orcus | hxxps://pixeldrain[.]com/u/eaViHcxn

Resubmissions

18/03/2025, 13:42

250318-qzwgtatyf1 10

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2025, 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pixeldrain.com/u/eaViHcxn

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

dandev.us.to:1015

Mutex

33346576134e432b900bfc3fb9baec32

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%temp%\Updater.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\Watchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000024257-152.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000024257-152.dat	orcus
behavioral1/memory/2860-250-0x0000000000850000-0x0000000000968000-memory.dmp	orcus

Downloads MZ/PE file 1 IoCs

flow	pid	Process
55	1272	msedge.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	RamBoost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Watchdog.exe

Executes dropped EXE 7 IoCs

pid	Process
1140	RamBoost.exe
5964	WindowsInput.exe
624	WindowsInput.exe
2860	Updater.exe
3312	Updater.exe
4656	Watchdog.exe
2348	Watchdog.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	RamBoost.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RamBoost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	RamBoost.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	RamBoost.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2192_1231407937\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2192_1231407937\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2192_1231407937\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2192_430698871\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2192_430698871\typosquatting_list.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2192_1395055649\crs.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2192_1395055649\kp_pinslist.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2192_1395055649\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2192_1231407937\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2192_1231407937\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2192_430698871\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2192_1395055649\ct_config.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2192_1395055649\manifest.fingerprint	msedge.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	RamBoost.exe
File created	C:\Windows\assembly\Desktop.ini	RamBoost.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RamBoost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Watchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Watchdog.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133867789552780663"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3975168204-1612096350-4002976354-1000\{69BA42C3-C8FB-4C65-8234-E93B6ACFDA7E}	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3975168204-1612096350-4002976354-1000\{AD042669-BDB4-4536-A7F7-F61E76A07084}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3975168204-1612096350-4002976354-1000\{B300A304-7A34-46DF-A029-94C2B2D1246C}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2860	Updater.exe
2860	Updater.exe
2348	Watchdog.exe
2860	Updater.exe
2348	Watchdog.exe
2860	Updater.exe
2348	Watchdog.exe
2348	Watchdog.exe
2860	Updater.exe
2348	Watchdog.exe
2860	Updater.exe
2348	Watchdog.exe
2860	Updater.exe
2348	Watchdog.exe
2860	Updater.exe
2348	Watchdog.exe
2860	Updater.exe
2348	Watchdog.exe
2348	Watchdog.exe
2860	Updater.exe
2860	Updater.exe
2348	Watchdog.exe
2348	Watchdog.exe
2860	Updater.exe
2860	Updater.exe
2348	Watchdog.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
2860	Updater.exe
2348	Watchdog.exe
2860	Updater.exe
2348	Watchdog.exe
4688	taskmgr.exe
2860	Updater.exe
2348	Watchdog.exe
2860	Updater.exe
2348	Watchdog.exe
4688	taskmgr.exe
2860	Updater.exe
2348	Watchdog.exe
2860	Updater.exe
2348	Watchdog.exe
4688	taskmgr.exe
2860	Updater.exe
2348	Watchdog.exe
2860	Updater.exe
2348	Watchdog.exe
4688	taskmgr.exe
2860	Updater.exe
2348	Watchdog.exe
2860	Updater.exe
2348	Watchdog.exe
4688	taskmgr.exe
2860	Updater.exe
2348	Watchdog.exe
2860	Updater.exe
2348	Watchdog.exe
4688	taskmgr.exe
2860	Updater.exe
2348	Watchdog.exe
2860	Updater.exe
2348	Watchdog.exe
4688	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2860	Updater.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	Updater.exe
Token: SeDebugPrivilege	4656	Watchdog.exe
Token: SeDebugPrivilege	2348	Watchdog.exe
Token: SeDebugPrivilege	4688	taskmgr.exe
Token: SeSystemProfilePrivilege	4688	taskmgr.exe
Token: SeCreateGlobalPrivilege	4688	taskmgr.exe
Token: 33	4688	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4688	taskmgr.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe
4688	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3976	csc.exe
2860	Updater.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5476 wrote to memory of 404	5476	msedge.exe	86
PID 5476 wrote to memory of 404	5476	msedge.exe	86
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 1272	5476	msedge.exe	87
PID 5476 wrote to memory of 1272	5476	msedge.exe	87
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2084	5476	msedge.exe	88
PID 5476 wrote to memory of 2148	5476	msedge.exe	89
PID 5476 wrote to memory of 2148	5476	msedge.exe	89
PID 5476 wrote to memory of 2148	5476	msedge.exe	89
PID 5476 wrote to memory of 2148	5476	msedge.exe	89
PID 5476 wrote to memory of 2148	5476	msedge.exe	89
PID 5476 wrote to memory of 2148	5476	msedge.exe	89
PID 5476 wrote to memory of 2148	5476	msedge.exe	89
PID 5476 wrote to memory of 2148	5476	msedge.exe	89
PID 5476 wrote to memory of 2148	5476	msedge.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://pixeldrain.com/u/eaViHcxn
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x268,0x7ffa5850f208,0x7ffa5850f214,0x7ffa5850f220
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1984,i,230663037533797847,18412967300648722687,262144 --variations-seed-version --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2232,i,230663037533797847,18412967300648722687,262144 --variations-seed-version --mojo-platform-channel-handle=2220 /prefetch:2
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2520,i,230663037533797847,18412967300648722687,262144 --variations-seed-version --mojo-platform-channel-handle=2528 /prefetch:8
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3488,i,230663037533797847,18412967300648722687,262144 --variations-seed-version --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3508,i,230663037533797847,18412967300648722687,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5088,i,230663037533797847,18412967300648722687,262144 --variations-seed-version --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5096,i,230663037533797847,18412967300648722687,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8
  2⤵
  PID:5408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5544,i,230663037533797847,18412967300648722687,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5784,i,230663037533797847,18412967300648722687,262144 --variations-seed-version --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5784,i,230663037533797847,18412967300648722687,262144 --variations-seed-version --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6104,i,230663037533797847,18412967300648722687,262144 --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:8
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=6132,i,230663037533797847,18412967300648722687,262144 --variations-seed-version --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5596,i,230663037533797847,18412967300648722687,262144 --variations-seed-version --mojo-platform-channel-handle=6468 /prefetch:8
  2⤵
  PID:2500
- C:\Users\Admin\Downloads\RamBoost.exe
  "C:\Users\Admin\Downloads\RamBoost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:1140
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eoupy0r3.cmdline"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3976
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9962.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9961.tmp"
      4⤵
      PID:4724
- - C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe" --install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:5964
- - C:\Users\Admin\AppData\Local\Temp\Updater.exe
    "C:\Users\Admin\AppData\Local\Temp\Updater.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2860
  - - C:\Users\Admin\AppData\Roaming\Watchdog.exe
      "C:\Users\Admin\AppData\Roaming\Watchdog.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Local\Temp\Updater.exe" 2860 /protectFile
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4656
    - - C:\Users\Admin\AppData\Roaming\Watchdog.exe
        
        "C:\Users\Admin\AppData\Roaming\Watchdog.exe" /watchProcess "C:\Users\Admin\AppData\Local\Temp\Updater.exe" 2860 "/protectFile"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  2⤵
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:2192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7ffa5850f208,0x7ffa5850f214,0x7ffa5850f220
    3⤵
    PID:4552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1932,i,4573412500547527233,15942858127177178492,262144 --variations-seed-version --mojo-platform-channel-handle=2228 /prefetch:3
    3⤵
    PID:5260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2200,i,4573412500547527233,15942858127177178492,262144 --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:2
    3⤵
    PID:3704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2356,i,4573412500547527233,15942858127177178492,262144 --variations-seed-version --mojo-platform-channel-handle=1680 /prefetch:8
    3⤵
    PID:2852
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4268,i,4573412500547527233,15942858127177178492,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
    3⤵
    PID:4424
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4268,i,4573412500547527233,15942858127177178492,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
    3⤵
    PID:4936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4660,i,4573412500547527233,15942858127177178492,262144 --variations-seed-version --mojo-platform-channel-handle=4684 /prefetch:8
    3⤵
    PID:5540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4688,i,4573412500547527233,15942858127177178492,262144 --variations-seed-version --mojo-platform-channel-handle=4704 /prefetch:8
    3⤵
    PID:4108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4680,i,4573412500547527233,15942858127177178492,262144 --variations-seed-version --mojo-platform-channel-handle=4760 /prefetch:8
    3⤵
    PID:3412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4656,i,4573412500547527233,15942858127177178492,262144 --variations-seed-version --mojo-platform-channel-handle=4676 /prefetch:8
    3⤵
    PID:4624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3452,i,4573412500547527233,15942858127177178492,262144 --variations-seed-version --mojo-platform-channel-handle=4768 /prefetch:8
    3⤵
    PID:980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2860,i,4573412500547527233,15942858127177178492,262144 --variations-seed-version --mojo-platform-channel-handle=4028 /prefetch:8
    3⤵
    PID:4536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=764,i,4573412500547527233,15942858127177178492,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
    3⤵
    PID:5872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5000,i,4573412500547527233,15942858127177178492,262144 --variations-seed-version --mojo-platform-channel-handle=5032 /prefetch:8
    3⤵
    PID:2688

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1540

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:624

C:\Users\Admin\AppData\Local\Temp\Updater.exe
C:\Users\Admin\AppData\Local\Temp\Updater.exe
1⤵
- Executes dropped EXE
PID:3312

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4496

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4688

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa66fbdcf8,0x7ffa66fbdd04,0x7ffa66fbdd10
  2⤵
  PID:5632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1972,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1968 /prefetch:2
  2⤵
  PID:5656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1576,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1804 /prefetch:3
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2360,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2404 /prefetch:8
  2⤵
  PID:5468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3392,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4408,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4456 /prefetch:2
  2⤵
  PID:5824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4712,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5380,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5436,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5604,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3620,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=240,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3516 /prefetch:8
  2⤵
  PID:5236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6092,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6108,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6064 /prefetch:8
  2⤵
  PID:516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3656,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4412,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6032,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3524 /prefetch:8
  2⤵
  - Modifies registry class
  PID:852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4604,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6048 /prefetch:8
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4632,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6156,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6316,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6328 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6284,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=6360,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=868 /prefetch:1
  2⤵
  PID:6056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6616,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6292,i,15977855047496236753,1981111327037788365,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6624 /prefetch:1
  2⤵
  PID:5352

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping2192_1231407937\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2192_1231407937\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2192_1395055649\manifest.json

Filesize
102B

MD5
a64e2a4236e705215a3fd5cb2697a71f

SHA1
1c73e6aad8f44ade36df31a23eaaf8cd0cae826d

SHA256
014e9fc1219beefc428ec749633125c9bff7febc3be73a14a8f18a6691cd2846

SHA512
75b30c0c8cef490aaf923afbdb5385d4770de82e698f71f8f126a6af5ef16f3a90d0c27687f405274177b1a5250436efddd228a6d2949651f43bd926e8a1cc99

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2192_430698871\manifest.json

Filesize
118B

MD5
9191c4202582ea72903a86ce4e48a007

SHA1
91377355303e460951f8d4af612f80d86e5071fd

SHA256
945cd01c82a269c67b1bd6b76dda407b9c4289e4dfbb4a5d07e4a6b389430b93

SHA512
c4784538afdc8c3de223d187001c13a7b6c0309feffbcb88ecc689357ea04252e0521a5319f7b28b208df9e6b3880f54ef7b08b0ba33ce458f1277b3afcbff7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\38907665-d960-4976-a99b-2fa0d63763c1.tmp

Filesize
80KB

MD5
57a72ad46ac55182e8929a2abf8ce91a

SHA1
3e9306546eccc77a0b593451b32cd9bf8fadac79

SHA256
c34e52d20f1cb9c0a9e9eb8edc3562a279165c4475fb81f0ae20834cbac4b37c

SHA512
8b25e331a3d9ba9e13bbf6a2bb91d3d4afeb9794661337dd8fa33b4f10835011423f58aba33a77592ebb64d6e1982b3b62133ce60c3fde0cb3d69da52efff57d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\2368f63e-38b1-44b9-8742-b9c7fc9852e1.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
64557e11d034c57008adae62ece46e88

SHA1
12253e1035d51e33b0ff2600db389a1c087038af

SHA256
c94b6a23791a5623df0cc37c94411c677f23758240331aec3440e03402ec8d83

SHA512
a364c0b20e0dab6d3b18998bfbacdf13f93d0a00e042006ae5480f70fb6a5121a5889b01748e7f567ad4b2b35720e505392ec2ecbeab586f07e099f81068e99a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003f

Filesize
215KB

MD5
d8899b1c0aa7c8e5836708fa76dfb119

SHA1
3ac6fbb49e7350221da7ee4d658efa239f2985eb

SHA256
106b6d9e8fab32613ec95b387848efc1a8b411ae4609237004009bd330e1a67f

SHA512
9f97e9187e145377992ecce519189fac8a3d13ee1c8fcef31b7aa1b2e5d1aacf0275fa031fddd40ab1bdfc855d549053f4dc43b65e6baf985924cad146d2bd2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e78810ddc68602fd2cc63e106f76b579

SHA1
b8a8a2ec038938a36e045beda027b5349ba8286b

SHA256
94a6172b7c43cc123643a391abe6e8f24bf499ce5361cceaa0bd9e38f8307943

SHA512
729cb0f80caa689e2a02ad34f7f47159ae86cae709c1dd766837bc315df6663a5646b2590ae5d7f2c70652a4275b5e8929f178ba56feb8b93cec76ffda104e50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
446ac34a6cca38d2ccd0505d1f3d98a7

SHA1
c5b1c8bb8d36dd8a6048449f5b1196df7b0cb3cc

SHA256
627eaa9ccd27eaca18e2ba59a7dae8439ce7bcd1948e8797078800de617b6548

SHA512
fe45366103a65ab1b00428bfc7478da0a185918f21c29102b1728d17cde020dc8c35d3f7af68af96e6ba107c139e355c653636d8a17390c00767cfb11d483e2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
47deccb4300dfdb5224c6bfe2ade1c54

SHA1
2292b7eadef6ebfe86c38206d8f083518a043b1c

SHA256
1ca884c7c5df0192cf0724e71393de82559ea8b55d90d9c6248ba0bc29829c04

SHA512
ea272c128d94720e619c513b1e5f281ecb45205842b23e0f53d1f7cc5c542646bbb8689084bfc70b5cdfcbdaf1b51ef2d62cf7d865148c00656a1be4561f7f50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
521ecb0259f52423f701ba0bac07c597

SHA1
9bb3e3db746cd4f35784ab6416cda2349db51aa3

SHA256
61489434ee316c3020f94a56c94f48921ab355657ea2ae45f704bc1b7a15d283

SHA512
bf4b66be63520aa6798ca29ac4ee97e3530233030a7332f52047ff49807d42b9f0bb4651aa1eb155fdb0bf2bf22612ccb300513e0c1177274a1e9f97aed81397

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
01a4ea949370e42d5943460bf01d370a

SHA1
129dc5efb4d75a8468f6a656b0ac89b6b061ee64

SHA256
18679fa083ab7fa979659784db50cd8ea25431be6a5cd6853035ac8b7cef1d9a

SHA512
77790c36e48249fb8436df01e1b7b9f0ee6f9fde5b3101de332c0cad5c3cf2d1902257a8af4fcc43a853f42c55abcc72faf7b3a892311a64e5537e145046c32b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
90812c63c61034f1525bd5e1d3c29e2c

SHA1
b28bd40f991632f7614595154fe1b06de8b98a58

SHA256
178c3d2d6682bd2f84e55ac57ee7cb43db105798bb212622697f1d976eb73d24

SHA512
0e371df6269673ac8166badddd3202e42ccda36a23f0467fa191100c82a670ebef648922dbcc7003ccb5b67be523d5df37600a91fef5c766bf32308a24e6477b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
156bb596168f2f50b1b014ecdcd6732d

SHA1
591b77b508027b2293739aed62702b8222cfb01b

SHA256
060f19aaf91426922b2856d6234f53cb13cd1b3dee2d15f2bad600502ac20a40

SHA512
c6e8aa6e4858a0af1dd8bd0f11175cf9c7e73aa316c2eeb5cc0234e61bab849030d16352db6e11dfd26af7492737c9b859ae5f145b95b55dd42b8bb5a87f796a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e4bc3d29d2e6b279a2ca6032e5995f7d

SHA1
d2dee557a4ad0be66c6340da6c30cd4dc61d73f2

SHA256
e6126c19fd3f1c68e5755973e27f62dae209347dfc9669070bb8afa4551e4cbd

SHA512
76ac2c73c5ef07c7fee43e5d35ac5ab2b75e983d3c42b9a0edaaa01e6af7fb9c81ff4986887d64ddb2c705919cb630ef87ed4739e41100766f2fd1381c72e352

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
2aea60346f20ca8f60a957e55696ddce

SHA1
c3327782bb2bc62489fdbf78d11bd4f4b3528659

SHA256
f2d50ccb0e1c70a169730ad4970a1dfcd448c773ae25faae55d8be8d6817bc6e

SHA512
6d487aea6faa6871e2dcd9588c0eac5aa9d6d3df783449a799c4d086edda0262fc51555861a7a37e641a34c67b0bf8604fbbb9c36ebe8663705c5920f296166b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
fc39a8b0f9fe5a09846ce9500bc58dd8

SHA1
59650b5ee3f8092249b2dde3ee861feb574ecb11

SHA256
e713463bde8459ec5d55ac5045eccd60a781596c3799526ee17cdfacc6d161cb

SHA512
5a1c2177f765d5de22c6644823f10202d0e2e521992e9a44a6dce7f5ea1662f462a6f3d4cbed4f675c363286f9cd67d7cbdb5c5d8ecd2175857374fe288d9aff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58e2aa.TMP

Filesize
48B

MD5
356e86616777c6798b1168f5c9da14e4

SHA1
999bbf2a0fd6fc8deb9299afd833d588d6ccd715

SHA256
5ffa1a706ccfe0824594cfa44e622174c3ff3c258f8f9153337d168fb4949f89

SHA512
1acdb6c6138407e4b09cd28da67f12807bf48a2556f0a1b5692f8aa6a1473d017a7e389b04d1933763d259b21eef4df475d2073bb14ab7d1956ab532da48c7b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
4e5cf9574a689905d19b7d6b3404d031

SHA1
c4383d78098f38eb58d40cb3c51d925bb7476fc9

SHA256
a2555422847869d753effba4b9ded85cadea1d1b317157f721852f5bd10de149

SHA512
bad90d809ecc5c303356bc777a9ea454f5265e3ff352af602744c57e287968e3c105ee54de1af02015f86e1750073d50a64cd45c712d998ecce9917b8f82437b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
d9a752292469196789acfe9b6f52f3dc

SHA1
af9a03590792fea9652fcb60b870308bed5f8909

SHA256
97743f2b1a82dc09e190e2fa400a1cba7a9a039ebb6c52bdba907277a82beab3

SHA512
6d22549221d43074db8d8428f6cc657047df635db8cb6dab71a31d57bc233f46c85e9aa37ee1fa7f56c95f6f883aa55a99686c572c35eecf56720b4b942112cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Watchdog.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
65044109d1beb8ed8d59560642cbc519

SHA1
0084485b0aa26069232fab51ee603682e8edfd17

SHA256
a1e0b448218678b30356cbbe4092ea091435e7450822a9748361b6e8b198962d

SHA512
96dcc68fe92f98c4329a8335cfffdb0849a52562431045ccc42076bda0abf3842491303fb669246bfd04e64113688d3f90000a09571dd76ff84b52e34e45f9b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
21c371a45eb5c9fdfeb476d2810d66f7

SHA1
11fddfe146f642082e28b44c5612c597d4649440

SHA256
11cd0ab5ffaedd42ebcce9ec9a2d9cc2fb6ee6821ad002cec3a8a9becd3e5bcc

SHA512
2a0faa2815787a537064537eae4fb35275631d3fbbe44e151200bb18957238373341c8e839134f286a14af087feff9019fd1e7581d0fc7403ed3ed7ed1739a82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
9d8032889fb2303d83e589302a437083

SHA1
a2fd544a1c266758946ca3864fd635a453599acb

SHA256
00bd0382c3f93152aaef7398c18c8311d820d3605f4ec0e1ae5763c6ed6f0330

SHA512
9bfc843b4f9f1c605d3d3ae859f11f76eec7ec2708a4c9af00b937c68fb4e39d196fffa3b0b88a79af3ada76f24dd757b449ebc1cc8090e584160085e2be2932

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
f9904de8e2ccd03a4dda10528051aec3

SHA1
ec4c39b19778e7f177d86520ed40e25d73d5da24

SHA256
a58343f15576175275a60066e6215157df4decdd64899432c84d22e240c76a0d

SHA512
4e759c03538b76d5f0f937da2cebc14222896147855c5dd1f3a04f11db739cd0a74575407b16e72d6bc80ce4d6dfac225b1d7a4ef22edace94a297f4d95c5f84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
088eeec3819112f45ca73af3fb65eeb6

SHA1
7643a8af406c3f59268f92f28daf0f14990e773e

SHA256
2fb427cddb298aabc55ccb0eb19914b0df5e31c1b302ff84563bc22c8ef6f035

SHA512
2b7196fc0a051eaf1526e679f30e0b0c474fceea42bb41e758bbb79d60d03435e7b176d287151479ac4dab5db1bb6f59635d7520f27100865778fbfdde5620a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
9c1ffdeccc7baf3954f7588f5580f1ce

SHA1
faaf28367054aad6594d15668f739851cd901153

SHA256
18767317eace83e161d9af8584ca270931ef505575fcff3eb404abddb5811d11

SHA512
7ca2a642092f24d892759d04bfc823744cb31f7512c88e91900a6d8cf2be7efc3adff29f586791fa7d324cb922fb04448c8d78db6ecfaeda65d8c0881b99a138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_3

Filesize
8.0MB

MD5
6ac3a6a72a77494e0dfeaf39e82c27f7

SHA1
bd0819f2fab013fb9f8c3f494086bb10f6b7c6ca

SHA256
52d8bf545e15065518342e33ff32013eb0bb2bccb5522654175853fdd43169b3

SHA512
55b3002b48945ce1dc526af1e974d9e8b66a9c958cdc486da856001b72d6d92967227d0f2997c535149d5378d448ceb83d804989cb48b0f8ba9bd09bf36d4710

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006d

Filesize
439KB

MD5
2397f68aef8214e7c130ce09dcd331b2

SHA1
af3bc044e89960907857d63227f554f8351f9689

SHA256
a4af13e2a03651befa365e5c946532dbad404dd2a3dca381cace75a26a1bead6

SHA512
4c4ffbe4849ff744b485997f47f333ddd332715de5464bd202022cd00287a88ce70a80997f2ca0e307b598abf1ac9e5893673b9cabcc470931410577f3d1b03f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006e

Filesize
125KB

MD5
53436aca8627a49f4deaaa44dc9e3c05

SHA1
0bc0c675480d94ec7e8609dda6227f88c5d08d2c

SHA256
8265f64786397d6b832d1ca0aafdf149ad84e72759fffa9f7272e91a0fb015d1

SHA512
6655e0426eb0c78a7cb4d4216a3af7a6edd50aba8c92316608b1f79b8fc15f895cba9314beb7a35400228786e2a78a33e8c03322da04e0da94c2f109241547e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006f

Filesize
19KB

MD5
5e5ae2374ea57ea153558afd1c2c1372

SHA1
c1bef73c5b67c8866a607e3b8912ffa532d85ccc

SHA256
1ef458d087e95119808d5e5fecbc9604d7805ea4da98170e2c995e967da308f3

SHA512
46059e4a334e0a5295ebcef8401eb94b8fa0971b200f0f9e788ed61edae5018c917efd30b01631cbd6bdadc5240c9fcad2966ea0aa9c94b538bcc369e10bbbaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
49a90dc8d39b2ea194e585733abdd073

SHA1
1873b3001f22f123930bcaa004f6c28beb53cac2

SHA256
cd811eb113015d4d23281633a500ef9cb972649328352c10658bc5577100ee63

SHA512
a02b5fb40d72f3b9919760e9ca1093518a1f21ff69a142976e2895083bb42c3df867670629e547f0ff46161644283527ce367982993c9f95b406fa492948598e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57b2d5.TMP

Filesize
3KB

MD5
fd92d2a72bc9768a7606f48ce0232a28

SHA1
4e91b1ec927127f86c377866edc71a1449e0e357

SHA256
a4cf5f7943b726beac7c71aa5501e4c4012a4e89d8da1bd0694951ef4fdb662b

SHA512
0e5645704278fa896915c881f42ac0841390b0e6c372954ade96d1325a4d21ab1204a17db9bcc5e4fec0f9cc1f986f5e5e6f9e7818ac390b371cbcb8363d8ced

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
4183c2b1e2f1c1c360908fecb414d31c

SHA1
9d644731cf0ec057d1fbdbf00b2d974a3aa308a7

SHA256
d537d8b2e059d52335c35de69ed7a9f90be7385b5c8ef42b3a2053f065ec493a

SHA512
1b2694b32b8d32c13d0064458ee99aed9d3a8c77e70e91531d8bfa62e3cc16140f5879306df03965559505bbff0a14f55a0a14fab98593322e725d9b806a3a24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
24KB

MD5
12bb03c88753cd0cc7bdef03131b6375

SHA1
880356297008bb3650959601ab56ef1bce3a3bb1

SHA256
ee75feaf95f064f260e84f1f514ce2f3ec8b961e0cd37a54948511b74e89c3dc

SHA512
dc26031c9f23af4b018d0ef004ad8d5ea0a9688163f71692bae1450485217e7223e90a8cad19fa3dec8de2c1366c41eb64902d9ca2e61fd80a934230cb3eeeb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
192KB

MD5
8b39039205ee5f47715b876e4acee2fb

SHA1
1da7174976b1ffd45c8d26a363b529743345439e

SHA256
e879e73ae9e192531d341fa9afe0a74e2edd8d9c19dfba456124c5b901200f87

SHA512
9775b153bf2e76b09d8de450d24e93d0d4389ca323a9440f378e92f20348d8d233ac85fc6088ada10f9c516d7c5cb296d7fc19902a8620b59ac1476e58ada570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1c570ead458748cb99091e65c47e6e61

SHA1
0dc38835722a40483d9657f6a7e90f1633d5c836

SHA256
f17557a512cf897e666e76ea4d6bf20b6851323341bda3aa17b9938c7fe7b2ec

SHA512
439603817df3aedd703f649db5a9adf24706a409e2f8d26590725e9399cf88c898f8ccbe8e04f005f4217a824d92ab2c0e39ab6a7c69ee437caf0e4d55335899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
189B

MD5
667773a57c2b32214e187d9977e4eae7

SHA1
2f7b4fe010dc78a72619bdeb7933db0d12b2636b

SHA256
e4669b3af25bb51094527990fbf3f80809c3c03919ee619b79b46af3b2704e49

SHA512
425d43b20a9e4d39999c88f4fb3dd6b34283945e9c0b014221bf4dcb5b26a47b14063bf26afdfdd7d9b41b3ac20aa93cc7251c4a117b583f31e79446fc33bc1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\aa060c4b-7758-4d9a-82ce-49fc3cecf19c.tmp

Filesize
1KB

MD5
bb1a49e351de44f09932fdf77e619556

SHA1
cf425db736a71c3bcc431ff0d5740414eab3a78b

SHA256
3b584bda6a3c2e646168c243a3a3bc0bde057cfd1b5be8bd1241497fc4559221

SHA512
cd4a356aed5be3729f111805468d7d15663645515ba89ffb93dc359c7acd72d97de055bb8bf79641a7d6ab10df25167073e47ef4ea3bf634926784d3b12d38e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
6c366a604f60802f6b7d53f9702db025

SHA1
1da2f2c6f9fba5dc957518b09b1d429b5368c3b6

SHA256
7240490a86bc3ff6be8d24d24b2c46d15c288f4e5a473b996353669c9db9f9db

SHA512
8b2d34ae2e0e196d6adde7b0421333af91207105639e121221eee49d0af59f462736b59938bb2ff60886e5bf78d5f0131639205da485addeabd6d83c61212aef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
b9d33524053bff4ca0c3f35cb452a28d

SHA1
48444b91c563771890a81a2edd09c26839d47b3e

SHA256
78eed1cb0e2da603ca5ef9e0cef03d9382c002b1ea04c8761ed5df455b5c7e91

SHA512
2239ab76559f719a2d8b1a4d4aa34d6829f8c6f8b799067841b605149a9ed96dfc1d6d8c56a4f228689c10c80278b2c5cb1bec4641d94fe1ebf780504cc2fad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
5e906bcb51a9c55bed16dca639c4e6eb

SHA1
746457e2c5dc6d5c46ea5badf453cebea24ef337

SHA256
23704529d7ed056dc66d7349399d526603822f683888e2c28b75298250312770

SHA512
3bcefbfae21e8a049306b3516585563db7163d29eaee98d4d8e4451a5da40f294a59fba5dcd516a8d55a1f079b61b6258295a5117700a846951618f40b55f239

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG

Filesize
335B

MD5
82594548f53c0c66b6de9d7dc4c49de7

SHA1
3492488f4ec4375cc151d5df928fc256c672a57f

SHA256
249f7c30042e7121d84b01f3a1a6c24dacbd46d30b4036b10b0e34f25406f9cb

SHA512
010362c06b99888168cf248f7d8857b86095bb382bb59fc814c63a4d1bfaea8696965e80593adbb73fbd2ccaae696ec1e3adeb94c50997e05cb8f472dcb821de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
45d16f9efa7b47323dd9adfffcc55c35

SHA1
6c9c3b548184c6425428e66dce5cefa428ab587b

SHA256
274500eea287b8735e1c9d55359f34db7519352ebb10a27f8652efb82f1e4b81

SHA512
82b667ac0fbc4c8130699c74fb859300e94341b1c1536aa674889ea2ecae0a09ee39c3708bbb91fe66cc7049f367d20203e9bcafc97fef4c9eb9d677cd8c4a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
8835a9ce8a4438fecf3b4d30042ab0e6

SHA1
09ef2b420f138a7e637ae737e3b7425dfaf70397

SHA256
71883e16e663ded051ca38540c17aa91a38cae532bd04de503622281a38323d0

SHA512
0bd98107a3fc19f84940d7cff7d6f9867fbc1ac3fe64f095964ced5b76f3b4d332b6692584a27c127009e79d1d469be80269129e1954629cf571618d7448e5c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
320B

MD5
ea7e4aca2abf130d6790f9dd16bdbda0

SHA1
f145340321cdeda953a306ae698c70df25fc0a68

SHA256
365236d8e4018ff0366065f4164a81b74c188449cdc3083fb6fa7748680b6dc6

SHA512
d29d8466305010cd525f204e36e30a4b3240589e99755dcd79b0e96cf74dd1605a47a1c7d168fc524ad3df3afa8cccb7a9cccb8b95076e7aab839ee39add68e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
62d4ed2dd137cbab1b1f4eb6bdb4a2ea

SHA1
6feada3d1346c9fdef4c150a318c0c3eda802a7e

SHA256
537c9162725af280fc82a93e3141f2f6d34e47cc3fa9e8c65c96021e1a74fc8c

SHA512
bb3c6b32c845f8ef4b5fcb6a93137a7d22c7a0fe258493e53475c116e46c26df3bdeab137d6e2161a0a19bbb6aa891a14e1f9ad2b62cbf64b01dc7272d09a115

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
6edd47e22ae45b8f5f57af2c687972ec

SHA1
d6c8da054d683773fcda7865ac4289c8f7af3d8b

SHA256
94f70f7da512c412f0f3271b2783946e39417cd473086fa75f52b8a4f003081b

SHA512
eff0e4b32fe8cdf1e460bf4cb4254e7e5d7372fc2f1ce355673abe25b1c6943cb59090d78e4ed3f57b90715487b3edef5e7dfc4908f73b0719a7ec3d05caa8fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\default_cloud_config.json

Filesize
12KB

MD5
18261eb12378081f939fb9415ca0c9e1

SHA1
20d4ff782e17fe45e71c3f9fc60a94655f72ec7c

SHA256
12bbeec9a0af9e3ed945b28b9b8ef89b2f897768d1ba3ffd6f3fbb42fa5bc556

SHA512
fef634b4ce77c2f36ce1bdd63e8ac28e76cd089f0bff33f4425c757ddf37fe9fab30dea7b5bb51c91eb27012cf78800e03643e13d51a25bf624ce58ab3488a80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
4800603fda5b7e215fe221dcafa850c8

SHA1
893220ce2cbdab1331ed07bbdf7b42e7c954eb62

SHA256
d12f856d3144a0a75799650f3211262a0382decacab8e7b35023441580066e99

SHA512
98662944b5e96dc5f85ab7a2c6c6402ad5cf564d4d90e6d2d5646fa2ae21dda15181a8c0bdb82424889d3ac024a057cf20471dbce76f07066b741dabd05adcd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
18KB

MD5
20ef1b6d628fc8b8cbe445a43ceaef5a

SHA1
11b63e27724b039dcdb55382bacb9c4165cea690

SHA256
0a014b10a157d07493acdce68da3389e09fbb1dd05d86edf7a9687cd2261ddaf

SHA512
bdb2f3c2220588d8c04a580cbcebeed748f964aea62aceb4165c8ae3055125832954eae9593d8da176305d11fc5ceca455254e64118d58714a8e6b5e447d19b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
e6946a4b121bc4d4924b1fa237f99a93

SHA1
855b6a3e91a7222cbadba8987df4c4cf0e89a4f6

SHA256
4270c351affb707f8785c61ab9da58068b3744dc0ab89dc7e50fcfa914147096

SHA512
909f62833105aa4ae9889e6057dff92dddf148f23ac0475d208fb16963d1bb2740600a01090cee95fd226763a5abbd6208e3ca72cbc942cecbedc19e00b9c8ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
814ffc83bf18a6310ef6cf6376f28bb3

SHA1
e86c6c1cec566e0f155d2d43e6fb3eaa658bc779

SHA256
5928a5667e40cc0c42b61667b21f7b02cb207758c66edf2daddf741396a3c242

SHA512
80ee44589ecf2efe3aed7b60d59f0e4784261e48c38a2d79ce55eaa421b699ac9207be5a9296a7a7d321d314d99b6f8ebbb86a28c98629b80458ac6cca4d1230

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
13B

MD5
3e45022839c8def44fd96e24f29a9f4b

SHA1
c798352b5a0860f8edfd5c1589cf6e5842c5c226

SHA256
01a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd

SHA512
2888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
b4b77913e2a7e738cf53d93a1d6802d8

SHA1
688ba51945e6ddcd6237a7d00bd0686e39b4f92b

SHA256
f3637900465f2c94bd7bbb9e5086a554e0f84ec7d7a464657b391799765311b4

SHA512
03758ffa0e5f748fccf2b67e3e0efda805083142ca0e076a70608cb43d698137a41e1812f288c7026e6f5dabdc9b135fbb67ae6c568c744949a8a7822f5c9a6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
792dcda64484452bbcd4be5390d92a3b

SHA1
349f7f0c593f386c53deedd984466a705bda7824

SHA256
22c6b75ce0091e34d415e5cae519b03d821521d0e6616b8d2622a1f98c6b8074

SHA512
178c714bf4ce5e507de482bf87ec3fb9b5dec7af0d8c5269f157709e1616cbda8cce3f9b69e4dafe8d2c10cc2f752edc6a79315960894c7afa9f9357456cfbf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
a171ffd4f77db678035c8a4de3c2b338

SHA1
cd49930e5d5618839db19146162716091bd99ceb

SHA256
e7eb2ef5668fbf9be35d9d2d0dafdebcd8d625e863a80f71c7cf50625a0cdbbf

SHA512
eeaf235d3188bd68c836793c903cf482a0a2c9246df3b788b326e74b0ed7f85a8b60aebe7ad1c321a606d6fe945455656b700bb37ec352253ace44e4526e84b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
dd8aed1266a8ae419f676492f2b39982

SHA1
8aed27dec32aed8e3cf89e6a1ff53cf8505bf234

SHA256
a6e65e6eb92eccef870ca329343f20030b6eb03a114dda706826cd7436d2afb5

SHA512
777249d2dc92b48d197d86427ce804d5ca46f2c8175b982fc9bd727afb4f6674f495367a75a2155f9bd9d13c37409f5e8f74c87c2af92eed603827a73e863c63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
798e84c540c2231951a53e554fad7809

SHA1
e60da4e552c305c34737d3aab393fb811ee37b56

SHA256
a81f2056482da9e1a7463bc9972c704b9484091e370fe5563bec304da27df120

SHA512
59d996b9077218efeb2cb2dc5cd99a555a52a78805295bb44b04710ebc4cc8fa6563395cb3242dd637511e7be395ab6fbca170f1220c597d45ccb99c7d75d8cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
7b3197b965728903a861fc270dd252f9

SHA1
b7f4f4b0c57d3d509ee614957ba51d470d93f3ff

SHA256
348e2ad75a79d83a0ea341e3f7f9d3378a6f27b375cfd2f97ba97b6d6f1e6a6f

SHA512
038a289d4382e1d839d237a15548f8febb3f332952d5961bb98854a6c11beeef3e2d97785dfb7adfa3c7f39059182a93b7d0dbdec40513aa8bd51b7134cf51c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\crs.pb

Filesize
289KB

MD5
2b59269e7efdd95ba14eeb780dfb98c2

SHA1
b3f84cbc37a79eeecb8f1f39b615577d78600096

SHA256
ff2ced650772249abb57f6f19c5d0322d6df22c85c7cf2be193b6134e1b95172

SHA512
e4b454db2248021e0d198805ea54f1c0cfd84b9716a9348b1d0e0acb7c6fb5dd0839e532a5eb6d4410ab759d6688dd6cce8375ad55a150d738d280993142e9d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\ct_config.pb

Filesize
8KB

MD5
811b65320a82ebd6686fabf4bb1cb81a

SHA1
c660d448114043babec5d1c9c2584df6fab7f69b

SHA256
52687dd0c06f86a2298a4442ab8afa9b608271ec01a67217d7b58dab7e507bdf

SHA512
33350cce447508269b7714d9e551560553e020d6acf37a6a6021dc497d4008ce9e532dd615ad68872d75da22ac2039ef0b4fa70c23ec4b58043c468d5d75fd81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\kp_pinslist.pb

Filesize
11KB

MD5
0779206f78d8b0d540445a10cb51670c

SHA1
67f0f916be73bf5cffd3f4c4aa8d122c7d73ad54

SHA256
bf0945921058b9e67db61e6a559531af2f9b78d5fbedb0b411384225bdd366ec

SHA512
4140b2debe9c0b04e1e59be1387dca0e8e2f3cbc1f67830cbc723864acc2276cde9529295dcb4138fa0e2e116416658753fe46901dfa572bdfe6c7fb67bd8478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1

Filesize
264KB

MD5
c19d141cbe0a95b43c507e36f3443cb1

SHA1
6a8acd442746860dfd363da2f5e41fbb38155ade

SHA256
f1dfe71fd0ad3a64f1548d51a812475cd2dabb2f38e2b73d828bed2c181f4317

SHA512
c2f3e393043495955c5974e92c55fe55a37560f62c54354e810155bdffe57e0e75ecf0c3775dd2f327f3f6f30bad566031220a0dbf30d29bde0d9403375c7bf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.18.1\typosquatting_list.pb

Filesize
635KB

MD5
9bd22564aa3ca907ecb09074d0f011b8

SHA1
1f15761be36f2fd400e6ce7f9fbc1d613be8b81a

SHA256
a295e802149a6350aea7d9e132e5bf99c36085bb18ed5654b501a9c1d24dc4df

SHA512
47b17689549f292e34957c2a89dd273ace59a69975c0450cc9a88ee3cb5c2fe72543c370d858bb15e14002fc387d3ecdc1fb2eada53497ecd9fec8e0d6b2aa18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Variations

Filesize
85B

MD5
bc6142469cd7dadf107be9ad87ea4753

SHA1
72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c

SHA256
b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557

SHA512
47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
2d2f6163d813ee1076154d050557f387

SHA1
ecac0f4fd3b275f628e4a12c743889b838677662

SHA256
af0ac871eb6c6bc656c83bb3c25141cbcad67cd8de47bd8dcdb08b60fee95f44

SHA512
dc93478c62d27635d5e1c2cd6c117179eda70d26cdbf15f74d2369fda5a8cad16856278b5140620cd484725b0d9158640ca75db2269df5e9db878c7990ad852e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9962.tmp

Filesize
1KB

MD5
af17b55fc055298a8a70677107ee4578

SHA1
3ca31a803870c4ac0e03058e66994267e8173e16

SHA256
e8ef45a1ea239d3ec04474c0067167153dea74a3a8e13a7e462d864c46ce914c

SHA512
4cf0453d957fd68101d5eaecda53139f136d904d2d21f8697827525fa940ed6b7764cbbdac3f77355eedba0a1c45f9f8b55cbd3a38c2ac5d985cf4b59ad04089

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoupy0r3.dll

Filesize
76KB

MD5
ed13e4e376067e9b9cca574c0431687b

SHA1
95ea17ab542134c95e26acd1b8c1f17eea77add9

SHA256
2535b2b64edd910780781d177ad6ea7bb9486e538909d9c60e4d25dcdcd748ea

SHA512
d89b365b717a0bc7f3e60bef26bd9bc11e2e58243531ad59172b39d47a5ca545371b1548b0e8889c0bfdf905f49b1b6e18a65f1fe08c502cc0cc1ffaab80a75f

Download Submit
C:\Users\Admin\AppData\Roaming\Watchdog.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\Downloads\RamBoost.exe.crdownload

Filesize
11.1MB

MD5
a5c93db4c83dab084d6d4ae80ce1e527

SHA1
e90866ae65781058b98cb155e35b7ce1445d6139

SHA256
d9dc36b7bedf2632fe0a7ca99478b20406d288a69bd7b65e5da2c9d748a5b81f

SHA512
e61fdcabc99dbef705ac83dfa347c5f12b584ceec8b4f2fa7997a3f12722944987e65620d2f8764174e2145e7b3e7cf31372f4a591a38e4fc4496063f03e35b7

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9961.tmp

Filesize
676B

MD5
46c4d36afb732e632a7b8ef45fb5526c

SHA1
0a7e9452f29f1dbbbbf3df46f146670bfa41d46f

SHA256
2348f3ded57afab94d642d4e1b07a375322a77c056a36ff525c966c73f65d6e1

SHA512
32ea400b8c18c365acb58095bb6196a6bc52e060823ecd8ac8f607e6c5f44b61d3cdd731f44955ee59b876471d80f02d90ba78e1c0439d6f18380d66c024708d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eoupy0r3.0.cs

Filesize
208KB

MD5
82278f6d01b318191b91d074af17d458

SHA1
404246cd485ddb67fe76e139cd445b49ee99b25c

SHA256
7a337cb8df27ae863a7949838fc452f9cb412b504092b2d56d866f6822f1e9f8

SHA512
1885e0656ba314dab21a087a07ab67c2c808bc2b60dc6f8fec3ee8222c18534ad65f8e20a8090a249353840c294c7c5249dc72144c8bfa5c57facabb32c2fe10

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eoupy0r3.cmdline

Filesize
349B

MD5
783524227b088c0f626ab7297e0a6d38

SHA1
309e31c0dcff7749387f491cb3e3bf5a1a3c94ac

SHA256
1dfff99791d8cf51c3c2ff50220e1ba3c9be94ee86c2faa36ffd5b60091e1b2a

SHA512
d849ea25f5eff025b3738aa224a36fb64a740ac9ee81bcb7085c6a04cc513ce8e1112c1af3a508710ea89b42c262146d31dfdc387f3227640fd3e7be6b4edbee

Download Submit
memory/624-234-0x000000001A180000-0x000000001A28A000-memory.dmp

Filesize
1.0MB

Download
memory/1140-212-0x000000001C4E0000-0x000000001C500000-memory.dmp

Filesize
128KB

Download
memory/1140-194-0x000000001B910000-0x000000001BDDE000-memory.dmp

Filesize
4.8MB

Download
memory/1140-193-0x000000001B290000-0x000000001B29E000-memory.dmp

Filesize
56KB

Download
memory/1140-190-0x000000001B160000-0x000000001B1BC000-memory.dmp

Filesize
368KB

Download
memory/1140-209-0x000000001C4A0000-0x000000001C4B6000-memory.dmp

Filesize
88KB

Download
memory/1140-211-0x0000000000BE0000-0x0000000000BF2000-memory.dmp

Filesize
72KB

Download
memory/1140-195-0x000000001BDE0000-0x000000001BE7C000-memory.dmp

Filesize
624KB

Download
memory/2860-250-0x0000000000850000-0x0000000000968000-memory.dmp

Filesize
1.1MB

Download
memory/2860-254-0x000000001BAB0000-0x000000001BAC8000-memory.dmp

Filesize
96KB

Download
memory/2860-252-0x000000001B910000-0x000000001B95E000-memory.dmp

Filesize
312KB

Download
memory/2860-251-0x0000000002BE0000-0x0000000002BF2000-memory.dmp

Filesize
72KB

Download
memory/2860-255-0x000000001BDA0000-0x000000001BF62000-memory.dmp

Filesize
1.8MB

Download
memory/2860-256-0x000000001BBE0000-0x000000001BBF0000-memory.dmp

Filesize
64KB

Download
memory/4656-270-0x0000000000110000-0x0000000000118000-memory.dmp

Filesize
32KB

Download
memory/4688-531-0x000001CCB1920000-0x000001CCB1921000-memory.dmp

Filesize
4KB

Download
memory/4688-524-0x000001CCB1920000-0x000001CCB1921000-memory.dmp

Filesize
4KB

Download
memory/4688-536-0x000001CCB1920000-0x000001CCB1921000-memory.dmp

Filesize
4KB

Download
memory/4688-535-0x000001CCB1920000-0x000001CCB1921000-memory.dmp

Filesize
4KB

Download
memory/4688-534-0x000001CCB1920000-0x000001CCB1921000-memory.dmp

Filesize
4KB

Download
memory/4688-533-0x000001CCB1920000-0x000001CCB1921000-memory.dmp

Filesize
4KB

Download
memory/4688-525-0x000001CCB1920000-0x000001CCB1921000-memory.dmp

Filesize
4KB

Download
memory/4688-526-0x000001CCB1920000-0x000001CCB1921000-memory.dmp

Filesize
4KB

Download
memory/4688-532-0x000001CCB1920000-0x000001CCB1921000-memory.dmp

Filesize
4KB

Download
memory/4688-530-0x000001CCB1920000-0x000001CCB1921000-memory.dmp

Filesize
4KB

Download
memory/5964-226-0x0000000000C40000-0x0000000000C4C000-memory.dmp

Filesize
48KB

Download
memory/5964-228-0x0000000001510000-0x0000000001522000-memory.dmp

Filesize
72KB

Download
memory/5964-229-0x0000000002F60000-0x0000000002F9C000-memory.dmp

Filesize
240KB

Download