hxxps://learn[.]microsoft[.]com/en-us/windows/win32/inputdev/virtual-key-codes

max time kernel
1131s
max time network
1133s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
30/03/2025, 19:10

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://learn.microsoft.com/en-us/windows/win32/inputdev/virtual-key-codes

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
349	5232	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2640	powershell.exe
4144	powershell.exe
5232	powershell.exe
232	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
166	1296	msedge.exe

Executes dropped EXE 4 IoCs

pid	Process
5072	client.exe
1996	client.exe
1860	client.exe
2752	client.exe

Loads dropped DLL 64 IoCs

pid	Process
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
2752	client.exe
2752	client.exe
2752	client.exe
2752	client.exe
2752	client.exe
2752	client.exe
2752	client.exe
2752	client.exe
2752	client.exe
2752	client.exe
2752	client.exe
2752	client.exe
2752	client.exe
2752	client.exe
2752	client.exe
2752	client.exe
2752	client.exe
2752	client.exe
2752	client.exe
2752	client.exe
2752	client.exe
2752	client.exe
2752	client.exe
2752	client.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5260	icacls.exe
2356	icacls.exe
4548	icacls.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
153	api.gofile.io
154	api.gofile.io
156	api.gofile.io

Hide Artifacts: Hidden Files and Directories 1 TTPs 4 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1028	cmd.exe
2152	cmd.exe
5840	cmd.exe
1348	cmd.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\debug.log	chrome.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-notification-shared\ar\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\wallet-webui-708.de49febeeb0e9c77883f.chunk.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\wallet-webui-792.b1180305c186d50631a2.chunk.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1333964504\_locales\hr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_689283366\protocols.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-shared-components\ja\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-tokenized-card\fr-CA\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\wallet\wallet-checkout\checkoutdata.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_410475699\_platform_specific\win_x64\widevinecdm.dll.sig	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1333964504\_locales\gl\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1333964504\_locales\hy\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1333964504\_locales\sk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1162433469\shopping_iframe_driver.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-ec\pt-BR\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-hub\pl\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-notification-shared\it\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\wallet\wallet-stable.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-ec\it\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-hub\fr-CA\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-notification\el\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-notification-shared\ru\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-tokenized-card\ja\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\wallet\wallet-notification-config.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\wallet-icon.svg	msedge.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1333964504\_locales\kk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-notification\fr\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\wallet\wallet-pre-stable.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\wallet_donation_driver.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-hub\ko\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-mobile-hub\it\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-notification\en-GB\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\vendor.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-notification-shared\de\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\manifest.webapp.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\wallet-webui-925.baa79171a74ad52b0a67.chunk.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1333964504\_locales\en_CA\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1076242788\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1162433469\edge_tracking_page_validator.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\app-setup.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-notification\ru\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1333964504\_locales\am\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1333964504\_locales\es\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1162433469\edge_checkout_page_validator.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-mobile-hub\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-shared-components\fr-CA\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\wallet\wallet-eligibile-aad-users.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-ec\zh-Hans\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-hub\fr\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\Wallet-Checkout\wallet-drawer.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_2053196927\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-hub\pt-PT\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-mobile-hub\de\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\wallet-crypto.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1333964504\service_worker_bin_prod.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1333964504\_locales\en_US\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-tokenized-card\zh-Hans\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\Notification\notification.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\Wallet-Checkout\wallet-drawer.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\bnpl\bnpl.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-notification-shared\el\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\runtime.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1162433469\product_page.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\buynow_driver.js	msedge.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\client.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 20 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "147"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133878354175908599"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-167299615-4170584903-1843289874-1000\{188BA182-71AC-4771-965A-F8090BCB09A2}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\client.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\.RemoteAssist\SystemService.exe\:Zone.Identifier:$DATA	client.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
1852	NOTEPAD.EXE
2380	NOTEPAD.EXE
4700	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2220	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
232	powershell.exe
232	powershell.exe
232	powershell.exe
1996	client.exe
1996	client.exe
2708	msedge.exe
2708	msedge.exe
5652	chrome.exe
5652	chrome.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
1996	client.exe
3580	chrome.exe
3580	chrome.exe
1996	client.exe
1996	client.exe
1996	client.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
5412	chrome.exe
5412	chrome.exe
5412	chrome.exe
5412	chrome.exe
5412	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	client.exe
Token: SeDebugPrivilege	232	powershell.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	5652	chrome.exe
Token: SeCreatePagefilePrivilege	5652	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeDebugPrivilege	2752	client.exe
Token: SeShutdownPrivilege	5412	chrome.exe
Token: SeCreatePagefilePrivilege	5412	chrome.exe
Token: SeShutdownPrivilege	5412	chrome.exe
Token: SeCreatePagefilePrivilege	5412	chrome.exe
Token: SeShutdownPrivilege	5412	chrome.exe
Token: SeCreatePagefilePrivilege	5412	chrome.exe
Token: SeShutdownPrivilege	5412	chrome.exe
Token: SeCreatePagefilePrivilege	5412	chrome.exe
Token: SeShutdownPrivilege	5412	chrome.exe
Token: SeCreatePagefilePrivilege	5412	chrome.exe
Token: SeShutdownPrivilege	5412	chrome.exe
Token: SeCreatePagefilePrivilege	5412	chrome.exe
Token: SeShutdownPrivilege	5412	chrome.exe
Token: SeCreatePagefilePrivilege	5412	chrome.exe
Token: SeShutdownPrivilege	5412	chrome.exe
Token: SeCreatePagefilePrivilege	5412	chrome.exe
Token: SeShutdownPrivilege	5412	chrome.exe
Token: SeCreatePagefilePrivilege	5412	chrome.exe
Token: SeShutdownPrivilege	5412	chrome.exe
Token: SeCreatePagefilePrivilege	5412	chrome.exe
Token: SeShutdownPrivilege	5412	chrome.exe
Token: SeCreatePagefilePrivilege	5412	chrome.exe
Token: SeShutdownPrivilege	5412	chrome.exe
Token: SeCreatePagefilePrivilege	5412	chrome.exe
Token: SeShutdownPrivilege	5412	chrome.exe
Token: SeCreatePagefilePrivilege	5412	chrome.exe
Token: SeShutdownPrivilege	5412	chrome.exe
Token: SeCreatePagefilePrivilege	5412	chrome.exe
Token: SeShutdownPrivilege	5412	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe

Suspicious use of SendNotifyMessage 52 IoCs

pid	Process
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
1488	msedge.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
5412	chrome.exe
5412	chrome.exe
5412	chrome.exe
5412	chrome.exe
5412	chrome.exe
5412	chrome.exe
5412	chrome.exe
5412	chrome.exe
5412	chrome.exe
5412	chrome.exe
5412	chrome.exe
5412	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2752	client.exe
8136	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 860	1488	msedge.exe	78
PID 1488 wrote to memory of 860	1488	msedge.exe	78
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 1296	1488	msedge.exe	80
PID 1488 wrote to memory of 1296	1488	msedge.exe	80
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 5160	1488	msedge.exe	79
PID 1488 wrote to memory of 3840	1488	msedge.exe	81
PID 1488 wrote to memory of 3840	1488	msedge.exe	81
PID 1488 wrote to memory of 3840	1488	msedge.exe	81
PID 1488 wrote to memory of 3840	1488	msedge.exe	81
PID 1488 wrote to memory of 3840	1488	msedge.exe	81
PID 1488 wrote to memory of 3840	1488	msedge.exe	81
PID 1488 wrote to memory of 3840	1488	msedge.exe	81
PID 1488 wrote to memory of 3840	1488	msedge.exe	81
PID 1488 wrote to memory of 3840	1488	msedge.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 4 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5224	attrib.exe
1524	attrib.exe
5124	attrib.exe
5136	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://learn.microsoft.com/en-us/windows/win32/inputdev/virtual-key-codes
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x25c,0x7ffed50df208,0x7ffed50df214,0x7ffed50df220
  2⤵
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2180,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1804,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=2240 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2448,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=2532 /prefetch:13
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3444,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3452,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4868,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3672,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=3724 /prefetch:14
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3416,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:14
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5020,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=5136 /prefetch:14
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5472,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=5524 /prefetch:14
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5912,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=5936 /prefetch:14
  2⤵
  PID:4956
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1100
    3⤵
    PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6048,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=6096 /prefetch:14
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6048,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=6096 /prefetch:14
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=6156,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3612,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=6764 /prefetch:14
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6944,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=6952 /prefetch:14
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6352,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=6808 /prefetch:14
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6844,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=6388 /prefetch:14
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6904,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=6828 /prefetch:14
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=5364,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=6852,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=5368,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4960,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=4948 /prefetch:14
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=4972,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5140,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=1264 /prefetch:14
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6552,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=5612 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5236,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=7260 /prefetch:14
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4936,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=6644 /prefetch:14
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6540,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=7048 /prefetch:14
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6708,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=6328 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5704,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=4872 /prefetch:14
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4068,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=3948 /prefetch:14
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6452,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=3644 /prefetch:14
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4768,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=3324 /prefetch:14
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3468,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=5560 /prefetch:14
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6848,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=5604 /prefetch:14
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6376,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=6788 /prefetch:14
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5688,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=3608 /prefetch:14
  2⤵
  PID:6084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3700,i,8024893634980606673,8622203647094098775,262144 --variations-seed-version --mojo-platform-channel-handle=3564 /prefetch:14
  2⤵
  PID:5468

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:4832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3636

C:\Users\Admin\Downloads\client.exe
"C:\Users\Admin\Downloads\client.exe"
1⤵
- Executes dropped EXE
PID:5072
- C:\Users\Admin\Downloads\client.exe
  "C:\Users\Admin\Downloads\client.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +H +S C:\Users\Admin\AppData\Local\.RemoteAssist"
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:1028
  - - C:\Windows\system32\attrib.exe
      attrib +H +S C:\Users\Admin\AppData\Local\.RemoteAssist
      4⤵
      Views/modifies file attributes
      PID:1524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /create /tn "WindowsSystemService" /tr "C:\Users\Admin\AppData\Local\.RemoteAssist\SystemService.exe" /sc onlogon /rl highest /f"
    3⤵
    PID:1588
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "WindowsSystemService" /tr "C:\Users\Admin\AppData\Local\.RemoteAssist\SystemService.exe" /sc onlogon /rl highest /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath C:\""
    3⤵
    PID:5164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath C:\"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "shutdown /r /f /t 0"
    3⤵
    PID:8028
  - - C:\Windows\system32\shutdown.exe
      shutdown /r /f /t 0
      4⤵
      PID:8080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeaebbdcf8,0x7ffeaebbdd04,0x7ffeaebbdd10
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1440,i,15779012154661715645,10706179479977019842,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2144 /prefetch:11
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2116,i,15779012154661715645,10706179479977019842,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2344,i,15779012154661715645,10706179479977019842,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2316 /prefetch:13
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3228,i,15779012154661715645,10706179479977019842,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3336,i,15779012154661715645,10706179479977019842,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3940,i,15779012154661715645,10706179479977019842,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4008 /prefetch:9
  2⤵
  PID:704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4672,i,15779012154661715645,10706179479977019842,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3220,i,15779012154661715645,10706179479977019842,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4860 /prefetch:14
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4632,i,15779012154661715645,10706179479977019842,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4644 /prefetch:14
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5260,i,15779012154661715645,10706179479977019842,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5268 /prefetch:14
  2⤵
  PID:5480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5452,i,15779012154661715645,10706179479977019842,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5296 /prefetch:14
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5664,i,15779012154661715645,10706179479977019842,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5684 /prefetch:14
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5552,i,15779012154661715645,10706179479977019842,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5336 /prefetch:14
  2⤵
  PID:5144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5488,i,15779012154661715645,10706179479977019842,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5756 /prefetch:14
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5744,i,15779012154661715645,10706179479977019842,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5348 /prefetch:14
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2176,i,15779012154661715645,10706179479977019842,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5872 /prefetch:2
  2⤵
  PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3784,i,15779012154661715645,10706179479977019842,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2628 /prefetch:13
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=2372,i,15779012154661715645,10706179479977019842,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3780 /prefetch:11
  2⤵
  PID:5532

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeaebbdcf8,0x7ffeaebbdd04,0x7ffeaebbdd10
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1440,i,4624338641391224829,6474269236215264252,262144 --variations-seed-version=20250328-130116.098000 --mojo-platform-channel-handle=2084 /prefetch:11
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2056,i,4624338641391224829,6474269236215264252,262144 --variations-seed-version=20250328-130116.098000 --mojo-platform-channel-handle=2052 /prefetch:2
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2392,i,4624338641391224829,6474269236215264252,262144 --variations-seed-version=20250328-130116.098000 --mojo-platform-channel-handle=1780 /prefetch:13
  2⤵
  PID:5480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3260,i,4624338641391224829,6474269236215264252,262144 --variations-seed-version=20250328-130116.098000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3268,i,4624338641391224829,6474269236215264252,262144 --variations-seed-version=20250328-130116.098000 --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4184,i,4624338641391224829,6474269236215264252,262144 --variations-seed-version=20250328-130116.098000 --mojo-platform-channel-handle=4200 /prefetch:9
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4616,i,4624338641391224829,6474269236215264252,262144 --variations-seed-version=20250328-130116.098000 --mojo-platform-channel-handle=4608 /prefetch:14
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4780,i,4624338641391224829,6474269236215264252,262144 --variations-seed-version=20250328-130116.098000 --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4832,i,4624338641391224829,6474269236215264252,262144 --variations-seed-version=20250328-130116.098000 --mojo-platform-channel-handle=4932 /prefetch:14
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5252,i,4624338641391224829,6474269236215264252,262144 --variations-seed-version=20250328-130116.098000 --mojo-platform-channel-handle=5284 /prefetch:14
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5464,i,4624338641391224829,6474269236215264252,262144 --variations-seed-version=20250328-130116.098000 --mojo-platform-channel-handle=5472 /prefetch:14
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=3752,i,4624338641391224829,6474269236215264252,262144 --variations-seed-version=20250328-130116.098000 --mojo-platform-channel-handle=5436 /prefetch:2
  2⤵
  - Drops file in Program Files directory
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3576,i,4624338641391224829,6474269236215264252,262144 --variations-seed-version=20250328-130116.098000 --mojo-platform-channel-handle=2068 /prefetch:11
  2⤵
  - Drops file in Program Files directory
  PID:5196

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2256

C:\Users\Admin\Downloads\client.exe
"C:\Users\Admin\Downloads\client.exe"
1⤵
- Executes dropped EXE
PID:1860
- C:\Users\Admin\Downloads\client.exe
  "C:\Users\Admin\Downloads\client.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +H +S "C:\Users\Admin\Desktop\New folder""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:2152
  - - C:\Windows\system32\attrib.exe
      attrib +H +S "C:\Users\Admin\Desktop\New folder"
      4⤵
      Views/modifies file attributes
      PID:5124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Users\Admin\Desktop\New folder" /inheritance:r /remove:g *S-1-5-32-545"
    3⤵
    PID:4992
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Users\Admin\Desktop\New folder" /inheritance:r /remove:g *S-1-5-32-545
      4⤵
      Modifies file permissions
      PID:5260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +H +S "C:\Users\Admin\Desktop\New folder""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:5840
  - - C:\Windows\system32\attrib.exe
      attrib +H +S "C:\Users\Admin\Desktop\New folder"
      4⤵
      Views/modifies file attributes
      PID:5136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Users\Admin\Desktop\New folder" /inheritance:r /remove:g *S-1-5-32-545"
    3⤵
    PID:5928
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Users\Admin\Desktop\New folder" /inheritance:r /remove:g *S-1-5-32-545
      4⤵
      Modifies file permissions
      PID:2356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +H +S "C:\Users\Admin\Desktop\New folder""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:1348
  - - C:\Windows\system32\attrib.exe
      attrib +H +S "C:\Users\Admin\Desktop\New folder"
      4⤵
      Views/modifies file attributes
      PID:5224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Users\Admin\Desktop\New folder" /inheritance:r /remove:g *S-1-5-32-545"
    3⤵
    PID:4480
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Users\Admin\Desktop\New folder" /inheritance:r /remove:g *S-1-5-32-545
      4⤵
      Modifies file permissions
      PID:4548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\get_audio_devices.ps1"
    3⤵
    PID:2108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\get_audio_devices.ps1
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\get_audio_output_devices.ps1"
    3⤵
    PID:4656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\get_audio_output_devices.ps1
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\system_sound_capture.ps1
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    PID:5232

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\test.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1852

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\test.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2380

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\test.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeab3ddcf8,0x7ffeab3ddd04,0x7ffeab3ddd10
  2⤵
  PID:1188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1928,i,7606256432157746014,4406238645493178438,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=1860 /prefetch:2
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1480,i,7606256432157746014,4406238645493178438,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2264 /prefetch:11
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2336,i,7606256432157746014,4406238645493178438,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2388 /prefetch:13
  2⤵
  PID:5240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3260,i,7606256432157746014,4406238645493178438,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3352,i,7606256432157746014,4406238645493178438,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4244,i,7606256432157746014,4406238645493178438,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4216 /prefetch:9
  2⤵
  PID:5464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4696,i,7606256432157746014,4406238645493178438,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4576 /prefetch:14
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4832,i,7606256432157746014,4406238645493178438,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4692,i,7606256432157746014,4406238645493178438,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5020 /prefetch:14
  2⤵
  PID:5164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3244,i,7606256432157746014,4406238645493178438,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5428,i,7606256432157746014,4406238645493178438,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5440 /prefetch:14
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5672,i,7606256432157746014,4406238645493178438,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5684 /prefetch:14
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=212,i,7606256432157746014,4406238645493178438,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5480 /prefetch:14
  2⤵
  PID:5848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5432,i,7606256432157746014,4406238645493178438,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5512 /prefetch:14
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5900,i,7606256432157746014,4406238645493178438,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5516 /prefetch:14
  2⤵
  PID:5328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4260,i,7606256432157746014,4406238645493178438,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5476 /prefetch:14
  2⤵
  PID:5688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5416,i,7606256432157746014,4406238645493178438,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5032 /prefetch:14
  2⤵
  PID:1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5856,i,7606256432157746014,4406238645493178438,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4236 /prefetch:10
  2⤵
  PID:2716

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3568

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3942855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:8136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
c3673a4c9da7657f9648a6b1c1393afc

SHA1
657dba6bf73ac27fb71a147ef450c8adfe247e5f

SHA256
71e032027fe13620e1d4298778855983aabb9e23d23223650bccb1df4b5b33e0

SHA512
2c7a04f2d498b971e1936423df9eaab44cec4ff64335577ce4acd7207a5aa45985aa88d6e9e6702c254aa541c6f667326cb762486f385c1ced80b68271dd42b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1530f073-5cba-4034-b0cf-6eccbbb8cad2.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6512f4db-84dc-4d3e-b3a9-f4a93498c4d2.tmp

Filesize
11KB

MD5
5fa1fe0c275098e8a8e717e27ca3e2f7

SHA1
8be88c525baf12a1471a9c7e6a806034377b3461

SHA256
0514b5b20829e770df360b252fdb285c9615e55b8cdc1496459406bc7f79ccd7

SHA512
bc71fb83a4f0eb8fea822bbf75ad4d9a3c3f8c3c21d19c5c6ad36d51e5e4a129613fb6a2ca1b934bca3a7198361e2f555caae606df7f92030161f8ed79b6f879

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8ed9265a97701ff27903268f458837f5

SHA1
c6676e5df4f6f044f79a6809a7117e83844d4449

SHA256
dac5daefa31e373433fe33a9fa5f07cb25c03fc9cb39b2d87bd20cd4a518fcbd

SHA512
e74050db8a76d82b03b166215f45d7b5e477d8c6ba68442a9ee98f549c0addbd2f734bd744c13037cb4ac006179735ca607e98dd62f23be795138772dbcc13ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
48566bdcf487745a33390d007d389612

SHA1
b2c767af1c217ad641d124d7a8f54f629d45f8cb

SHA256
5d852ff545b9673b5ec2ef17b928ffc5d543310c8a290d015759fe2f5e43756f

SHA512
c5565892eb7f4697e03ef89da1cb8b49c2473f749aad67c197ab0abffb90dfab4f40fa81534bb44593aafde9c34c2f5b0e1cb7a4020cf3f8a482d819043fd49c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
cabf879d9b91a5f59ed2a2e7940c90ea

SHA1
bc1712e26cda6d02c202fa785bad8dbdc90cd5dd

SHA256
ea5eaa210e525b98c8c4c3789ec705d0c44078654d209c99977f80ec3207a237

SHA512
47acb31e9da87ea7df7943a057eac60238e4c379c5fcc84fde980fa644b80e59e978eefdef615d40ec537f6a740b33474abc4e4ec6b773eabcdc3b0c3f8c5f7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
5f2f7e190c4d910cc4b9b708293b53a5

SHA1
8e28d7a35b2cd6cf551d41110fe6915cc8bbe13d

SHA256
21864554f719834a69480b40f53476908e1d5b11072d6eb44aa5bafd7fce2ec9

SHA512
6824c0e4460bb4e7c4b203a999d18321f3bd3d6b5776da97b76f0ef1e1155341619e7e7872fe81583b99d99623782132107c4af9268d74209bf324c61ef1d9a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
687B

MD5
fd097607bc4b881fb8445ec5ad5827a8

SHA1
78e1f874841eb4e77c9a4d1417346e3b8466077f

SHA256
3e5e5834548ac870c6bff9dbf425310534c3d49105e46e1eabd3c0e6ca89e661

SHA512
a89182b36ae76bf0f9cbd1ef3a198ed4e5fd013a4c03743c04e9cd1cea6c24ceda34ca47be493b7504e4ea5613aaf6d005128125fbac7601d2cfa45fd47af73d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4700e3cc538a10c80c8e27d818ee9a81

SHA1
63f19ee67028621583d6069e59d2d247dcc66747

SHA256
7e378b4447dcd2d7992ed5d2c028403be3b79c397c4a79237dfc6480234ff2ac

SHA512
da7be7cc09b7df75a1b55e19cc603df36a84e9e87ece912cb0f1e76da43a09ba95525c670318d2d90e251f6f7ebaff47de91d7613aae60d0bf02d95ec755530d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
48397d47ea1c07ef9ab27043d2406ac0

SHA1
9c30bb0f1ac1915e496d12462fef5a6597706a0e

SHA256
e0bd45f2d6aef883240fee7bf17fc913db4cab3e2103e97176c0c173198eb014

SHA512
a34671700ed8d3e761665b19580d0af392a562c6c14d4afd4068f392243c87cb58394c6950371de0235ae9300a5c7854c08e61ccf0f09b6c04b892547e0652e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
28c94e394beddc9f9812de59ea528657

SHA1
393d8c793b7ed3d5da3400c3c21ef2af2b457a2f

SHA256
838dc773d1d28528b396d2c189d6a9b985b4b5f834e1c3b0f2ad71e8521e5fd9

SHA512
9a46777652411522b3249defef4805f010b194341e539953a0e4b3a82fa1ae0a47463334d4fda61300df9ceadf60c9a7cde18a2fb38d673db17c5bc90f90cb80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
109220d0c9384f68904d9b3e2866949a

SHA1
1bfd19c7c5345640642c87594d7f484af4a4d629

SHA256
b7d70e247c1b1b5bf9de767cd4cf63dfbdbf6915d6786b8e20f1ca35e8d78bb0

SHA512
c1905bf6c3df7277b609dab33dc335d4b72fb0381af0802deff475ce1b2c9d3fe694dccda02ae936be680e611b54ffcc3aa9ae12ebf5647f2612a15f4ab77d2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
76ebc95872272eeb652ed472c2c6a58e

SHA1
6378e771986b4eb383f00a57b9cccdd7af0e2b87

SHA256
633acbf83220b1d66c8aabfe1d3f4dcec4c7011cfe6846bfa211f1ae9123566b

SHA512
ea1cf3bdd0696187eedf3fae262332d1f03f75e2c73a2ac73dc2bc14e1b5195243a97572afc3dd09e8a62a9fd37d64ccde9e551b3d02aa3397ee6a18b54bcb92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d7e406d6b5b1ac9b1f2098a76e33e031

SHA1
45087e4cbd0cebe2db06ede746be947ec3228b52

SHA256
3ca855224097092ef576896f800cd91e5e31b07221dbc1a2f31af05d9f8782e7

SHA512
db69569a4c819477518e83ca18c771b029b055d315b3b41136011c4605a0346af74f923ed6ed26250fda30e669d6613086b255616d066a8b66a85361a5f7094e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d1f1f44992fd7cb40ad2ada02c26be29

SHA1
5620969119ba66b28e532d56fae3c6eee34bf643

SHA256
92be1cc935a4599a9bbc8d2dbf3873b589ff2d9c7204fad7474f051dde5133e8

SHA512
22a61e943acab921bf05960e15fcc075cbf08476d2de9996159a481fd4ad610be036a74f972fe5f483cd6f7a62a37fadb7706313664dcd692f09b6f7338f957e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe66262c.TMP

Filesize
48B

MD5
9a4d9efaa884a776eb981fc44afc669c

SHA1
ccfb625ff28e961a6b108d7f433684db33e223f6

SHA256
f8e4e2ff62c6fa20ffc65832059dcad3e6ae79d448d817a5b57fe87ec47273fd

SHA512
2067620f0719faa4c2b1e9af2cb1618f4d5104a719b93cbcf5cb3bc2608db802392e7f15e5d90507f669e8fbfe6f2d0db46ce9933aa269c725769dc2d51175a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
156KB

MD5
511f630ca94e377782e61da6b27593d4

SHA1
6f56bc2e96adc01e869e1f71c2d78203dce80d75

SHA256
9f6461e40d671c6476dc9b314b0b621878d0f8b1e39f8b0e3a7f3168adc07a60

SHA512
e3edc2875070e0d01c83f6006184ee98b18161431b9c60a113f860c557760e5f986a858362e8e3e50379e95905a8a11dae4c38d8e153592217a94c254a046ee8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
68172ee0398c0aaafac176d995b5e45e

SHA1
56c0846884ea624da743e2291cb5aa37b5e2b7c0

SHA256
2a376299fc7f41674902ce2b0f0640eb641d364705cbdd97d3f853cbb81a856e

SHA512
0dd1d30b2527952b1e3be75c376986f215ae31a0b7d600c125db55ee306a13296f84b6e8bef4d10e3e51f7ac3f3c5bbfaf6cac0a1f58aeb74bafaf8098ad1ebd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
d82d47a2cbc7831b4f3ea2affd687072

SHA1
a4086972fd180a9d2955b31e992c1346a9c9ee9d

SHA256
15c7c30229dfc1d7ffcfeb79e390bb036f1bf49e3e998717326a462975578c21

SHA512
256c0b478ea7b0035b0adf6c4b8c90624144a6daf2788f7cae2a539adf52ccd071eb1dd7f66d19c3e1410d505ccea2a736a109c70ed452fbf258e94099c32c86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
156KB

MD5
6a0ed2b1ea616df55a65c9d401003d3f

SHA1
6193752e43f8e7e2e8d495771800b81355de1ea2

SHA256
0fc7fe9deb4455cf5cb7102569e65bbe2cd10a4b9fd1456e5b103387df48e105

SHA512
ee2d4af04f9f01f74c745fe6af89765b5b7fea5dc3a47d1befbc377dff69f5ea7d48874574658cdc99cf02ca751f47eafd74ca166ef28720f0fe10cfdd14c2d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json

Filesize
3KB

MD5
f9fd82b572ef4ce41a3d1075acc52d22

SHA1
fdded5eef95391be440cc15f84ded0480c0141e3

SHA256
5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6

SHA512
17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
e5f3655796637b7d0f4a8ed402e119ea

SHA1
3baaf516676664d46727759914745776a166016a

SHA256
22d91a4321390a9445110f04d5600f49f03604a2d7ecadd10c663248295c88dd

SHA512
2125899d678c926c9f85ad81892f8ee91aa0a74e4c533bcb6e48675ebf0eccbe0db17998f3e3ab961cf3beb8fef7f950588398c5868327aa2d33f81bde797ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000007.log

Filesize
21KB

MD5
8b4bc71efe864591657265b96080ef6d

SHA1
ef0556675d02d77dc9ba5f008813c2db29bb61e8

SHA256
e02fbe6153a730f463c0d3fff534ded574a52fd51024123270a3966ebdbca6f7

SHA512
277eed2cad2694d53751a16d0aff215328c76b2721ef87e06f26b76674e162777ab78bfad3411672acb26cd1eb2cfe0c31114cee864cfe0c4a2ecd5ae8faae84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
334B

MD5
faa0d95f78dc848035b2a45029e1bb71

SHA1
c4c4a5cdde83513d30280ca1b8e6d59cbbf1f754

SHA256
3e004c9c0d21648633598f1b77fe70ccff3f6269413e21a4e732b620bcca3474

SHA512
f4c5d7f6b62ba8e4f1dce6a3e61ac1ab78a0fd62b6a249d03ce8edd940ad4163ce46c92b6946d3959c4310c6306f9f94c7be738a952a88420a0f71163b12adef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
331B

MD5
149a36ab2964fe50fcd1d702d1198909

SHA1
f69838dc271d37cc647653c36c9ad8f64fc25c17

SHA256
f02ecc4766a76e004d238119e5a058ddc040a9cff1e20662765ca23c22783c3f

SHA512
a052418e7c8b472227366b59fd8745322f13a69f5d2ffb45cc1910daac5e98a6a7a4ff41fe143a4020de5bb2acbd302c90d1d0d330e175b45274d6aa17f63f8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000063

Filesize
58KB

MD5
2f235bdf2edc72828711a31542a5f2fb

SHA1
69c864f5d1d75fbf58aa34aadc9172d12168d342

SHA256
a2d6c570e58c1530d378539a81c293cce51cf26245f212a468cf308c6e6af5b2

SHA512
d9df48fd88930dfc1477492166f2eef838eacd8f138b7082a586e1adb6c2c9861c28419640c6f1722ce16f279681ba44f5e716404f7339e0a7048f29fdf9cec2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000064

Filesize
100KB

MD5
80b5b90c4f3c45f46d57b5e1bce1e629

SHA1
367e3928b8c501a0827fd1b56083824932e9dfce

SHA256
f8f5766093e3c09b37b085fe81a7d8307c69b34710794143efe460ae62bafb2b

SHA512
395fe714443f48f04896aaabb79d852a79e6ae948fbdf1678505be724c0efd172043b36feb8716d9882585a47d23746f2dfb1cfbb18149ab9e71310ba0b055e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000065

Filesize
110KB

MD5
856a44c7e5f305d914f73151e46348f1

SHA1
ef7198fffde31f348f41c1fce450f7c83f2724d4

SHA256
f576eb2ecc60fe36e8222e836af2b7a7fc0e2f757159e970631eb2e496b0411d

SHA512
c429e91a2cc420bede1768600604b9e3695d0f29640da2880ba9c2cd528fad536b63e40e142c48275b21c3607ea3e5677eee2c2c4332c894ff70687069dafbe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000066

Filesize
355KB

MD5
2c017cd370b98f091fa277c8ed78271d

SHA1
8375a048564a44e5050bcfc12b1f2eff5f1f77b9

SHA256
c2b3511773b754984d34120b24d5af9c8be62298105c7251a3d0d4c14c4ddee8

SHA512
f93da7b825def400c32ae5f91c5e10ebeb17bb6d8596c556a02e9c3df24754448f818dd4b9d34af9ebe9c8c20be84d391fff22a04baead3c982775195d7dcb86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000068

Filesize
19KB

MD5
3b25fbd9be0594e7d5dd630003ef4194

SHA1
73d1b16b7b95ec2907407f06c3f353497e29a362

SHA256
0ab699ef1483cd423e0880e48701eb0f38d8d250a4f7e63262a5a10e587f6df1

SHA512
137ca7a8f12319721e9ad5a729c14c14cd560abad62366fe47d2742ed30e9dcf5f3a3c1c5607deee579ba9407ce5b5c1c737bc74e07e64dee65e1fc2ab8b0615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000069

Filesize
76KB

MD5
c99f966767a99c2971aaad4890f0d323

SHA1
d6dd4e0199e653bd6663c5203dc3889e9b6c0baa

SHA256
ad5f0de938a628df6b0de66005e92497bb39c09fb8491ea7fc4d5afd600262e2

SHA512
02475dacf307541c4e2801b2e849585d4210990fff97bf5afe9f44f5ee46ae8ba21152295cd8baeeecba3005250d81e7d280007f0b8f57f77247a3e2588b7c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000083

Filesize
128KB

MD5
1f7e88f5b8888cb31bff7fe3865ea33d

SHA1
1e867c7cd3d600e1509c8ddeb5d2404045c823e7

SHA256
57f9196e28aef265bf9a88f39b71275b40cab35ac0fe03b2fa0621f96411206e

SHA512
733e5bffa45b1f1d3521d8c4ed862ab0af177f0e42392bd7ef26f3a5cee57f3065a0eb66ece9493178431f1cdb09d2a6b31679fffa69f9c25655f3f341be1885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000088

Filesize
128KB

MD5
e729e8699547cb5bfb4f424406b8f551

SHA1
5ab8f998ba9fc47a60c1af131c29bc9f6b656b53

SHA256
8b584c48779d727e3638c8922aa47b1413d8906130bd3c480dbe0774186d2915

SHA512
027438641482b3deb4c3ef779542f0ea5c1a97fa90a24523b645b9d53ff13e03da89a102f6edff4752d0a0b517cb131f3a8c7a4f54fe20f23ead8d357ad970bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00008a

Filesize
256KB

MD5
d50df859fac0f2587beed99950a55382

SHA1
9389a43a2661575dd5afdbf9f4521abffb9be4eb

SHA256
0f1fe568a93ba617348d6cdca8a12cb85e4ea8f6f6ae3cce1cd0b8fbed3de935

SHA512
b7205c1bbfb83c07a08241c106678c79f4062e1c700f2c61f71ab7288c89700a5fb13e733e4c8e3b9f12a68dba1365674c9b940af84f95bce7a38af4f1618195

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000098

Filesize
33KB

MD5
33f80a9cf7ff070b98dd280f3b0f910d

SHA1
8b6ec48d11fe9a86272f46c2608ce352650b3f40

SHA256
429b492221499bbc9673a34a816d5c05f174cad2db71e0cd8d2bc725915ad25a

SHA512
afc5bb6902451707270889d388cf8580215854d632e48f19229d091ac1215541c575455f6d169f8079610805ce4d37bdae4cabbfa8b4cbaba803000d151f6983

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00009f

Filesize
63KB

MD5
a6fbd7372c82eb8e888367b8a4bb69ae

SHA1
14404e156a23b2e91b146e0268edf304a3281d72

SHA256
4c5223d4fd6221db374c741514ca2294d2d188fb7d205bcf368e92f7c3b72b42

SHA512
c6e61cf2b473bac4d88912d05be77ef79180d0209f2820ea4b7fd9e693c6460f8d2483c91c1160922baa420d08b143ed2d39dfb75dd336d1766fe96f40a3d927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ae

Filesize
162KB

MD5
c21825efdfd817e04382d407f8c89468

SHA1
dd8d07ed3f6c9c21ce6874aa31b13cb5c6008e1f

SHA256
77a5c5547c6e35407fa33f69778db42b1c38f77ec04cebdfb525257fe69ee1a8

SHA512
9b49b23fde8c3c0522b6ced2ed2dafe5eaa2ce07d7955317eae37704491bd7aeb42470305d5404fc7ac76e7de2c5d0e5d4bc98d2cb6814bae1677764af81998d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
024528cf3ee03936942b4049fab2624b

SHA1
76244c4763d3fd2ef1605ba117191dbd78bf475a

SHA256
7ab36c19ea5132ba378f78065b4c808b00774867c7d44dd5ca6b5c2ee40a9b4c

SHA512
d3eba3df8a0b83a936e1ad77feb91244cf9af9e21fdc882892f0ce3e595cdde450266487b57995865bb31cdfa737d3b95ee6cf559757bdbb351cbae7a1b87f4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
12a399a504ae44f074a1593f8321d94c

SHA1
0589eabcea1a692975779f42265dbda2491ff197

SHA256
feaa7b8ac7ab4adb7312ea6a803942499acf2e288c0d26250ff4776e58337130

SHA512
1dd3b9c5a12740c23c8761f9d282463e73b7f37365b763c800bf4a784f415f837a35e68343d02c27a86c9b3527ac7124014cabeab8c8deab453760f84e699f94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
7b517b7224629b4ae35292c9cd7525f3

SHA1
38740f6f4d2436fc8ba99565ccf0ab9e8b22412c

SHA256
453e3fc3b21a26f1c10cc2310228e383cefacb1706cc8efa9ace3ac4052a9f6f

SHA512
00159b5ddd312f2616ae0a48f696415624210b93e505fc6db8d1fddb37988841259cf219d8203e29341a5900a8843184b3a6f1cdd664cc24581b2f7cfb680410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57e01f.TMP

Filesize
3KB

MD5
d3d481eeaef3de21296ad77d34133c07

SHA1
150253a6b154cf3e59a10ea73e14485439605042

SHA256
c86600564e91a7afd4f6ebf72cb020b15abff055b7cbd4a28cad3657be2cf7f8

SHA512
9d8d083998de54abb8583511e7dda39920d15610355b6b8a540f7dde5668b2b0b888fc2b44cb2e11239ef5bcf89a305f574c6871794cd0e69a93b7d11e74da30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
20797877ea8e26d86dc0fba9ab68a837

SHA1
3be2be88d4e49fa8bc6462fc0f142b158f9e9fde

SHA256
2d3a43f4c329d05d766ebf40663d0556bb1072b06af229d7edccc68957a3e7b5

SHA512
ce6b683332a611e076b15c304b3f4c25137c77c310c3a685d9d81b4c97551b220eb69779711ef75bff38488840baf1883f44ec341cd1aac313ead0b9d78f0535

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
132f40a60f3d1b7f1ca9d982ef44826d

SHA1
0cdb5064f19b497c2d980f458db08945ff1aaa48

SHA256
ea5dd624105874b7ca7b696e39d385dc0e93e0dfcef9b5f45db11a5cd3c9b8bd

SHA512
7dc9333610ea33da825f553a02965a8cbdae225ddd60198877d330f3aee85d4b003e5dcf887e700dc30bc2deb86dd3c2bb93e471ddf910cc54471b334cb3ae79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
63ac512d202a3bebf70d83f4fcea3d39

SHA1
dbeee2e2672291b6b13828d7d31f89dcf4e90c65

SHA256
b50909017da39fe460fb0db90401553b01093f9e38e58bc854a686aee32d2ca5

SHA512
484a81c42db0253ee9d2cff8a67e20b73fbc7fdf572315c3c75e88727c6de200bbc68a7815c5d025aa0da79e362c7c941e48b378f3d87a9a96341cb4285e518c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
f8a5ba4b3ca781168b6793a8cf5133b8

SHA1
3a1f6ebc88d0189d919c510fa31269715a58b938

SHA256
545a0e698a76a0e324ecdb7652cda6dfc9a80e0ae15415ada69e258e8338d341

SHA512
9434511d82bf86d3562965a80f84a8e42c5600de93f9762dca8b327e3f42faa615611eec5cbafd68fc20f6937986d68d9f249890e2b58dd24b41a8ec79e96dc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
414KB

MD5
9ab474827e6cdce8d5673eef6c440770

SHA1
296f1d0122edb67bc9d83397930bd8bd6dd09561

SHA256
798cfa74f6ffa642fc7162d712c1c6ff9baff1433326ec2c47c21e94e84b2786

SHA512
c3b0887ec66ea57906e868f20a750d564b7d15f12bc91cd96570ac501f048fadcc9e683158ec9e6749462ab93b9bfc7ffb29187aa9f271ffd6987801713f052c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
414KB

MD5
8edbebf176ac33a9d54fec7662de2fe4

SHA1
1eba3acf782986b3ce5a24255af6b31168127515

SHA256
31330b42a500962b444dca3840d50bff94c5967ef089e5a788548422b61dda54

SHA512
d97840afd8f60af851a2e2aa7eaee3b8d8d92017289f3abc9121102f7fe6256baa3ff4e1b0c25278f5696a5f4fed868d47b22f37c2c8fa6b4b2c74770e412db2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
413KB

MD5
4e9a2d86ea6eecc94e3cfe36866ba9a9

SHA1
92e5a5ec4cb35eeb7719ac199aeac0636154fdad

SHA256
9fec2f1a5e23b96f7a1ae6dd05c9c8275a2dca8d08231699069ce747a20b1d88

SHA512
08806424c3a23603b65e4c862bd0c4a4fe42e406c84649c7a7bdb2d7f201b8fe2bacf3cc3edd068e9b2d95f60ddf5cb872845dcd6b45c17ceeaf43d1152f39bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
414KB

MD5
fd99a00a1ff6c43bf450645d429de441

SHA1
4941dd205f5593c24e77a9793ed992855d1d2c51

SHA256
343c5d5fe0d075c69695c0ea775c45b21dfcdff0f495383e46cc03205376ac08

SHA512
4f9e5edff9bc7926d06c75173dfaf5d49b6969dd1a72659ac56a8d14769ac56939f3779545be2f36c919dc1c10d2a6d20e03dc24d66a0e8d4bec6faaf1078317

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
cd630ed177a33567cfb9782b906d4576

SHA1
524002cab98b52cb47fb4d2702e83d4c5d64b9c5

SHA256
ba3f38800160542ab35fb83c565fe48ba467dbb51fc9be9594e12348f2e65c8d

SHA512
38447379fee4f653fc862bbd2597f1a8b8e8ca919fe525b89b0962a24575152f1ba688e9589da20638db0401a8318e3a6f6219234751188839667ab387fa7cd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\31cc4690-8f57-4fd7-82c6-159ad7103a35\ee91b116cc2005be_0

Filesize
56KB

MD5
eac1ab064eca143491527276f3438ab1

SHA1
122f5c51c5b363af178664294f306bca7701f5ff

SHA256
bbeaab6539d6e18a3c3584caee939bddacb4394873909cdfef5f10335371ce97

SHA512
e4e8919f1e72f20379a36b428aa9d5504ad0a7cfbb918591e15c3bffc45e6aa70808598dfc32d2a91a7a3178b3c88811fed476ffebee54c4f47982d16df8665d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\31cc4690-8f57-4fd7-82c6-159ad7103a35\index-dir\the-real-index

Filesize
72B

MD5
b9b93497cbb4f355a762c78e4603bfa5

SHA1
0ad876c23912ff8f63553836ceb6ac2cff015045

SHA256
6edbd695ea29df15c089560d05d798566d361207142c9ea62c236ac2f9494e74

SHA512
d2b469034098a2bcce85ccff569f9f1c7ec5098057d49f5c3732690da454b6e4cca465c116b77ba1d8f2d1dff75e59e920dd4beacc97feed5df4a486042015b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\31cc4690-8f57-4fd7-82c6-159ad7103a35\index-dir\the-real-index

Filesize
72B

MD5
7d5db147893234aa6f50daac54e59d78

SHA1
7d641266e11960f33e24fdec91549018b582c3d1

SHA256
323d26c2ff4da0c68a27db0f12bbb84df14678dafc2a4d1e10438be2837309ae

SHA512
2220c4260a765f6b58ea0d81ec6f859107bd3f0a9b52f44c43be058f7ea4f6a5428ab84e421f888ab493f6cf891e6ce378656d7c01937537b79b96325f042db7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\31cc4690-8f57-4fd7-82c6-159ad7103a35\index-dir\the-real-index~RFe57c592.TMP

Filesize
72B

MD5
b7e450e4209db73454612eb9b2739a9a

SHA1
a058eabe03d39626a6fab25649261933ce5cd738

SHA256
f4e8d059aaad3364ec1ee828a07b9aee7837a06c484a373fbf9d2ef9ec390c1f

SHA512
98447c68775249928f0b73c493718f334413257a9c684710d4dfc2e7e62607ddbe46076c624ad4a246c4df76d10172e67fd8955c9b7dea9e1789d7db63d28c53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\81e68200-7e16-46c8-a20b-e92c84549030\index-dir\the-real-index

Filesize
72B

MD5
7e11c530ddf336a9c2dd04e3a85e4bb4

SHA1
040919a85bcfd1c651843da8f5758b0d8ae19e26

SHA256
907986459a86f1ea9b8f80e606c69773a2d766de74746ebfc4dc84da97f309f7

SHA512
b57c04e342b9f6f73ddcb12f8b6f34a8e4db30d58ab23b7fe193dc41007d775b0413681f8eece30b4f1df3249dbf8404420f648402ebba1d21078bc1973d2d44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\81e68200-7e16-46c8-a20b-e92c84549030\index-dir\the-real-index~RFe5a7f24.TMP

Filesize
48B

MD5
12b109253ee2617c51afe2bd085b0af3

SHA1
54321ea9d3f08b30c110bbab31f92bb5f34401bf

SHA256
5109d255c4c9ddb0ff1834e63997cb58200cb9aa7becfa7794104bd65541c3b4

SHA512
6e93623a550c5d4adea5f5a7455f802e3c1c42bec862d982c78f899c56adbaad5d9f39246b43a726abd840df46148b4527982e0e6225e90a1dd418534f1a8524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\92082a41-96ac-4e1d-8426-cc0fb9fb72d7\index-dir\the-real-index

Filesize
72B

MD5
0bebd6efdd7783b78f5330979e7a0f24

SHA1
08faa04df55aa6809053f8f928b48d04aafac51d

SHA256
1c90aa4fa61042b12b97b3d218ad5f02354659c26a21f2696c98f286d73222a8

SHA512
055e8f78219d1fa271e1255cd537c0329a100303c74a5aa8f9f1f249545aa6846e7b1fd2342c756940de0ffdaba065cd2dbe15734192be4cea17bfce4181fa7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\c971e2fa-b8a2-47b5-a4ad-0a1b8ab2c3f5\index-dir\the-real-index

Filesize
2KB

MD5
48da9a2664400818804cfbd04277cf7c

SHA1
8902600032bc8187f7a7c38f641d9c7d1dfb524f

SHA256
d6814e9d08190918187a5d40c1b7d29466baedc5fc44b34b3db8ceee1af02aa1

SHA512
c0a8c4113d214612d4e3a335e858c3798bb21a00820ad962e949a5fea2f351badc7f4220d98799c4749e7d706b597f6273105443477128a0b26e1ceed726d429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\c971e2fa-b8a2-47b5-a4ad-0a1b8ab2c3f5\index-dir\the-real-index~RFe57d6e7.TMP

Filesize
1KB

MD5
a1cf8b3bfd14120d46e1f2db962d9742

SHA1
3c5d8491496c28ecd804eb5c884e0d5743392c2b

SHA256
15ca4096742552a2edee3ec3683ff7528fa6d6fae8c1e1c0228812e6d53c3fd4

SHA512
98f9b83ae4e3b996b853f3148cfc5d7facd3da1e378e8d2448a83285b407991748a8e03c4515fbe46ea98db8e1ca5ea7d587a05ff74e4b18da5bcf71bfdbbca5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
253B

MD5
3d3ae5f3f407d9edf74a45a392710353

SHA1
ed8e0b4d1faf656e08df696cf0c647df092f228d

SHA256
c4d0aefbab3ba464803fd75b80c0b31f64603af92b0401b83612f01faef092c4

SHA512
587f92b7918943110c56919eb608bf341cad316d5af309d6d7f2288e9cf21802b0d4c81d61b6404d989e5d03524145261f486b303f917c0362a6bd615604f1a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
5eded25b30a2cb5021c5a93ebabf9c91

SHA1
8efe2bfe4076d4e7c064bb819cc2df774fe9c03e

SHA256
45574227fb3c84ecc5f9b9c9a138d194a0a984f79a471bfce9059f7925abad6c

SHA512
04bd01241fd2309b99f3b3ea7d2459bc67313193666ed4e60eff610de4e81d00b0ec9a7c1f82429c64ad2e883bc4709cd39e3212d00c27e7ca7474176ebcdafa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
322B

MD5
3e6c935dbf53355fb141cdbaa2542bb3

SHA1
bb85c74aebd1cca24329406b5570e5627df6216c

SHA256
7137a0eb03c37bf5ce9fd22037f337b3bb59d0a0cb9bfe5540b354d4b9972e37

SHA512
abbfa73be3951de28fdc5181c59420575cdcbc28e8d0b6a53188c963a1dbb267276ec9eb20a2a5e0e03d858d0b98c9fdc8e8f841f0da2f1ec42379c5bcefd70e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\f1cdccba37924bda_0

Filesize
116KB

MD5
220387681e3753fdfa7d164e7fd84fe9

SHA1
36e146a9163d8c3ea91d24237211b62f256f4fc3

SHA256
85536bf0064fd536ee34adc977ca9c0ea7ff783120539c2bd0560dcb0ba37f2d

SHA512
ba266fa5108146307840e5028de35e8a7ee9570e1141911f3226c608432d15a6446bb69ed1c3fd657bea4a12c37df58a795e2a9be305ff2d6fc4992ee4d8cb47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
aed14dd7f702916386a8119099cffbba

SHA1
50ce24615faf8c8c168f9495591a06e2cc785492

SHA256
f920617f25e36b31664aa8942c6279f55f4c4c2517539343240b83fe316b20e7

SHA512
e4c9a997a03941fb8b0344452334a437eccc0e8118a2ad3a0c4cdaa0852210ad3e55dd87824bff5633a86ecbbe4434896af4b77e6fe85056471cd2cadab3f160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c64d.TMP

Filesize
48B

MD5
0e8db3e15ee463ca3906b27db07ffe76

SHA1
581e14be63eb76e1cea0a88e763c99ff8ffa2e37

SHA256
e6ca33f4a1cbb0e2ee25eb06be62a4da8630fff814c466ec21ec2c5d012b2a18

SHA512
be7f4216a9f143df4909baa6bdd96493af1596b5832f8b7814d7a0994720cebab5c95f0caf3f6deb4b02255ac187b223a2bce5ecb9789bc322578209b496c082

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
200071836ea2bcae0564652118d1c16c

SHA1
6cb66476c989f5d1faa6b5b8d5680e0847fb26d2

SHA256
7f4638531506346cf60fd8ba8b51a2d4fee61b41acf9004b721dff6d4de9ca70

SHA512
ad98c6c583518be6a400a72eb5bcf0c5e31b6cd4a0e6c67cec344da34698517b0a3ff3d0eace830eab9fe5a7d08e34864ddcc61fb09fc405723fa2fde5782577

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.3.10\data.txt

Filesize
113KB

MD5
60beb7140ed66301648ef420cbaad02d

SHA1
7fac669b6758bb7b8e96e92a53569cf4360ab1aa

SHA256
95276c09f44b28100c0a21c161766eda784a983f019fc471290b1381e7ed9985

SHA512
6dfa4eca42aea86fba18bc4a3ab0eed87948ea1831e33d43426b3aca1816070ecb7fd024856ad571ca2734214a98cc55e413502b3deef2c4a101228a7377e9d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
3f415b27f77ed1875fe77c6a9d0f5e6b

SHA1
ea46ba1ac1c73af5629c7a8392168424a0f9bb9c

SHA256
cea9cb6a4e29805923d1ff37b899ac5ac7cfa0b7214a0100a839dca57474dcd7

SHA512
2280d88b38b0f738207be9d265a9258f7f0f89a68585c9af91a2ccec43fd6f8671e3e97ad61a030189d2e4441c5fcf657abcfee3e0573d7624eef42700fe6977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
898B

MD5
18225ad4dcef3f59ebae1a92ebb90841

SHA1
1485a2ff5e0e641013693146f6ef748669556b68

SHA256
b930f14ff958f3af11be54b0730e583c3594673ed48cd5e425f52dc1b4a00743

SHA512
0dec17692964342116bd37557b1cf820f8e9e70859d26d1c768a90980eb4a0ec101dfdd38552713fe3fc333e60ace5e4f4ffc1b51f7e7e7a59fd28f28ba5e1db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
467B

MD5
9cba67098f378bfcf2db4692bc83017b

SHA1
32877ed7c25333a1dc8f6d02c29a799495d10266

SHA256
ce109c1a2fdb8afbca733689e3b8e00216cee2dc0f57bb70d18cf71978f12081

SHA512
78433f5f567c2d3147873befa30d00f9bb2692a5d845bbf592861ed080e01aaf81b8c70caec7391a68bbe633983ed9d12e6bb62edd78ca5c75fc772e6ab03335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.1.31.0\edge_checkout_page_validator.js

Filesize
1.1MB

MD5
0e3ea2aa2bc4484c8aebb7e348d8e680

SHA1
55f802e1a00a6988236882ae02f455648ab54114

SHA256
25ffb085e470aa7214bf40777794de05bf2bb53254244a4c3a3025f40ce4cef7

SHA512
45b31d42be032766f5c275568723a170bb6bbf522f123a5fdc47e0c6f76933d2d3e14487668e772488847096c5e6a1f33920f1ee97bc586319a9005bacd65428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18346.18345.1\json\wallet\wallet-checkout-eligible-sites.json

Filesize
23KB

MD5
16d41ebc643fd34addf3704a3be1acdd

SHA1
b7fadc8afa56fbf4026b8c176112632c63be58a0

SHA256
b962497993e2cd24039474bc84be430f8f6e6ab0f52010e90351dc3ff259336c

SHA512
8d58aa30613a2376ccc729278d166a9b3ec87eca95544b9dec1ee9300e7dd987326ea42d05dca3f1cc08186685f2fdaf53c24fd2b756c1ed9f2b46436689dc74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18346.18345.1\json\wallet\wallet-notification-config.json

Filesize
804B

MD5
4cdefd9eb040c2755db20aa8ea5ee8f7

SHA1
f649fcd1c12c26fb90906c4c2ec0a9127af275f4

SHA256
bb26ce6fe9416918e9f92fcc4a6fe8a641eceea54985356637991cf6d768f9fd

SHA512
7e23b91eab88c472eec664f7254c5513fc5de78e2e0151b0bcc86c3cd0bf2cb5d8bb0345d27afdd9f8fcb10be96feaa753f09e301fa92b8d76f4300600577209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18346.18345.1\json\wallet\wallet-stable.json

Filesize
81KB

MD5
2e7d07dadfdac9adcabe5600fe21e3be

SHA1
d4601f65c6aa995132f4fce7b3854add5e7996a7

SHA256
56090563e8867339f38c025eafb152ffe40b9cfa53f2560c6f8d455511a2346a

SHA512
5cd1c818253e75cc02fccec46aeb34aeff95ea202aa48d4de527f4558c00e69e4cfd74d5cacfcf1bcd705fe6ff5287a74612ee69b5cc75f9428acfbdb4010593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18346.18345.1\json\wallet\wallet-tokenization-config.json

Filesize
34KB

MD5
ae3bd0f89f8a8cdeb1ea6eea1636cbdd

SHA1
1801bc211e260ba8f8099727ea820ecf636c684a

SHA256
0088d5ebd8360ad66bd7bcc80b9754939775d4118cb7605fc1f514c707f0e20d

SHA512
69aff97091813d9d400bb332426c36e6b133a4b571b521e8fb6ad1a2b8124a3c5da8f3a9c52b8840152cf7adbd2ac653102aa2210632aa64b129cf7704d5b4fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
51KB

MD5
daedbfb2057f72be2c84043c3bbf9a3b

SHA1
3cdc5b3f044ea53ee0963039c9ba176faab8df2c

SHA256
453dc9c8e5cb33e69922175fc04bf48514bff276580fcb4137801f66ea27b895

SHA512
886dbe5277518e4615ec95ad739e2443adc2e606db9a2d3b5662a83b9d204c32c08826b8c6dc422b4c1ecd477c270b91747f382052caf95156c43684289548ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
56KB

MD5
d07a4f49b76bf4fe672fc640e0dc9096

SHA1
829848253f3d4dbf0c11af0ea7b378a5cc642c1f

SHA256
691cfb682dd684c1133b258563a4172d5afbc7efad209c1823f0f74d5db3de4d

SHA512
1b5968bcbc110e3db0aaf606223f1d78d3547771b25fa1434653485df53c52b7232674f56fd8c77c8d4472ad8dc098ce61f5f5c59dd0d1197bee5c0871d64233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
56KB

MD5
5f5264b12f1c888f88b20c250962d254

SHA1
42159b7adac0fc5dee8017acf5d6ccd730e047ef

SHA256
0d7097e66922c92819cd487839668842deefb0b3c524f666e6ef72287d96ebc2

SHA512
fc024397dbabed1cd556f5c7c8f38b62e0dbecaabca28dbd2129aa45f200e7e783128675f32ba31622dffca774db4b0b773cc8ee6f7464b3757f5049537f42a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
56KB

MD5
95da05293b8726acc0f8f8499f0b095e

SHA1
24b743643e14e7825a1c45050dec3e72fdf7df70

SHA256
636840a5ea4c49b57ec29f355678aa151d642a6f2a39a98a291a7f87fd12426c

SHA512
beb8e3122b136a254a532680f89e0b7ba8904767882ca9a0f21cf6f5717bbb4a1d2caa64df33a0f3c871521c9b85776cc683ed17dea4d979976a2820c46bb647

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
cf6b773f06260c15d3dfefd8b48667af

SHA1
9cfc7ff06677b3fa90bbdc622f71499eadd63914

SHA256
b9156d5e38194ead09ea34fd15e738473ba8723dda97a8493f114379be71e653

SHA512
2e8e2ab5bf36b2a6b4035af75b83733c5220b1951b7bbb4cb6ea17eee62df873ff5b46723c0529d194bbe9d673ffa73c186c5f7610f1fe2d4ff533672ed9585f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
cbc89289c0ffa0229c83c898736cec65

SHA1
d087157d11ba2ec2131817c971f9d43849ea90dc

SHA256
2a720b2f57a07a1cb688474efae7702fe73065e29ff5f5816a65ec0b012996e7

SHA512
80fb5acaf23d03df3f72e3f18252f4cf4aa9bd4a47515d66034ff907089da75d90b27696500b1f8b1c00736edcde99c77fea877f9b69caa599268e1391a9c442

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
938bfa9b8692124a37a79c010e4b0822

SHA1
96aeae79e39858f0d4a671b2330e6044905d44b8

SHA256
50584c9a8813c513497d157a0d1be8fd0354a31f3bdc8d1693fd8567ede7a1f4

SHA512
43d1bd388e2b81078c638790b6bf5291abe160a2717df1ab3638bde8d91adc9837db6183634639b45330ec2496925196bf7c1c47329333293b3965647c19ff1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
96680713c2e06c11c5fec03ffc04690b

SHA1
3611b1b83971013cefad53c33ff7687b266df304

SHA256
6b6ee3634f760c58b99a299ac87a145da13b8af0613443f2a8b1a1de693261c0

SHA512
f0b3938089d13d096259ee5badd4393f554e9e0e4d8c07f80036933f884d2ea895b255ed77a0d2bea434e3bfc5cd00d6a286122d859297bd881238e16335ddaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe583592.TMP

Filesize
392B

MD5
d3c428ea61e605e15e0733fa88a1c484

SHA1
3aabf0986966749225ce330b91e8f96f38c80981

SHA256
fb5dbaef323eeecfcfe204612cfaf1b357173a69fb9fae20bcb263309c1e17d0

SHA512
303c4844f34ec6f3fcbe9bddc51f71d206079f66d09146d9fa2c017684ae2c4dc2452c9520725add28b8b8eb79f96c7d46c9bac17bb9d418823a96a9d956bdaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\setuptools\_vendor\wheel-0.45.1.dist-info\WHEEL

Filesize
82B

MD5
bef8b3a8022a44402ce1e4466e43ab6f

SHA1
7da0861c6561cf0068f7e55d55ff014b355ab122

SHA256
0a950253178741b44de54191407611268acee407fe432fdf1cc72d710f034862

SHA512
a71d07a3ce845cba7fa4853391b0885da9bc29c4060f0fad01aae87ba74d6018333851c5e44c982f38b1ddf45d6409861b2a12a72c694b125b9ddbc312d0a2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\VCRUNTIME140_1.dll

Filesize
48KB

MD5
68156f41ae9a04d89bb6625a5cd222d4

SHA1
3be29d5c53808186eba3a024be377ee6f267c983

SHA256
82a2f9ae1e6146ae3cb0f4bc5a62b7227e0384209d9b1aef86bbcc105912f7cd

SHA512
f7bf8ad7cd8b450050310952c56f6a20b378a972c822ccc253ef3d7381b56ffb3ca6ce3323bea9872674ed1c02017f78ab31e9eb9927fc6b3cba957c247e5d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_asyncio.pyd

Filesize
70KB

MD5
70dec3ce00e5caf45246736b53ea3ad0

SHA1
3cd7037d211ebf9bd023c248ec6420f193ad7ed2

SHA256
8cef0cd8333f88a9f9e52fa0d151b5f661d452efbcfc507dc28a46259b82596c

SHA512
eddbeb527c01167fb69d9c743495c868073b5cacae3652d777b6a635c4feb0344f085bdc2aeb6a775ffef8056394ddb4df5cd47e622ccbf974d11c30857fd536

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_bz2.pyd

Filesize
84KB

MD5
057325e89b4db46e6b18a52d1a691caa

SHA1
8eab0897d679e223aa0d753f6d3d2119f4d72230

SHA256
5ba872caa7fcee0f4fb81c6e0201ceed9bd92a3624f16828dd316144d292a869

SHA512
6bc7606869ca871b7ee5f2d43ec52ed295fa5c3a7df31dbd7e955ddb98c0748aff58d67f09d82edcde9d727e662d1550c6a9cf82f9cb7be021159d4b410e7cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_cffi_backend.cp313-win_amd64.pyd

Filesize
175KB

MD5
5cba92e7c00d09a55f5cbadc8d16cd26

SHA1
0300c6b62cd9db98562fdd3de32096ab194da4c8

SHA256
0e3d149b91fc7dc3367ab94620a5e13af6e419f423b31d4800c381468cb8ad85

SHA512
7ab432c8774a10f04ddd061b57d07eba96481b5bb8c663c6ade500d224c6061bc15d17c74da20a7c3cec8bbf6453404d553ebab22d37d67f9b163d7a15cf1ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_ctypes.pyd

Filesize
131KB

MD5
2185849bc0423f6641ee30804f475478

SHA1
d37ca3e68f4b2111fc0c0cead9695d598795c780

SHA256
199cd8d7db743c316771ef7bbf414ba9a9cdae1f974e90da6103563b2023538d

SHA512
ba89db9f265a546b331482d779ab30131814e42ad3711a837a3450f375d2910bd41b3b3258db90b29cd5afccdc695318fc8ad8cd921a57ce25f69aea539b26ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_decimal.pyd

Filesize
273KB

MD5
f465c15e7baceac920dc58a5fb922c1c

SHA1
3a5a0156f5288f14938494609d377ede0b67d993

SHA256
f4a486a0ca6a53659159a404614c7e7edccb6bfbcdeb844f6cee544436a826cb

SHA512
22902c1bcca7f80ed064e1e822c253bc8242b4e15e34a878a623e0a562a11203b45d5ff43904268322a7ef5cebb8e80e5fe1f1f1bcaa972e219348f84a1daf5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_elementtree.pyd

Filesize
131KB

MD5
eed5e3c565099640c146d512e3cedd84

SHA1
e427d8af6a5dc3691b61e815f034f40fd62a6053

SHA256
f7d884c475e5c98006bf7c2abb6b5acbd885157fb809ed2ee06d2347ab409bc0

SHA512
b93cc53a09e0b959c62ba35a804c6fca0aff821b77d6d72047721fa71e27d644eb98f0102df4d33a96bf4bed447e3947ebcedd0c798d50c46e3475d97f57127a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_hashlib.pyd

Filesize
63KB

MD5
cf4120bad9a7f77993dd7a95568d83d7

SHA1
ac477c046d14c5306aa09bb65015330701ef0f89

SHA256
14765e83996fe6d50aedc11bb41d7c427a3e846a6a6293a4a46f7ea7e3f14148

SHA512
f905f9d203f86a7b1fc81be3aba51a82174411878c53fd7a62d17f8e26f5010d195f9371fa7400e2e2dc35fda0db0cbe68367fcaf834dd157542e9ee7a9742b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_lzma.pyd

Filesize
155KB

MD5
3e73bc69efb418e76d38be5857a77027

SHA1
7bee01096669caa7bec81cdc77d6bb2f2346608c

SHA256
6f48e7eba363cb67f3465a6c91b5872454b44fc30b82710dfa4a4489270ce95c

SHA512
b6850e764c8849058488f7051dcabff096709b002d2f427a49e83455838d62a9d3fc7b65285702de2b995858ed433e35a0c4da93c2d5ae34684bf624eb59fa6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_multiprocessing.pyd

Filesize
36KB

MD5
24aee7d83525cb43ad02fd3116b28274

SHA1
68a2870bd5496c959ee7e499f4472d0614fdfd87

SHA256
3262ec7496d397c0b6bfb2f745516e9e225bd9246f78518852c61d559aa89485

SHA512
6ef5082e83f9400e8ffdbb2f945b080085fd48c0e89e2283bcedd193a4e6a9f533f8da78c643dad95db138ec265099110a3a6dc8bc68563dbef5ca08d5e0d029

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_overlapped.pyd

Filesize
56KB

MD5
51e4c701e4efa92a56adaf5bdc9cf49b

SHA1
1adbc8b57e5ec0a90b9ec629323833daead8c3b4

SHA256
9ef177db14cfa3aa66193078c431a96b6ae70858e9dd774b3d3e3cb6e39d10a3

SHA512
35b2d4114aa12843cb767b7d7a2c82b00144fe8fea04b41601b790d8b4026e271148b5186308f461f2ed70d75df7c0ac56c4e023ed069f4f0f6f23f5ea11a2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_queue.pyd

Filesize
33KB

MD5
59c05030e47bde800ad937ccb98802d8

SHA1
f7b830029a9371b4e500c1548597beb8fbc1864f

SHA256
e4956834df819c1758d17c1c42a152306f7c0ea7b457ca24ce2f6466a6cb1caa

SHA512
4f5e7ef0948155db6712e1bd7f4f31cb81602b325ba4e6e199f67693913b4bb70bb2c983393646c0ac0d86ef81071907d04bceb8ab0d506b7c5ac7c389fe692d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_socket.pyd

Filesize
82KB

MD5
69c4a9a654cf6d1684b73a431949b333

SHA1
3c8886dac45bb21a6b11d25893c83a273ff19e0b

SHA256
8daefaff53e6956f5aea5279a7c71f17d8c63e2b0d54031c3b9e82fcb0fb84db

SHA512
cadcec9a6688b54b36dbd125210d1a742047167dad308907a3c4e976b68483a8c6144e02d5cf26f887744dc41af63b7731551287bb3ef8bd947c38c277783c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_ssl.pyd

Filesize
178KB

MD5
ce19076f6b62292ed66fd06e5ba67bba

SHA1
231f6236bdbbe95c662e860d46e56e42c4e3fe28

SHA256
21ca71b2c1766fc68734cb3d1e7c2c0439b86bcfb95e00b367c5fd48c59e617c

SHA512
7357598bc63195c2fd2ddde0376b3ecf5bd0211a286f4a5c1e72e8c68b6e881e7e617f561e7a859c800fe67bec8f4c376e7a6943cab8dacfeda0056b8e864143

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\base_library.zip

Filesize
1.3MB

MD5
8a76258c5757affdf2660748bb047490

SHA1
619c536d2ae8b79cb410b8ac718c4449a45f0406

SHA256
b2fa038989e48034f9e18992510a8f08d595559a866b61b893ef8b17b7cc669a

SHA512
d608d177ab21e43556c6c06dc70910f527206c591812a9b42626936a84264da3fd52b82084b1d6ab6baf8dba201a49ea261a15360750937845bf7a585d275eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\numpy-2.2.4.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\pyexpat.pyd

Filesize
197KB

MD5
0351dc34c06a7e74e977c142a8784da8

SHA1
1096bc9b3ae3a57dc7f684d53191df5365889164

SHA256
b93e6083eb06137cc9191dac0d9cf4483e47192113d3ac2228b4549f737bac85

SHA512
92caee00cc0588d30659d4b0bde38bf229beab0fc07d9aac362b84814b6ea541c39c03aba936124cbfd5d60c219d01cb09eba8005dd2236774503094cbdc609b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\python3.dll

Filesize
70KB

MD5
98b008be9834bfc362b4c2eef4e8cdb9

SHA1
a4a50ced1329c3986e3c1576f089b25aff5ffdf2

SHA256
4f93342b59addedbe45ebd973e6449ab85b11c0aab6ad7962124e293c5d03638

SHA512
d594ffd7d44d4d862475711973df87b08fb63a900ddfd87c7771ad27f0cc71e5fbdce92da4d4ad5856fe3cfb803257ce0b71cd8dc24ca5c421ddb1b9b44c7881

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\python313.dll

Filesize
5.8MB

MD5
501080884bed38cb8801a307c9d7b7b4

SHA1
881b250cc8f4fa4f75111ac557a4fde8e1e217af

SHA256
bf68cf819a1e865170430c10e91c18b427aef88db1da1742020443864aa2b749

SHA512
63d74a4871d1c72c2a79ae8a5d380070f9d2128c16949c3ad36c9862fcc4dab738137ed3d51caf0bc46b36655f8bd8a2d425d68200123415ee8d4de0e1cbebc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\select.pyd

Filesize
31KB

MD5
2663e22900ab5791c6687a264473ae1e

SHA1
d8db587b6c632200ae13be880cc824cdc8390df9

SHA256
baee284995b22d495fd12fa8378077e470978db1522c61bfb9af37fb827f33d1

SHA512
5f29ff4288b9db33976f5f79b9fd07c4900a560bb41fe98c93a33da7a36c0981ffd71f460e81e13e4f6a2debafa6d9284bc1a728734752ba5ad5fbd766659e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tcl86t.dll

Filesize
1.8MB

MD5
3688caba94d9a1dc124df80aef41ac47

SHA1
66b314fc54b1d2475bfb655facacf8a8d6eacfed

SHA256
31560ca3b0eec014013405e9652b9261824232883749f0461d7d4e5f7faea3ab

SHA512
f3cd68e26f008b27370bd5222b6dafd8bb5f312a885db4e2f8f6502a719403263412f2aa7c8451b4ab7c59e674e3746710ce5a3c3c09f0cdb0266f82f226e9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tk86t.dll

Filesize
1.5MB

MD5
d379810228b51c2571d9071eed3286b8

SHA1
a643cda1683168e27a209b397d0eea7bc14c5103

SHA256
34d402f3d6a237aac1165a010016ac032e0ae1a86dcfa03dda49ebfc0af40cad

SHA512
f195c4d38f3e1d6853efae68ef50a2d3e70fc0f3840aa9aa2c1cddaec6a311e60cd86fc84dcdf0d4febf4d0e94bb89238c1408c5781302bbfaeafc613e10084a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\unicodedata.pyd

Filesize
694KB

MD5
c0b4c55ce3711af914b2015f707e4452

SHA1
f1c1e9f8a461cfee1199d2100f5c0796733518b6

SHA256
a67eec238162fde20ac24ca7df931792734aad0611be22d1b3a71bc15acf72f3

SHA512
fa6bd9223898ef0c54ca9a67b10207bfce152eadbaec4c91d4e951d0790f455066f5095ed739fa2452aea1420d154beb00bfa9e6e10b46bed687c5d0d7484900

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\zlib1.dll

Filesize
144KB

MD5
de2e3379deeacbe476b9ee8ddeac7ffe

SHA1
b112c267f5a6e3d06809896708d9ef9f7c118462

SHA256
94675de9234f00e75c73e4973f8fb49a272a1df8003337205cd1b15fb642a168

SHA512
0dbe2d131f41258c81e931bbc459051b26de488030a0ad20cb1d2d8ce8cce0a1ddd17a7049a2878368d7e535428bdc6c7886265f43be27fbc6aeed784080c93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oynn4tsn.03p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5652_888847498\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5652_888847498\CRX_INSTALL\_locales\en_US\messages.json

Filesize
1KB

MD5
64eaeb92cb15bf128429c2354ef22977

SHA1
45ec549acaa1fda7c664d3906835ced6295ee752

SHA256
4f70eca8e28541855a11ec7a4e6b3bc6dd16c672ff9b596ecfb7715bb3b5898c

SHA512
f63ee02159812146eee84c4eb2034edfc2858a287119cc34a8b38c309c1b98953e14ca1ca6304d6b32b715754b15ba1b3aa4b46976631b5944d50581b2f49def

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5652_888847498\CRX_INSTALL\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5652_888847498\CRX_INSTALL\manifest.json

Filesize
1KB

MD5
2a738ca67be8dd698c70974c9d4bb21b

SHA1
45a4086c876d276954ffce187af2ebe3dc667b5f

SHA256
b08d566a5705247ddc9abf5e970fc93034970b02cf4cb3d5ccc90e1a1f8c816e

SHA512
f72b9190f9f2b1acc52f7fbb920d48797a96e62dfc0659c418edbbc0299dccf1931f6c508b86c940b976016745b9877f88f2ee081d3e3d5dcdcc2cc7e7884492

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
6KB

MD5
524cb5b78f6d1f8c47e3e7c205885edc

SHA1
fc39988be9dc85c3e254400d41645796727cf641

SHA256
2f8cd0885866cdfc34147c69affcad52bb0851849124ee8704de08da5bc0a81d

SHA512
12abb7a7f677a6f50ff4180d1d502492317428dc4629c3b0c4ba32f14b247cbbba01308858b10816586a9297ca5c96c9f1436a3a1120c76aaa54109dfb6ff407

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
6KB

MD5
4c1148ebbee85ef73538bfc8d2cceaf3

SHA1
a4fc11faf48ea3c93591dba73668cc613835089f

SHA256
4ebf1f47aa36110eb8f924c9cb1303587f19cd93a35594580fcf3b7061a43b1c

SHA512
8c59e0cf90fb645342198d1d677997bec34b4143bba0be4a853740c1f2c9146173be924d496136458670b2f64e65590fc1ba58919f6c30bf0d936fe60d3b6a18

Download Submit
C:\Users\Admin\Downloads\client.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\test.txt

Filesize
6B

MD5
09c9b7dddd135e112596b295f08a5a99

SHA1
038da8885656071c06b5f239be1adf3f971d459b

SHA256
c4a3f267446bb21cefc67b7771e6e191b8c09262bf86dc9e25458245592d5c01

SHA512
787cc8d6ae32a6500c4e4929410925ea8ff2e9cacf37d491203dedc5f06e4ab4540fece587dd4c48391af234efe1ec474df742e9e7bbe4ddfeadf061b6073cef

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\Notification\notification_fast.bundle.js.LICENSE.txt

Filesize
551B

MD5
7bf61e84e614585030a26b0b148f4d79

SHA1
c4ffbc5c6aa599e578d3f5524a59a99228eea400

SHA256
38ed54eb53300fdb6e997c39c9fc83a224a1fd9fa06a0b6d200aa12ea278c179

SHA512
ca5f2d3a4f200371927c265b9fb91b8bcd0fbad711559f796f77b695b9038638f763a040024ed185e67be3a7b58fab22a6f8114e73fdbd1cccdda6ef94ff88f3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\Tokenized-Card\tokenized-card.bundle.js.LICENSE.txt

Filesize
1KB

MD5
8595bdd96ab7d24cc60eb749ce1b8b82

SHA1
3b612cc3d05e372c5ac91124f3756bbf099b378d

SHA256
363f376ab7893c808866a830fafbcd96ae6be93ec7a85fabf52246273cf56831

SHA512
555c0c384b6fcfc2311b47c0b07f8e34243de528cf1891e74546b6f4cda338d75c2e2392827372dc39e668ed4c2fd1a02112d8136d2364f9cab9ee4fa1bd87f5

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\json\i18n-tokenized-card\fr-CA\strings.json

Filesize
2KB

MD5
cd247582beb274ca64f720aa588ffbc0

SHA1
4aaeef0905e67b490d4a9508ed5d4a406263ed9c

SHA256
c67b555372582b07df86a6ce3329a854e349ba9525d7be0672517bab0ac14db5

SHA512
bf8fa4bd7c84038fae9eddb483ae4a31d847d5d47b408b3ea84d46d564f15dfc2bae6256eac4a852dd1c4ad8e58bc542e3df30396be05f30ed07e489ebe52895

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1049797843\manifest.json

Filesize
121B

MD5
16f004af39a3675a73f5c15f6182a293

SHA1
e7027edbadfd881e03d8a592ae661a985fd89cd7

SHA256
4e5ef1851bc910ceeb59a63bb53725cf5d8149feff9483e960b54cc26fdc419b

SHA512
8ef0d80259b5a38424676918f07238a76c527b643267008999dc3b2cff5c93e29ae85cbf0605f0d0b4f880fd6ae96254ebd30e5b80097eea95f5d27b5d461ff6

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1076242788\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1162433469\manifest.json

Filesize
145B

MD5
465cc76a28cc5543a0d845a8e8dd58fa

SHA1
adbe272f254fd8b218fcc7c8da716072ea29d8ba

SHA256
e75fb1fa1692e9720166872afe6d015e4f99d4e8725463e950889a55c4c35bb9

SHA512
a00286cd50d908883a48f675d6291881ad8809dcae5aca55d5d581e6d93a66058e1fe9e626852bf16e5bb0c693a088a69d9876ccac288181b1f74254bf1da1a2

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_1305197863\manifest.json

Filesize
53B

MD5
22b68a088a69906d96dc6d47246880d2

SHA1
06491f3fd9c4903ac64980f8d655b79082545f82

SHA256
94be212fe6bcf42d4b13fabd22da97d6a7ef8fdf28739989aba90a7cf181ac88

SHA512
8c755fdc617fa3a196e048e222a2562622f43362b8ef60c047e540e997153a446a448e55e062b14ed4d0adce7230df643a1bd0b06a702dc1e6f78e2553aadfff

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_2053196927\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_2053196927\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_410475699\manifest.json

Filesize
1003B

MD5
578c9dbc62724b9d481ec9484a347b37

SHA1
a6f5a3884fd37b7f04f93147f9498c11ed5c2c2d

SHA256
005a2386e5da2e6a5975f1180fe9b325da57c61c0b4f1b853b8bcf66ec98f0a0

SHA512
2060eb35fb0015926915f603c8e1742b448a21c5a794f9ec2bebd04e170184c60a31cee0682f4fd48b65cff6ade70befd77ba0446cc42d6fe1de68d93b8ea640

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_536457362\manifest.json

Filesize
176B

MD5
6607494855f7b5c0348eecd49ef7ce46

SHA1
2c844dd9ea648efec08776757bc376b5a6f9eb71

SHA256
37c30639ea04878b9407aecbcea4848b033e4548d5023ce5105ea79cab2c68dd

SHA512
8cb60725d958291b9a78c293992768cb03ff53ab942637e62eb6f17d80e0864c56a9c8ccafbc28246e9ce1fdb248e8d071d76764bcaf0243397d0f0a62b4d09a

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_689283366\manifest.fingerprint

Filesize
66B

MD5
496b05677135db1c74d82f948538c21c

SHA1
e736e675ca5195b5fc16e59fb7de582437fb9f9a

SHA256
df55a9464ee22a0f860c0f3b4a75ec62471d37b4d8cb7a0e460eef98cb83ebe7

SHA512
8bd1b683e24a8c8c03b0bc041288296448f799a6f431bacbd62cb33e621672991141c7151d9424ad60ab65a7a6a30298243b8b71d281f9e99b8abb79fe16bd3c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1488_689283366\manifest.json

Filesize
134B

MD5
049c307f30407da557545d34db8ced16

SHA1
f10b86ebfe8d30d0dc36210939ca7fa7a819d494

SHA256
c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54

SHA512
14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780

Download Submit
memory/232-2627-0x000001565C560000-0x000001565C582000-memory.dmp

Filesize
136KB

Download
memory/1996-2652-0x00007FFEAD1A0000-0x00007FFEAE506000-memory.dmp

Filesize
19.4MB

Download
memory/2640-6393-0x0000020B7FC80000-0x0000020B7FE42000-memory.dmp

Filesize
1.8MB

Download
memory/2640-6394-0x0000020B00530000-0x0000020B00A58000-memory.dmp

Filesize
5.2MB

Download
memory/2752-6084-0x00007FFEA7200000-0x00007FFEA8566000-memory.dmp

Filesize
19.4MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads