netwire | 093cb9134822c32a6eeb8b0f33ccf5d9e2371fcacffafa38d09cbdc6b364a31a

Analysis

max time kernel
625s
max time network
456s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
29-05-2024 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Key-Steal.zip
Size

227KB
MD5

291a0a1b75d4375fa54f62f25d7a136a
SHA1

33079c44648402bbd770dfd158e9623b1dbbf145
SHA256

093cb9134822c32a6eeb8b0f33ccf5d9e2371fcacffafa38d09cbdc6b364a31a
SHA512

e949a75be481cf31a3f959479d838782548446a823b54ea90b36c82e362008b9bbcea31a8662d6949df19959f620044b9fd218321fff37b4f6aa8f0d1c2babd5
SSDEEP

6144:17rXTrWeVB4PHWrf9F7ri9rGbAUH4PHa4D99Do9ow:ljr1VBcHWP2/UHcH/Rlo9z

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

23.95.88.13:3360

86t7b9br9.ddns.net:8980

Attributes

activex_autorun
true
activex_key
{3GYL0VK1-5SB1-4X20-W6B8-PQP7L2B50166}
copy_executable
true
delete_original
true
host_id
HostId-yaq2Oq
install_path
%AppData%\Install\Host.exe
keylogger_dir
C:\Documents and Settings\Administrator\Application Data\Logs\
lock_executable
false
offline_keylogger
true
password
doctor
registry_autorun
true
startup_name
system
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4640-890-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1716-891-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/4640-892-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1716-893-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
460	4640	WerFault.exe	f61a7fa3ca28133a6fcefa0e04b0de4dc1e4020a87388b4b3a315dc8dc18194e.exe
3184	1716	WerFault.exe	8dfa86ab54225a8e1c2027172d71cebf13dfa2e622ac9cc06fe1058b6be3ff20.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Taskmgr.exeTaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133614950433369880"	chrome.exe

Modifies registry class 3 IoCs

Processes:

chrome.exefirefox.exeMiniSearchHost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2551177587-3778486488-1329702901-1000\{F695F1AC-D154-4B16-98E4-2445C70A6F2C}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeTaskmgr.exeTaskmgr.exe

pid	process
2292	chrome.exe
2292	chrome.exe
1056	msedge.exe
1056	msedge.exe
5108	msedge.exe
5108	msedge.exe
3776	identity_helper.exe
3776	identity_helper.exe
1828	msedge.exe
1828	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
2272	Taskmgr.exe
2272	Taskmgr.exe
2272	Taskmgr.exe
2272	Taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

chrome.exemsedge.exe

pid	process
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exefirefox.exemsedge.exeTaskmgr.exe

pid	process
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
4984	firefox.exe
4984	firefox.exe
4984	firefox.exe
4984	firefox.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exefirefox.exemsedge.exeTaskmgr.exe

pid	process
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
4984	firefox.exe
4984	firefox.exe
4984	firefox.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe
4876	Taskmgr.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

firefox.exeMiniSearchHost.exe

pid process

4984 firefox.exe
4984 firefox.exe
4984 firefox.exe
4984 firefox.exe
4984 firefox.exe
4984 firefox.exe
4984 firefox.exe
4984 firefox.exe
4984 firefox.exe
4984 firefox.exe
2200 MiniSearchHost.exe

pid	process
4984	firefox.exe
4984	firefox.exe
4984	firefox.exe
4984	firefox.exe
4984	firefox.exe
4984	firefox.exe
4984	firefox.exe
4984	firefox.exe
4984	firefox.exe
4984	firefox.exe
2200	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2292 wrote to memory of 3380	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 3380	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 4076	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 3132	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 3132	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2284	2292	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Key-Steal.zip
1⤵
PID:780

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff10b8ab58,0x7fff10b8ab68,0x7fff10b8ab78
2⤵
PID:3380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1808,i,12398194011554622504,8948107876904219997,131072 /prefetch:2
2⤵
PID:4076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1808,i,12398194011554622504,8948107876904219997,131072 /prefetch:8
2⤵
PID:3132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=1808,i,12398194011554622504,8948107876904219997,131072 /prefetch:8
2⤵
PID:2284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1808,i,12398194011554622504,8948107876904219997,131072 /prefetch:1
2⤵
PID:1908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3184 --field-trial-handle=1808,i,12398194011554622504,8948107876904219997,131072 /prefetch:1
2⤵
PID:2256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4232 --field-trial-handle=1808,i,12398194011554622504,8948107876904219997,131072 /prefetch:1
2⤵
PID:1108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4388 --field-trial-handle=1808,i,12398194011554622504,8948107876904219997,131072 /prefetch:8
2⤵
PID:2076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4520 --field-trial-handle=1808,i,12398194011554622504,8948107876904219997,131072 /prefetch:8
2⤵
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1808,i,12398194011554622504,8948107876904219997,131072 /prefetch:8
2⤵
PID:4056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4824 --field-trial-handle=1808,i,12398194011554622504,8948107876904219997,131072 /prefetch:8
2⤵
PID:3460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1808,i,12398194011554622504,8948107876904219997,131072 /prefetch:8
2⤵
PID:1944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1808,i,12398194011554622504,8948107876904219997,131072 /prefetch:8
2⤵
PID:4092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1808,i,12398194011554622504,8948107876904219997,131072 /prefetch:8
2⤵
PID:4432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4896 --field-trial-handle=1808,i,12398194011554622504,8948107876904219997,131072 /prefetch:1
2⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4900 --field-trial-handle=1808,i,12398194011554622504,8948107876904219997,131072 /prefetch:1
2⤵
PID:2940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3356 --field-trial-handle=1808,i,12398194011554622504,8948107876904219997,131072 /prefetch:8
2⤵
PID:1020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3276 --field-trial-handle=1808,i,12398194011554622504,8948107876904219997,131072 /prefetch:1
2⤵
PID:3176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4272 --field-trial-handle=1808,i,12398194011554622504,8948107876904219997,131072 /prefetch:8
2⤵
PID:1044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3260 --field-trial-handle=1808,i,12398194011554622504,8948107876904219997,131072 /prefetch:8
2⤵
- Modifies registry class
PID:2948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2796 --field-trial-handle=1808,i,12398194011554622504,8948107876904219997,131072 /prefetch:8
2⤵
PID:3332

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3176

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4120

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4984

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.0.326450677\2023137608" -parentBuildID 20230214051806 -prefsHandle 1788 -prefMapHandle 1780 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d36a2f2-479f-45df-b372-8531733b14bb} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 1708 28a1e50a658 gpu
3⤵
PID:2416

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.1.258166993\379693134" -parentBuildID 20230214051806 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6239b52e-e839-4beb-bf43-fbca9e2409dc} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 2372 28a1168ae58 socket
3⤵
- Checks processor information in registry
PID:2372

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.2.825825812\1997212698" -childID 1 -isForBrowser -prefsHandle 2772 -prefMapHandle 2888 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1368 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ce48b6c-e85e-4944-bd56-7dc5f5b03482} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 2884 28a21206758 tab
3⤵
PID:4852

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.3.1125098860\1930068333" -childID 2 -isForBrowser -prefsHandle 3444 -prefMapHandle 3456 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1368 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41524c61-aa1e-444c-be21-c08fec588022} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 3288 28a23987858 tab
3⤵
PID:3172

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.4.166171222\822028863" -childID 3 -isForBrowser -prefsHandle 5176 -prefMapHandle 5172 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1368 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {274e6e08-3d06-424b-9cfb-886392677f83} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 5184 28a2592a858 tab
3⤵
PID:1964

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.5.1723150031\1772018406" -childID 4 -isForBrowser -prefsHandle 5328 -prefMapHandle 5332 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1368 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4a3ed95-b309-4967-877c-26e795491985} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 5316 28a264f5b58 tab
3⤵
PID:1776

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.6.283225114\1062726506" -childID 5 -isForBrowser -prefsHandle 5604 -prefMapHandle 5600 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1368 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf5bce37-dd8e-4dde-8a56-3eb17519531d} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 5612 28a264f6d58 tab
3⤵
PID:2812

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.7.1983564700\1194544263" -childID 6 -isForBrowser -prefsHandle 4948 -prefMapHandle 5576 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 1368 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f08868d-6e72-4192-8411-514594e587a7} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 5868 28a23b70358 tab
3⤵
PID:1912

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.8.1051053599\740161469" -childID 7 -isForBrowser -prefsHandle 6016 -prefMapHandle 6012 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 1368 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c2ee9ca-2646-44f5-bb4e-4e8400fd8322} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 5928 28a23b71258 tab
3⤵
PID:3288

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.9.1391667732\1022927306" -parentBuildID 20230214051806 -prefsHandle 2708 -prefMapHandle 4996 -prefsLen 28076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc79c997-dcf4-4dc5-a52f-4ef7c5d66981} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 4980 28a11686858 rdd
3⤵
PID:1716

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.10.1579624093\204256158" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 6180 -prefMapHandle 6164 -prefsLen 28076 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {591ee62c-76c6-483c-a7ce-f8fda7f62a98} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 6252 28a11683558 utility
3⤵
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff2a723cb8,0x7fff2a723cc8,0x7fff2a723cd8
2⤵
PID:1712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,2900232961819259502,1684563680169145138,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
2⤵
PID:2120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,2900232961819259502,1684563680169145138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1996 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,2900232961819259502,1684563680169145138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
2⤵
PID:1808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,2900232961819259502,1684563680169145138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
2⤵
PID:1188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,2900232961819259502,1684563680169145138,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
2⤵
PID:1664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,2900232961819259502,1684563680169145138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
2⤵
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,2900232961819259502,1684563680169145138,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
2⤵
PID:496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,2900232961819259502,1684563680169145138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
2⤵
PID:2104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,2900232961819259502,1684563680169145138,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
2⤵
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,2900232961819259502,1684563680169145138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,2900232961819259502,1684563680169145138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
2⤵
PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,2900232961819259502,1684563680169145138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,2900232961819259502,1684563680169145138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2000 /prefetch:1
2⤵
PID:2324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,2900232961819259502,1684563680169145138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
2⤵
PID:3920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,2900232961819259502,1684563680169145138,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6124 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2648

C:\Users\Admin\Desktop\f61a7fa3ca28133a6fcefa0e04b0de4dc1e4020a87388b4b3a315dc8dc18194e.exe
"C:\Users\Admin\Desktop\f61a7fa3ca28133a6fcefa0e04b0de4dc1e4020a87388b4b3a315dc8dc18194e.exe"
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 416
2⤵
- Program crash
PID:460

C:\Users\Admin\Desktop\8dfa86ab54225a8e1c2027172d71cebf13dfa2e622ac9cc06fe1058b6be3ff20.exe
"C:\Users\Admin\Desktop\8dfa86ab54225a8e1c2027172d71cebf13dfa2e622ac9cc06fe1058b6be3ff20.exe"
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 424
2⤵
- Program crash
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4640 -ip 4640
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1716 -ip 1716
1⤵
PID:1020

C:\Windows\SysWOW64\Taskmgr.exe
"C:\Windows\SysWOW64\Taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4876

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:2272

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2200

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
480B

MD5
abe0c50a6c13bdcba1e5b34d05e3ce05

SHA1
cdde2a437772bab9d9c5b2ccd7cb46f1ee71af49

SHA256
d59631876402e5758e63754fc36854da37c17497207c462d232fc60d74631d2a

SHA512
a5a4d8d97782fec905bab097f4e3a73e3e785ffb1feca67e9ffeaff70353b1595878a05256896d60d84a8fb7a795dbf6c669b7b7909cd461fd547c753ed595ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
Filesize
152KB

MD5
0b303f53cf6f66f45b46a222e3bf020e

SHA1
bdd68adcd354d285dc598181df81caa8f4e7cb34

SHA256
71117da922202c46d76dc695b08f7d13f9c1f8e388d4521e6ea8c28de5b20aef

SHA512
d486ae6678f19afa1ac4b657af6f4ea9f9d1e1562a24266904507e07e245401dc2cadfc745324d6b1e479d46499e44922d311f5caa60fcdeae21fdd471fc16a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data
Filesize
46KB

MD5
61fde67ebae6cab7992edf35751b58e5

SHA1
8fb94355f9974aa51e1ba2be651d02dc17b85133

SHA256
91af4d46d3e072fc95c01ec6b2ae94d920bda3a308034da0c84533cb1d700813

SHA512
3283a466ac0a0f924bb6e939744a9473f043eb6804a19bd57af3444bf89b6dc748a55c16cbb0f71aa37120bff97177f13968b654b1aff3e0d21529c5dbeaada8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
f1a861269068253e1fac5acd81c9ffda

SHA1
369ed03a3e1c13083cdae87c2085fa55a5ab07ec

SHA256
813298a5471604d92c3cf59bfb11c9314223c50eca344779f14fa46fe8acc2f5

SHA512
2601f4257918a6bd4502f0855d6ba61e71e17305059b36f1923227fc3537900cab7953a015f7f86a64ac2827e89d7f2ca027ba0582681c8087404c9bbaa4f963

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
523B

MD5
66a62122678bf0b014e6dee5be23ccef

SHA1
3858585a5e9fcb366d2810a175939ac5e3efce7d

SHA256
e039f87ee344cb03e91adddd4a43c6f483a55022ebd884e830c25df40b164087

SHA512
2b688bc59aae7ec5147cceee04ca08f59d2c48e04747bc2d574a65b69743ee9fa408ac1fbf95ef07dd7e10f87a8d16de99f13e46759a9354686aa6c66e3c73de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
523B

MD5
c2610016e52aabcedc56f8cbc12506b0

SHA1
61b99eb0b7d37a98f2729e0add786989b50fc7d9

SHA256
9634058906f45e63d1c4bbf62d77307b4be4d4deed8f5e1af6344886b6020fea

SHA512
e9472767f5621b2f6abf39a61a187de4e5b06de1b2226f63fe3e0cd126173709f831d2853bac27517393f7319f640778421f9b2595640f6db0db93bf1c191c5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
523B

MD5
e7f702f261f6653e0dfa564ccec92fef

SHA1
c282dce96859e54c6cc2fbe6f4e21104d656d250

SHA256
f1b52c94c7b46d5733bbec1f3c23a141f78d6ecd0ce8be0478324b2787494c07

SHA512
99d82124687bb40a385263a394aed3ad9b583f77c69b6d759edd7044b2f4c3b9748a035f5621165c57f581161774077a81dd06b8b663412565799bfa843bdd90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
9c7038ebf8da2e7bf6379fd08f2938f6

SHA1
d8a94a5f9b633f5367d07ee6c834a904b1a390d0

SHA256
f5384297cf38b2f1cb02d70835833c969112de3666c681a893cc5a03be9588c3

SHA512
bff660899313417500c8142f57ae0fbbfd20a9e47ca8136946dc9d2e0bf41891af1cdd692a92d86147af43784f5c3b0ae10c154f6e1a0bbb6d707ca7456020a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
c6e148d49e73df284fe20fc4a53cc131

SHA1
ba1412fa78a72280269d232d238b6a3d1ddb68f2

SHA256
08a65c56dcf28834adeaf32f93d124520e1d7f75cd4fda71324344373ec9bab9

SHA512
e72238e14677e3f3bc11949ee7b81886a987c30963c9f2628f22e8e708ec9e77093e6c86afb62b606f42ea3ed03d03718536098f98ae6595e638f78e0ae50205

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
820153eadb35ee03c5d174f1abb46945

SHA1
fab62d30c7b2cda2711cc79b5e0b993988cf8127

SHA256
a042b1c3765447cd599c7183cffb08d302eeda79fb1c4ad3c54004ff9fbc8aca

SHA512
229e887e5766f509094ef1b841f63db76ed9a52fe283f5baf44ab67d9d7d1731d82af29cf68f25577ec651ef7ef415d5327ec3e27ed2a455576b509740c41ec9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
4189bbe192a586f05c5dd3217c346d2d

SHA1
0c23a60e952e7c9dca9938c951d5255af4bf736c

SHA256
78ac3f5beed873dd83372539ecb20a74c1437d494b341c7213964dfb57607fb8

SHA512
eeedbfb63e29e5b6461609248529e13b1a7da586d98f218f5717cfd50dcacc08f6c1f8948c6696aafd511010ea39f8bd4319a9c6817f839d1f372541c29e127b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
e9db45f079142259dc06e86cfd8c05bb

SHA1
4169224848f03acad89fb114301003b4942653a8

SHA256
762b05725a1c0b7a34c1793e8fc234cdaf088283185a8242bbca7eb7c9593072

SHA512
06cac07e90f5271e2891caa3a39c47a95cb0c75fef528d578cc859b7e800e08d14a21d486c6db50bb95ed670c6d67b505370368e70b8f8cfde77d8a2216e8cdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
cd11ca7625fa01fe8f3779f5ca38afc4

SHA1
7c27f9baed3bdf6f3cb66ef02f0feba52236fd19

SHA256
97d54ee0414007e8f7c3a939b5e1901594046d92eb23b44ed61ee2b1f2523828

SHA512
a4e4dfd27acad2cb498a13a0a4b23956b790e4996c327f34d33f1cfc4d8b27ff45c3d52cb989d4663f8c264c89f34c8f126a4cebbb2f04e30e5ed0570cfd00e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
4edf267a369a405d2bd87ca1604f2a93

SHA1
287b96034fe0dded1b3946533486575104b6fd34

SHA256
aa8f3b8c59558152c06c45e02af589ee3c19df09d37e8cd242b827b0aeb3a389

SHA512
1305d1d1b35be01e7dd65817df796c9c047d719b8cd243baabc48098efa3c411becdc0045b6b33e53580f4d0b21e0127f0c30036a3101f8d0d19d7f6cc4b7edc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
c1e2dd7e4e907af6d09527c98b1f2d1e

SHA1
33dcad72a80921adc7b68801190bb180f9672117

SHA256
d66494f7a36c64b617a57c5abf46a60695be7747f35995962fce5f98c0fda1ca

SHA512
a2f48ed8fc006de3e0c3e67b1f7c78d959655102c566209d5a97eebfbb253a39b18aabeb748a41c299fe8f7336c7f7240c7afe74991021992cbff47bc68adf5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
a7d676e15877432e020e51b98e32da1d

SHA1
bb657013c8b647f3440209dd0476285185133b06

SHA256
dfeba541782e112105b53ce4e8f9856d97e0e114ff40f34cb712731d1ba62a7f

SHA512
91bde2f6db761a0cd77c1d5c8592bdbafd2c844046d000234e1e99bcb3391e1c072cff63506c87a44577cb4c0130ed4cade97cae30db904c8c522fa556746314

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
9d782aa03c06a153c4f6822a0d20bcb4

SHA1
c244d8f5ca9d8ad26662f36b80a96ec53efcd0e4

SHA256
a84252e6030659036bfa33504e6856822b67a475cf040d3ae7116f215ac9f52f

SHA512
377c7b396c90f0a99a417f212dd5aeb71edf09705c48aeaa2f9b7ec47d23467f49328aaf61b0116bc11ae72d9d809ee30ed689a1f0d7bf4a16b6a27667e784e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
87KB

MD5
6c409957755722ee9e26c7537b19d98b

SHA1
249eb7d39d41e855bbb3e9d70612893ac4b6a011

SHA256
4463c182a810c41c245fa2b76d3803af847983c373f494a8a0c1fe1892a6d416

SHA512
f4c302168abd6345f4db90011442b495662a38d8945c5ac835cfc0b6a10e7c7319240f8b36f2d69c93b582a875164cd4f38d0e2c9f6fb5f9a818326e37149a58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
86KB

MD5
900a9cb32680358cba02fb09578b87a5

SHA1
4e8c5503e31dc30b737ceba063a4937ddd038219

SHA256
7a8a5d7fa394ebee32a9bc115b9aac60d1e3799137c118e844347ed6c349c6a0

SHA512
027c25115b0ed5f31b89c20ec2c1f2b547992da5ee2e2c5d58b80891a37a86f7a3cd177ca962969831fac7a141a18c259ed81fec4e41a3c510edaac0c75a0aa5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58ddd8.TMP
Filesize
83KB

MD5
e1fbb40a9712b9af9038c2c5f7e002ee

SHA1
e315d6c94b1607236b67c5a083ee8025d5eb400e

SHA256
b81f1a922b4aab8d49655f8f14f96febd33dc95cd3565a0b58d1e75eb69efafd

SHA512
34f38f639300426bae70990f23d4f1eec972cee707f2216ab146512467743e99afa34b6004153ce5f0c19af7d8bddcb2a6e7acfc35c3a2c2b0037bd9e6768529

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
91d3d080f0c7665744b76f32ce9a400d

SHA1
8ad9fe45b16ddcab43d8d9975055fc09a00c831a

SHA256
36af7903cc37ad07ec04e2552e1f791814491edf6e2926b0a937d595e5eb6c92

SHA512
134fb2ec14da7fed83d840c4e26e0a83f9a024f16da692c2b962deece790fee5e0136fa8b3dc635379724997de8600fc3eee77f8e51ac1511190fbde6a2198f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7915c5c12c884cc2fa03af40f3d2e49d

SHA1
d48085f85761cde9c287b0b70a918c7ce8008629

SHA256
e79d4b86d8cabd981d719da7f55e0540831df7fa0f8df5b19c0671137406c3da

SHA512
4c71eb6836546d4cfdb39cd84b6c44687b2c2dee31e2e658d12f809225cbd495f20ce69030bff1d80468605a3523d23b6dea166975cedae25b02a75479c3f217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9faad3e004614b187287bed750e56acc

SHA1
eeea3627a208df5a8cf627b0d39561167d272ac5

SHA256
64a60300c46447926ce44b48ce179d01eff3dba906b83b17e48db0c738ca38a9

SHA512
a7470fe359229c2932aa39417e1cd0dc47f351963cbb39f4026f3a2954e05e3238f3605e13c870c9fe24ae56a0d07e1a6943df0e891bdcd46fd9ae4b7a48ab90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\481a9a52-207e-481e-a044-23d6b5cde47e.tmp
Filesize
6KB

MD5
c2528bc4c7de1c1988d45a5f7bb86737

SHA1
bee5b26f4f1cce5eb48d20155c32c088060fb884

SHA256
2092ec9e11d49f6feb780a220f71ffb3966d407dc87a1cecb345f7939e94a096

SHA512
42e9ac92d2c9d14e3d73baa619c341b4e23acd1a4fee16eb637a3f04cbdae0a68079431830a2b7af316ae82a8f930cc6ae289b085732072107ce8fe0fd19b1a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
34KB

MD5
64af5e859cd411f58ba7ade44f5a8c26

SHA1
c1ccd85a8209e2bbb58c662f1b621d2cdf7d3565

SHA256
7d3be672a50529d4ed208efdb7a90fa467eea5adca9bf877e18b167a4511cc24

SHA512
61ec83ff7512bd438f0c7112111af73b1a6eedd1dbf515dfd19c41dc46e58ea4b998f0faee85e7fc75bbc2d142bbf6b337e52e76aec01f4c6725e9d733765240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
Filesize
32KB

MD5
e4898ff5704a23946677e8f700d465ce

SHA1
003ab77c21f053d89c8afb0eadedc62fcf7333e0

SHA256
fbff44e750cc795ad4887fbcc2bce7633844ec00e15fe31e586b795215972e68

SHA512
6f89a831f3c988a5e601ed6f99c2da6c6fa88c400a503a70a0b2c319b99c4fd4a8850aa7e2ebd3d3cbdf08ff29625430a3a947f97d92a632a54636423c1fe5d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
480B

MD5
f27066299493a995f9c08f1530aad6c2

SHA1
4112f96f48a40580d1f10760d46849391198d9a7

SHA256
8a5d829c0cb70183de0f5eeca8913a6dd01af12515cc5f877fc76c21cf1148d5

SHA512
3bc9519f873b659428cd0ef93b9414fad1b3d175a87b395fde0d8184495d610f19faa84e72e175e092ab5adc924e7ca636703ddc3a6530ac8d616e8e4be7395d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
ba61874802878c199a6cda74fd8f3458

SHA1
d8d1c1c37ef9e47636ab92bc1cafe5f01ff32b67

SHA256
36ea7a8cb452fa0f90d9afcdbb9381b23ee32cdfb577dbea105a5d838b101cec

SHA512
09279c6c9c6ff1e2371b8c28a98e15cdd6784cf8cb19d7c7ab011e58cf74053eee1233244926b560a8a54676760cf86e45d59e695eb6f5bfe413407f239ffa11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
f00ec8738d8ee7a5cf02225e005549c8

SHA1
0f9440ff80a48969da2bc12fc22741b46ac14d28

SHA256
004c95f017f5bd8fadf6b926fc2be7caf61e5b4887a6a9d7215a8a07961b1b7b

SHA512
436480fa700c4d197a76cd259557da8fc0cf7eecee03f3867945c23886e59bba2aff6c7f4c3f27502bc1b471515049a42e9a6f288e465c96c7c643dcc08aae73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
a2fe93bd6dd89603e5be7d0f927e4ac9

SHA1
2a913ac074eb53fce487bb623a3bfd3d55f561bc

SHA256
2ae9392e77627e5534e2b30283dd7b5a27973fdc34c6a002ad36dc993b5c5c72

SHA512
4e22a38f33c831e88a28a033fa574abccf03a60012ffbc4770fa3e97f0eab3f6355be6f70cb24c4d80631b61850b817f4bd22cfe16b05da149d450c3e98ea327

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
6d6ace7ff014168cf5427dbba114fde0

SHA1
d72e183268dbd27a819c7dde1496c81eae6ace31

SHA256
850cbc39330a8fac281c1a11d6a7e853fb4220020192c9f6fa92206f54b27486

SHA512
3b1a00d0dbf63ba87b72e6c5b387f78cf914f59c7465d94ac6b0749d1aac92ee737c3d2cfd9c74f56f7ed4ccf252d1c914aa0e1ac5a950e35666fa7b04b088b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
395789c42ba123c032e8808c101a958b

SHA1
f589d8d91c66f1f1e3ff07365de4d5bb36e2f150

SHA256
3f75d69ca635faa9c466a9ce8921eeb6184afcb1fe72bb86fc77f8359a288d47

SHA512
70de09091b6a28f1478b1b05cc0b7e584d2f6c3ef7e5f65156a348703542d516d557356d29b62fbcc6f6add9c7eaa80b35a1dcacace6c5b48759c36112cfe918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
1a063d27cec0d81b80e1e8a854d1e00b

SHA1
f054105e0a3a0a152a87cca2afaa39801d4a00b4

SHA256
5e2b8f1f4fadb85f5d94d1612c68d089f8383d696cc4a8a2eccb0b49158fc90a

SHA512
e04ae83825e05b88ca1ee27f86b29426e60d4009af0d1f841bd1a5527be1d7c7b415dcc1d5eb8215a0c60431d749725887625fad5b8239c6a752480aa161e69f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
370B

MD5
fc3415185606ef8c92ea686c9972768b

SHA1
15ee2fa567eb651a87e62853d37eb924f19331d5

SHA256
c9aca3205853171025f7fb42454a83cee12fa725c319650b9c2a50e2bfdb6544

SHA512
fa854e7053bfc72838b16e5e0e764c9d4f22770fea04e6eedde604a6325c6d724ab1d0bfdd1cbd1753387e809b9a7fa203b0119c62226876602030330a646263

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
370B

MD5
db05c6263b5ce318fde4b22f40441a9d

SHA1
c29d94274acfad6c94641297b1aa5d21863e6958

SHA256
83563f71e8c6264d96612e55af84e185c7e8ba2edf7059273ba5ef3c6416034a

SHA512
17a414d645bb840128ca46612eb7f60c8f25a701a24ea8649937d709b3925948219c1f02c2691a987dbb4928e7f50bf038ec36fc42d548bd194b89cc513f79d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5c1cc7.TMP
Filesize
370B

MD5
c1838a48034d9da0ccd292d44a7449ad

SHA1
0372df25afea10c2c217500efeab251bfd1b5a23

SHA256
444f1f63e82f81861e6dad1a47dd6c296d05e459c32ee6c57f1a79e58528c147

SHA512
00f96195b511f3af96849f80b762823a2e0734599e5d4312430130959ab15e53c44ac4a67d3ee226dcb6cc5d06eb2402ff09d5e38aedd2d28180068615fd72fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
1c876ce2976bf7141ce5bcd00be27458

SHA1
4aaa15bc9ffb204d99e1dc8b6280be7af3b4f26a

SHA256
9b5ffdad76f295218947b7d251301357f8483fa802e4fc7c210738a4c37f4a25

SHA512
ece88b17ee969a8562445df008ede6b8f0aef3abdf0fdc10440f5be95a29ca9effd1cb5ed80265e3ffba29bf776bc80a0afabdea85ce68ca8c6a0f399fb2b114

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
f51002c0fbd0a048cf8eb050113fb5fe

SHA1
4cf41a5420f123dd4dcef6664ef31744bcf3374b

SHA256
219915c3b7f9c17caa73b75cb8619a72764490b5a1e8b902560afd096a00658a

SHA512
768de73bd0d1c820808594f5405b629ee20bef98585bd1917b17fd02cb346586147554a7a94304215e2abb1ea92361e3038d46a46e456d9502becc65db7ee44f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\prbn7a8y.default-release\activity-stream.discovery_stream.json.tmp
Filesize
24KB

MD5
fa53fdbf4ea3f1a6f737ea8ddf27b34a

SHA1
6dbad79405522fc1b8c33bb7200c355438583564

SHA256
1207261b640bdd362a0d20e8eb90a9f7c9482cd374ab501074caf93e7c3d71d4

SHA512
aba7e064b7688d85859ac3c545f2398f04855f504b13fb4632cf0adbb2f567700ab473b7d9a2f56212a02b98dc63da9c5d59c770678ed2eb55918d75865eb393

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize
10KB

MD5
113d26c6d5bf518bf98f08c69313c555

SHA1
6a7f0c789d2772333899eda3b8c03ec765ec0570

SHA256
01e2576ea162b3f2759ccc3ef9819bcf76d672718c585519c89db04207f3e63c

SHA512
36e058803b10e4c9f6cdc5f47adf1522e197dfb3934d2b01d133f57485517677a91766624f36dfe8d3bf4461650f5a21d8fa7525468d9536b07765ddcd676d60

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize
10KB

MD5
bca013349ea9cbfeae8a6a2fcfc0a968

SHA1
e6e8031627dd6efee732345a879d37bb8f5bbb62

SHA256
72996bfeb0e86a9816bd2521deb29d43117b8ea2dd12e81e002222131a40b672

SHA512
6adc3a35c751ee3aec51ffc33c00113e5c795b7925ea31cd9f412b386a9e1fec54b89a665678ce891e6877f01f981aa5c1c19a24fc9ee8687e8b72a39b4478e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\prbn7a8y.default-release\logins-backup.json
Filesize
673B

MD5
b03464f086b280fa084601f1c73a1f77

SHA1
96482dc5444e10015fd065676464d5cf02185326

SHA256
c1cdb129892d24a24ef00af47d40f2614ddbf8355cbe9223e2133123e7da0c37

SHA512
6eb5ab10524312c02516f325e994c9c1a8667c6af480b41815e69c63f5c969c4a9b3d683d0f240fb6b47bf83d45fd47e5de646dfbae7e1f14cd376995cc74640

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\prbn7a8y.default-release\logins-backup.json
Filesize
673B

MD5
d4f350d5bab48af7b2ac0b790ab64c64

SHA1
7d10d10e6dede24eba7099c870b15aca7523e268

SHA256
a81bdbe5b7367eb9b581b9f14d2950a944243e07cba2e2e4949ef9dd48c98dba

SHA512
e91f7cfd8b0b7cbb42bbd75aa77cc2aded569ae7779362636e0d8a94fbd66e2832b52ab7496f3c0f9e4ba7aa411c5c70f164cde4478cc6fcc69ad199292715ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\prbn7a8y.default-release\prefs-1.js
Filesize
7KB

MD5
ad2286b2721bbc10218b707acfd0a890

SHA1
df360861e632800ae447bf6d2e0b2c6519d7a0a0

SHA256
e644f88113efb8a8f53a1163d23b9c6d3a6ef2e7f9cc39cceedb81e2c86e818c

SHA512
11f894dcc597d96be1e7c2a4dc262c21d13c8022045b085fd2d8afb36b6ff78af1413b1da42eb2cfc309a468967caf3a038d4d1e8be794bb183189198f2445bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\prbn7a8y.default-release\prefs-1.js
Filesize
6KB

MD5
e94ce20a59098deadb52549765f4ba36

SHA1
2e3f8d9f0a8a60259618ac1005e1c2e80f60bef7

SHA256
3a6b7fc82304764d978807f4019dd07bf58ad70275a02e60e33d913c97b9a0de

SHA512
3f10bbff5639b5992ac656b99f63a6fa179774908aeb2f340903fa446c9b0d0a830c686976f27de1930afdb3733c679c57c45ac20ef58543615618e8f3350f03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\prbn7a8y.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
d08dd40b7a8edc71609f682a41875d73

SHA1
37b308efa01753c9b7f42b71c38873b89096575b

SHA256
be34fbd88dc647c8eb127201dadf0916956144e0793512a9ef0ed14a6257b14b

SHA512
f08ce195adc5d259bc51063526bf39ed24ea5a53ba6c37e740c337e3df0cdae15cd52e5909f9870e78961998fdce9425ebc1d46db96b884e27a909da214b1911

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\prbn7a8y.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
9b6d136f663622e8ba944e7bceb2354f

SHA1
c4f3e8f6ccabe0ca5d534a1ff98cbc787695b2b7

SHA256
2a1a22a25991135bccb96db50a30ab3a299eb75deb2d7118fc5e114e1e60c20c

SHA512
611fc07176992f7ade9acf06ec02c3ca452abcd19b27798f949e0741890b6f15fff0d88b3e2a467180b8362e661a26f148f0e4ba877626ae5be9ac4005e02ee2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\prbn7a8y.default-release\sessionstore.jsonlz4
Filesize
5KB

MD5
2740d5bb4b683e83e4ebf2a2d43af5a3

SHA1
33a5ed1f7884e724776b99c6f37d13909167e4be

SHA256
b9b9695469e182120da0e68f8c6e6704cd542bb8e0af1ea43e42d17402afc3a5

SHA512
c1c9c04ae149f38d4a6406cf25625d40b896141939a571f9f318054a8289ced8f84334941e8eeea8e78d6cb11b67db27c8cd58f64b7a2717a18efbbbc72e329e

Download Submit
\??\pipe\crashpad_2292_VKBIWYWNRPTWGCUZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1716-891-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1716-893-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2272-907-0x000002319E9C0000-0x000002319E9C1000-memory.dmp

Filesize
4KB

Download
memory/2272-915-0x000002319E9C0000-0x000002319E9C1000-memory.dmp

Filesize
4KB

Download
memory/2272-913-0x000002319E9C0000-0x000002319E9C1000-memory.dmp

Filesize
4KB

Download
memory/2272-914-0x000002319E9C0000-0x000002319E9C1000-memory.dmp

Filesize
4KB

Download
memory/2272-916-0x000002319E9C0000-0x000002319E9C1000-memory.dmp

Filesize
4KB

Download
memory/2272-917-0x000002319E9C0000-0x000002319E9C1000-memory.dmp

Filesize
4KB

Download
memory/2272-918-0x000002319E9C0000-0x000002319E9C1000-memory.dmp

Filesize
4KB

Download
memory/2272-908-0x000002319E9C0000-0x000002319E9C1000-memory.dmp

Filesize
4KB

Download
memory/2272-909-0x000002319E9C0000-0x000002319E9C1000-memory.dmp

Filesize
4KB

Download
memory/4640-892-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4640-890-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4876-900-0x0000000008870000-0x0000000008871000-memory.dmp

Filesize
4KB

Download
memory/4876-894-0x0000000008870000-0x0000000008871000-memory.dmp

Filesize
4KB

Download
memory/4876-901-0x0000000008870000-0x0000000008871000-memory.dmp

Filesize
4KB

Download
memory/4876-902-0x0000000008870000-0x0000000008871000-memory.dmp

Filesize
4KB

Download
memory/4876-903-0x0000000008870000-0x0000000008871000-memory.dmp

Filesize
4KB

Download
memory/4876-906-0x0000000008870000-0x0000000008871000-memory.dmp

Filesize
4KB

Download
memory/4876-905-0x0000000008870000-0x0000000008871000-memory.dmp

Filesize
4KB

Download
memory/4876-896-0x0000000008870000-0x0000000008871000-memory.dmp

Filesize
4KB

Download
memory/4876-904-0x0000000008870000-0x0000000008871000-memory.dmp

Filesize
4KB

Download
memory/4876-895-0x0000000008870000-0x0000000008871000-memory.dmp

Filesize
4KB

Download