35e603639f530a66784823bcc9

SHA256
71a3012065f4e6865aca3250f74e0f2d6a89136e6337258daa147e1c5084413f

SHA512
0b34cb87ca78c7d65e711377088c524f803d024033c5f11cc7455a0a3066c97843048a2285dd4b1448879bfbc811eecfd003d89f39e9dbcc58337b620c30c659

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
40133f70b697fb76d08113cd3f76c759

SHA1
088de7502c7ae003d71ec5791431904bd1d7e639

SHA256
a4bcfdd54fc0d01729574b5fd4c6e4db9f15bae55a224adc8c81b4297bab8a80

SHA512
d1c08c91f11d1601a81e0f10d8fff5676f3a297e7be47decfd758bb23954b2ae97cbf6e2f62160d2a04a8f3fbf6f104b4a2b624661f608164f987e06b9b28b4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
94ebcdc7e7194d416bb2e425a23b1630

SHA1
349ee82a0911be1957739056611a8fc4b00408a4

SHA256
be3e63c72c081d56157049668fa8f5951ad3c716fbe4aa206506d8dff4d01684

SHA512
fffc5dd51fe5281d23ef1dba7d1c344423ba121a24eaa32a151b030d49377e52ebb8c2e6ab21c43260773b3ac1ec66363266c417c69e35f9e52968aad6519077

Download Submit
C:\Users\Admin\AppData\Local\Temp\64f18eef-c62a-4809-8acf-625e847e89b4.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5752_23363609\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5752_23363609\c9f860e6-60b6-49e0-b398-825622407238.tmp

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
C:\Users\Admin\Downloads\-.exe

Filesize
428KB

MD5
4e4ef72e167c726a5918dd38c9ec901d

SHA1
0d6502c6c0e0e60be7883ea09514b0bd1a1dd1bc

SHA256
17bfc5e52bc85dfafe14e428825ae1b36bd9f016c0a26dc2049057e4a4d71e69

SHA512
c86161039a7c09bb28614a62f40b34b27f0894fc84ed60ef24919048e0aeebaa0ebe00cd4d5cf2a4537f0f09df2ee3eae666c1ce4ae93711e362ca6591e74f24

Download Submit
C:\Users\Admin\Downloads\.exe

Filesize
37KB

MD5
01f86862e5a3fab03f886eb19089da95

SHA1
8749ecbbac9f911deaee8d5530ef644ca0270258

SHA256
ecfb4e772dd3be3c70e2833558b53c9352466ef193694a32a2a6e4926d810d81

SHA512
c03771ab0e115c95c2af29f1ec3e331e90bac38074bd1eeda741a6e9f4f93d7cf55dd2a6354219886e50055730c10a363f264eeadcb2c06a1fd06a3670e41a86

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 862645.crdownload

Filesize
4.5MB

MD5
2661e9a9b063a4d7a96686aa8e4ffa04

SHA1
cf6af9701e80fb8000f0820e649e9683f7e0e659

SHA256
a3b2fdc9903049997ece0fd5ae96922642477a8ad822c9d8a53d574b8459aca5

SHA512
6bda80210f421d64d8a954564689bdb3fc8f8e229e748c0aca846e9ae2f2b7bf24533a85ba22d0d2771f36a88e38d5918b9b387a6224f83301f5eda70bd3bf83

Download Submit
C:\Users\Admin\Downloads\newuimatrix.exe

Filesize
4.1MB

MD5
f749fcc1351aadd81b6775332859fff7

SHA1
d774f21509b2e96ae96c08824387c353d8b5bca2

SHA256
fa1c0114aca150636c782bf0a161aa46059827ba4690090cf5fe076ffc50d82e

SHA512
434a5fa21e0e138945382398726540393308b4eccb7e3b42f557c6683fd39b519e7d8dc507c73e4fac14c961776d6d938406b07bbf7b14f2f4f15a6f41b090fe

Download Submit
memory/2736-852-0x0000000000800000-0x0000000000C84000-memory.dmp

Filesize
4.5MB

Download
memory/5020-956-0x00000000008E0000-0x00000000008F0000-memory.dmp

Filesize
64KB

Download
memory/6984-868-0x00007FF6BED20000-0x00007FF6BF134000-memory.dmp

Filesize
4.1MB

Download
memory/6984-1008-0x000001A63B380000-0x000001A63B381000-memory.dmp

Filesize
4KB

Download
memory/6984-1007-0x000001A63A750000-0x000001A63B36C000-memory.dmp

Filesize
12.1MB

Download
memory/6984-1009-0x000001A63A750000-0x000001A63B36C000-memory.dmp

Filesize
12.1MB

Download
memory/6984-1011-0x000001A63A750000-0x000001A63B36C000-memory.dmp

Filesize
12.1MB

Download
memory/6984-1013-0x000001A63A750000-0x000001A63B36C000-memory.dmp

Filesize
12.1MB

Download
memory/6984-1018-0x00007FF6BED20000-0x00007FF6BF134000-memory.dmp

Filesize
4.1MB

Download
memory/7004-876-0x000000001C040000-0x000000001C0DC000-memory.dmp

Filesize
624KB

Download
memory/7004-875-0x000000001D8D0000-0x000000001DD9E000-memory.dmp

Filesize
4.8MB

Download
memory/7004-874-0x000000001BE90000-0x000000001BF36000-memory.dmp

Filesize
664KB

Download