bumblebee | 8a345b6f2e1e723587b6156ad998dc7eafcaafc9c7380fcbc52c626f8388f328

Analysis

max time kernel
210s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2023 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Contract_02_21_Copy#55.zip
Size

909KB
MD5

902e24b235fe7408391f5a55565e30be
SHA1

49d79a3511857654dbc24a498404505d445e447e
SHA256

8a345b6f2e1e723587b6156ad998dc7eafcaafc9c7380fcbc52c626f8388f328
SHA512

a7504040e0898d29bef33f31172aa08c9f8069c927e50cc6a90d92876266e80b62bdb7b615905f658e9f297caf2b58b1fe0e50d63dbaf50a3ac900e1b76d75d9
SSDEEP

24576:OgmrD9eOq9Q0BPVabisQFOrpz2gz1vnBTlP27g:OLr5eOcxPmisQFOXRJ5Pgg

Score

10^/10

bumblebee 21maca persistence trojan

Malware Config

Extracted

Family

bumblebee

Botnet

21maca

108.62.141.20:443

104.168.140.145:443

51.68.145.171:443

108.62.118.170:443

192.119.72.133:443

23.108.57.201:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Executes dropped EXE 1 IoCs

pid	Process
1260	Contract_02_21_Copy#55.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1260	Contract_02_21_Copy#55.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133215440698732982"	chrome.exe

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0 = 76003100000000005656a7661000434f4e5452417e3100005e0009000400efbe5656a7665656a7662e000000d3e7010000000200000000000000000000000000000036565a0043006f006e00740072006100630074005f00300032005f00320031005f0043006f0070007900230035003500000018000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\SniffedFolderType = "Generic"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "11"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 820074001c004346534616003100000000005456e295120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe5456e29556568e662e0000008fe10100000001000000000000000000000000000000933b3b004100700070004400610074006100000042000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\NodeSlot = "12"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0 = 4e003100000000005656d266100054656d7000003a0009000400efbe5456e2955656d7662e000000a3e10100000001000000000000000000000000000000c1e80101540065006d007000000014000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe1000000020b727b95b45d9010f7c3a386345d9018875c7d1bc46d90114000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 50003100000000005456c09810004c6f63616c003c0009000400efbe5456e29556569c662e000000a2e1010000000100000000000000000000000000000002d040004c006f00630061006c00000014000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3636	chrome.exe
3636	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4768	7zG.exe
Token: 35	4768	7zG.exe
Token: SeSecurityPrivilege	4768	7zG.exe
Token: SeSecurityPrivilege	4768	7zG.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe
Token: SeShutdownPrivilege	3636	chrome.exe
Token: SeCreatePagefilePrivilege	3636	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4768	7zG.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe
3636	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 3568	3636	chrome.exe	91
PID 3636 wrote to memory of 3568	3636	chrome.exe	91
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 3648	3636	chrome.exe	92
PID 3636 wrote to memory of 672	3636	chrome.exe	93
PID 3636 wrote to memory of 672	3636	chrome.exe	93
PID 3636 wrote to memory of 4260	3636	chrome.exe	94
PID 3636 wrote to memory of 4260	3636	chrome.exe	94
PID 3636 wrote to memory of 4260	3636	chrome.exe	94
PID 3636 wrote to memory of 4260	3636	chrome.exe	94
PID 3636 wrote to memory of 4260	3636	chrome.exe	94
PID 3636 wrote to memory of 4260	3636	chrome.exe	94
PID 3636 wrote to memory of 4260	3636	chrome.exe	94
PID 3636 wrote to memory of 4260	3636	chrome.exe	94
PID 3636 wrote to memory of 4260	3636	chrome.exe	94
PID 3636 wrote to memory of 4260	3636	chrome.exe	94
PID 3636 wrote to memory of 4260	3636	chrome.exe	94
PID 3636 wrote to memory of 4260	3636	chrome.exe	94
PID 3636 wrote to memory of 4260	3636	chrome.exe	94
PID 3636 wrote to memory of 4260	3636	chrome.exe	94
PID 3636 wrote to memory of 4260	3636	chrome.exe	94
PID 3636 wrote to memory of 4260	3636	chrome.exe	94
PID 3636 wrote to memory of 4260	3636	chrome.exe	94
PID 3636 wrote to memory of 4260	3636	chrome.exe	94
PID 3636 wrote to memory of 4260	3636	chrome.exe	94
PID 3636 wrote to memory of 4260	3636	chrome.exe	94
PID 3636 wrote to memory of 4260	3636	chrome.exe	94
PID 3636 wrote to memory of 4260	3636	chrome.exe	94

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Contract_02_21_Copy#55.zip
1⤵
PID:1780

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4732

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Contract_02_21_Copy#55\" -spe -an -ai#7zMap8357:124:7zEvent1113
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4768

C:\Users\Admin\AppData\Local\Temp\Contract_02_21_Copy#55\Contract_02_21_Copy#55.exe
"C:\Users\Admin\AppData\Local\Temp\Contract_02_21_Copy#55\Contract_02_21_Copy#55.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtCreateThreadExHideFromDebugger
PID:1260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa2c239758,0x7ffa2c239768,0x7ffa2c239778
  2⤵
  PID:3568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 --field-trial-handle=1816,i,6413645231115870022,11393137190122603292,131072 /prefetch:2
  2⤵
  PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1816,i,6413645231115870022,11393137190122603292,131072 /prefetch:8
  2⤵
  PID:672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1816,i,6413645231115870022,11393137190122603292,131072 /prefetch:8
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3244 --field-trial-handle=1816,i,6413645231115870022,11393137190122603292,131072 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3268 --field-trial-handle=1816,i,6413645231115870022,11393137190122603292,131072 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4500 --field-trial-handle=1816,i,6413645231115870022,11393137190122603292,131072 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4740 --field-trial-handle=1816,i,6413645231115870022,11393137190122603292,131072 /prefetch:8
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 --field-trial-handle=1816,i,6413645231115870022,11393137190122603292,131072 /prefetch:8
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5072 --field-trial-handle=1816,i,6413645231115870022,11393137190122603292,131072 /prefetch:8
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1816,i,6413645231115870022,11393137190122603292,131072 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:4192
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff64dc37688,0x7ff64dc37698,0x7ff64dc376a8
    3⤵
    PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 --field-trial-handle=1816,i,6413645231115870022,11393137190122603292,131072 /prefetch:8
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5344 --field-trial-handle=1816,i,6413645231115870022,11393137190122603292,131072 /prefetch:1
  2⤵
  PID:728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3520 --field-trial-handle=1816,i,6413645231115870022,11393137190122603292,131072 /prefetch:8
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3480 --field-trial-handle=1816,i,6413645231115870022,11393137190122603292,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3768

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
1816bba70fc1594a6d321e586c594603

SHA1
986fed2dd0e3978268c07bfb433a7dd810e6ae9d

SHA256
ba391cba329f81e4635a12476d6d1353cafd9a2a42839be18eae6c6643d0216a

SHA512
1ec1aab832f28676446474b7909db25488f74205992abdc996648fdeb656920f9429dba22554a97842af887c6dc2e49797c353802b20ea359a965281bf9aca8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1008B

MD5
3516f35fd1fd68d03fdef90b22e3ee85

SHA1
bd4877b0452dc4321b0568e12caae24aa72f63b7

SHA256
aee69021d809d6358b4b3d275b08cb05187a808ab8f745185fb87c6029d22e1a

SHA512
97f62d92a7cadff5d8b8bb46a195ac8e43e7b481f891fb0217c7f8ec40ce1a055d4932efdeca236c61fb633b2ee7333db45f9a23034df428d033237b3beb8fdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
8dbefd30656561e2989c7a83e4abb2e8

SHA1
cbf4e14bc32197bcfff4c8bbc51f0207be14c24a

SHA256
4f7dc912afc707c00f6e8f9f1e2ae0c3047d9b38801cb7ddb28611a8f9899c5a

SHA512
70ff3095fae4ae38efe8c85a7c6316040f3f0c6af7d82b44750bb97b8e53b48f546e3c8da9b5b6cce5c339396af5a261aed1e23af3e279c5e6f2a434dc6ef8c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1b9149e627ee7446fbb51450b93b4386

SHA1
8264616209c03c51fe0573c163001bad4cb3d865

SHA256
56d1d516dfe95885e52acdc03d1909c6b183e4728c6981aba741debf67eb960e

SHA512
540d910d8c755de95742f443993d6dc73917222934e1a791b8faab6dab664d5a024e8ca7ec787cf27b3809214efb5d3f9f1f017f307dc5e7b088e56cf0f3f848

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9a22d1284f2ab8b5db9569b7f20d1ba9

SHA1
dc2d365216f845a862f40afcc24d698fe49efbb9

SHA256
0a5ed771849cc93724f934da56842be8eb1e845aff36c820e02bcc910507eae9

SHA512
4850bb2cdf6d622921f2794f9bd22d28a444c2b2ba4ce25b44f7a816cb7b6a4c4250aca6ab49921bad5782e3ed50b6cdcfffc54c59ca09289ffb8a681dee141b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
290ec62e2ebad65d7830eb365d148f14

SHA1
7b6985284e030749ac4c43f59d8afe7dd45532fe

SHA256
83bd3ab5cb48fe4c9ccf749353c760e3dbca1155ad912310993c513d54b32658

SHA512
3febc6158771602e44a9547c4e746cbce8bfcbfb57eb36187e342f6f6ad690e90f571ccca05d73f046f417496a6e1eae46560100e2fe40642f117dfbad681599

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a8a8da3f568c69865b8eb196b2a44f18

SHA1
27595303580c4ef399a9216e1166afb4c369a028

SHA256
88814f832cc0d20ff12b0c10a7eeee391a820c6d9d63d976bec38284344b7512

SHA512
a2174980633e255377aaa6c5e9f8d66fc6a18dbd2bee75f2fd6c0a05f53c8cb1eaf16de5ee47af2bf26b6b595c5b4872f8476d6e9b96b6893b6f1680d21305a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
302ccde05f23cffb074f1241923cd5aa

SHA1
8d05d5302d13f4e4fe777137bd9dce3b0e37ff22

SHA256
df65d80c6caebca895850fccf85b4e0bf2568237dbbf9fdc9587ac034f8840f5

SHA512
7ca077dbdc52f8c7d917a04e3843502bb7d055a7874a7bc744c81443b9a065dc389ea712177ec3c0e16180500b5e1ea9232704a47f9ab37ac4126377eed7c8c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
86645d75704e99814bc29f0749012c88

SHA1
44b400efd42f6458b4748a0b03044f66e66cafd5

SHA256
e4cf333e4dd36e443b67294c16b7da0e5cb90859794f5e563413e8589121599f

SHA512
b979f29ff1dd8be134f6ace25d980b1558cfb22c1488655e68cac3c579ef7e9b257bf64e9b87c321934a254f18a4ae0c2994d37ec033fed4c682a1d21d3ad70f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
8714cc6214233cc9f117195091bda317

SHA1
19aa803c46519a5fee37cfe56a35a60819b32b2b

SHA256
6ba48c65cb472d32156572ca1926a355dce198af280f6315c9db8ec3e71ccfe2

SHA512
240526be48932c8b3d03bb259fd749f4f7aeeedce5ee44db2d9f6d94ee540da1e4dce41cd922d6a9fceb0a46c2f70b86180fc8de21c761fda9075c1a0ad5b210

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
bd219871e482434b296e6587373bb4b8

SHA1
b7b0ebf36bc36bbade02cd5479818bcdb76e8d2a

SHA256
5f9ab24ce569960e6ec8f4c82ba946e1ce4847bb85e8585324334e8dff28373c

SHA512
74ebbacc9c634a1249dd275de237f80ec50f6e00ce01550c9a7d50d8c0ce8433791897957ee6baf7e15017c5805a2957082582d8816305c6f7ee07769083fbbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe591265.TMP

Filesize
48B

MD5
01794d5e7a9dd27952423f0bec3f6ac9

SHA1
1d4638844bc6b671011cbd3c3e2b78be3b49eb26

SHA256
4b3bf57f4ca1646ed87ad5579faaafbe594e18938076ad3668a76fd9593033d8

SHA512
21f1e162c6c20d0fa9ffc21fb3777c37fc81bc7ab0f961405833b873b75204731e5782946e05850e9f6cd386822185d2809218d41f92a46f398152d6d4f1f2cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
ff495e917fda0acb14ec3162c7c2af14

SHA1
4eaf0e4ba8ec429c0239255adbd8dd32fed57236

SHA256
b6228741d0a8f6c27137c3989b1c8b4f6ab8313d2fec3c9f87aca0fc2911f348

SHA512
a9a190f922692640d745c5fb619a0eee62d03cd2d8f7576c92181b67b4d217754b859b1bcb45275a1abe61c8b0777b700dda5490b4fbacf614a337a6c52a6dfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
140KB

MD5
029d8b866648c68f98605ae2559a5747

SHA1
43895c55cded4a369cf1d724aa49ad00c0b3e74d

SHA256
fd4bb7c43e688bd5dfea5fb84c5f975506e412fdde0f6fc539f15fd2374a84ab

SHA512
c900f794e78cb4076d3539be9d5aaf36c3c2150cfe7291b95b99f5f8bf37070e35cf1c6a0245d3d30734c434de0053b1322497138007174c57f70a2758ec1d94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
140KB

MD5
0ecd60b8897e8f51b45c06bdadefa595

SHA1
29beb00437f1ca133680d4d720289742c81e2bc9

SHA256
18d020b44423e36ff6ea8c92fa033b2b3f63de049b8e7a7beb2ad6e5c39a11ac

SHA512
43eca502f4c21f89c544fa034a3981454b4a81496766a0d6fdcedae4ddd4c849f7d73b57a0ec2ad7820dd993c16c6d2cba6e4e8f5a7d404caab419bc7e70e07b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
28KB

MD5
0016810ab5b8d95453074279a2e630f0

SHA1
1fbf3217154b84504210160b6c8bc16b656f81ed

SHA256
f2826ddb69282aa07569d81cc8a7949127215cbd19d344b9c9cf19a7d5399c73

SHA512
17584b5929920cfd1bde8e13d40e7b433f795bcee6d46d184780b3bb4d234d008b37c8ee2e49747ce924644b9739e8ee82cb374d70120e2eb958f5cf7d5fa72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Contract_02_21_Copy#55\Contract_02_21_Copy#55.exe

Filesize
1.4MB

MD5
cdb03be450c2adf39f3c046fa439ddb6

SHA1
71a68c9af50349af6189d7d65932838933c1f76d

SHA256
606e836b58f7865acb47d624e4406fe6ace29c708bb3dba98d351af19256277b

SHA512
bdb76e34cb61f3fe983eea76c68291a6e69fe2befc5b94bde8c7c783701dff91572581d6c58a09fb57993ee845bc5a8daebf39d68fcfb9bfc1aee038bdf619f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Contract_02_21_Copy#55\Contract_02_21_Copy#55.exe

Filesize
1.4MB

MD5
cdb03be450c2adf39f3c046fa439ddb6

SHA1
71a68c9af50349af6189d7d65932838933c1f76d

SHA256
606e836b58f7865acb47d624e4406fe6ace29c708bb3dba98d351af19256277b

SHA512
bdb76e34cb61f3fe983eea76c68291a6e69fe2befc5b94bde8c7c783701dff91572581d6c58a09fb57993ee845bc5a8daebf39d68fcfb9bfc1aee038bdf619f6

Download Submit
memory/1260-137-0x000001FC1DF80000-0x000001FC1E0E1000-memory.dmp

Filesize
1.4MB

Download
memory/1260-138-0x000001FC1DF80000-0x000001FC1E0E1000-memory.dmp

Filesize
1.4MB

Download
memory/1260-139-0x000001FC1DBA0000-0x000001FC1DC2B000-memory.dmp

Filesize
556KB

Download
memory/1260-140-0x000001FC1DF80000-0x000001FC1E0E1000-memory.dmp

Filesize
1.4MB

Download
memory/3160-168-0x00007FFA48500000-0x00007FFA48501000-memory.dmp

Filesize
4KB

Download
memory/3160-169-0x00007FFA48230000-0x00007FFA48231000-memory.dmp

Filesize
4KB

Download
memory/3648-144-0x00007FFA49850000-0x00007FFA49851000-memory.dmp

Filesize
4KB

Download