redline | hxxps://bit[.]ly/40EzzTq

Resubmissions

01/04/2023, 13:09

230401-qdr79sab75 10

01/04/2023, 13:05

230401-qbx1qsbe6t 3

Analysis

max time kernel
495s
max time network
465s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
01/04/2023, 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bit.ly/40EzzTq

Score

10^/10

redline @im_hilli infostealer persistence spyware

Malware Config

Extracted

Family

redline

Botnet

@im_HiLLi

37.220.87.8:42823

Attributes

auth_value
52bf9dde344e4860030827f790e28cca

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1051509822"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{69BA71E1-D08E-11ED-9346-7E4DEDD3F78C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1051509822"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31024283"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31024283"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000af653a432a26840a7b5ec4575ca9dcc000000000200000000001066000000010000200000009df764e5605bdb725404813b222b034680dfaa4e069cd5c945d4a451b3aba3b7000000000e8000000002000020000000d1bd610bd301e2d6bc922a9c48cb12d2fffcdd7dc8deeb8241cb02f44a8c982020000000facb56ca221c618d92934472b7695c8cd2413c2b1a618a22b3e51421419a671e40000000b34e5088c569ab360827d6d0eac9f2c2049769acd6ed7fb31de3fa2c0ec83aecdec984117ade148922e319186affd617d914dce45628fe7e2aa59b420cdd5ed4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e04e7d419b64d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000af653a432a26840a7b5ec4575ca9dcc00000000020000000000106600000001000020000000fb121f977a58533c9aee4fa2014b6d9f99a14146a5287ee39ba6e67e6f95bcfb000000000e8000000002000020000000b9bf3bf67b3e70c08ed64ec925b0a8409a511225750b38bde0f599c7e3599bd520000000d4c51a87dcfc1113570cd075bb68b9d136b6b4a8ad8512a60a65a36afc76e9f740000000ac1e4821b6a723ad1e54d82ec00208e44c97e1288e2590276dd6f6090868c3595914a3d74a09c0850a8d5c58c01ca338b39bf5b9773fe88b8af0e0fd9716788a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50e891419b64d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133248283831788604"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
5000	chrome.exe
5000	chrome.exe
4960	Setup.exe
4960	Setup.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
4400	Setup.exe
4400	Setup.exe
5296	chrome.exe
5296	chrome.exe
4316	taskmgr.exe
4316	taskmgr.exe
4316	taskmgr.exe
4316	taskmgr.exe
4316	taskmgr.exe
4316	taskmgr.exe
4316	taskmgr.exe
4316	taskmgr.exe
4316	taskmgr.exe
4316	taskmgr.exe
4316	taskmgr.exe
4316	taskmgr.exe
4316	taskmgr.exe
4316	taskmgr.exe
4316	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 53 IoCs

pid	Process
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5296	chrome.exe
5296	chrome.exe
5296	chrome.exe
5296	chrome.exe
5296	chrome.exe
5296	chrome.exe
5296	chrome.exe
5296	chrome.exe
5296	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3912	firefox.exe
Token: SeDebugPrivilege	3912	firefox.exe
Token: SeDebugPrivilege	3912	firefox.exe
Token: SeDebugPrivilege	3912	firefox.exe
Token: SeDebugPrivilege	3912	firefox.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3460	iexplore.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe
5776	taskmgr.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3460	iexplore.exe
3460	iexplore.exe
3416	IEXPLORE.EXE
3416	IEXPLORE.EXE
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
3912	firefox.exe
5428	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 3416	3460	iexplore.exe	66
PID 3460 wrote to memory of 3416	3460	iexplore.exe	66
PID 3460 wrote to memory of 3416	3460	iexplore.exe	66
PID 3972 wrote to memory of 3912	3972	firefox.exe	69
PID 3972 wrote to memory of 3912	3972	firefox.exe	69
PID 3972 wrote to memory of 3912	3972	firefox.exe	69
PID 3972 wrote to memory of 3912	3972	firefox.exe	69
PID 3972 wrote to memory of 3912	3972	firefox.exe	69
PID 3972 wrote to memory of 3912	3972	firefox.exe	69
PID 3972 wrote to memory of 3912	3972	firefox.exe	69
PID 3972 wrote to memory of 3912	3972	firefox.exe	69
PID 3972 wrote to memory of 3912	3972	firefox.exe	69
PID 3972 wrote to memory of 3912	3972	firefox.exe	69
PID 3972 wrote to memory of 3912	3972	firefox.exe	69
PID 3912 wrote to memory of 1108	3912	firefox.exe	70
PID 3912 wrote to memory of 1108	3912	firefox.exe	70
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71
PID 3912 wrote to memory of 4844	3912	firefox.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/40EzzTq
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3460 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3416

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3912.0.1156269678\923424315" -parentBuildID 20221007134813 -prefsHandle 1636 -prefMapHandle 1628 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {43cd5c15-a852-4da9-a4a1-b8f96c066787} 3912 "\\.\pipe\gecko-crash-server-pipe.3912" 1716 28c7e7efb58 gpu
    3⤵
    PID:1108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3912.1.959478117\1448650650" -parentBuildID 20221007134813 -prefsHandle 2040 -prefMapHandle 2036 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9b49114-9bcc-4001-ad43-bd22512360b9} 3912 "\\.\pipe\gecko-crash-server-pipe.3912" 2056 28c7e70e558 socket
    3⤵
    - Checks processor information in registry
    PID:4844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3912.2.2023293445\1777795015" -childID 1 -isForBrowser -prefsHandle 2848 -prefMapHandle 2428 -prefsLen 21052 -prefMapSize 232675 -jsInitHandle 1348 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdeb006d-9e78-4bc1-802b-1914c6012c5e} 3912 "\\.\pipe\gecko-crash-server-pipe.3912" 2860 28c02a48f58 tab
    3⤵
    PID:4308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3912.3.2015051323\754218654" -childID 2 -isForBrowser -prefsHandle 3240 -prefMapHandle 3236 -prefsLen 21158 -prefMapSize 232675 -jsInitHandle 1348 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94d8c1d4-e76c-4682-bac3-e33aafd7466c} 3912 "\\.\pipe\gecko-crash-server-pipe.3912" 3252 28c7fe16d58 tab
    3⤵
    PID:1492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3912.4.1164504902\1793528004" -childID 3 -isForBrowser -prefsHandle 3384 -prefMapHandle 3388 -prefsLen 21158 -prefMapSize 232675 -jsInitHandle 1348 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {56280b7d-ea90-49ea-8c40-4d2869ebc9fd} 3912 "\\.\pipe\gecko-crash-server-pipe.3912" 3372 28c7fe18258 tab
    3⤵
    PID:5116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3912.5.523183733\444160480" -childID 4 -isForBrowser -prefsHandle 3528 -prefMapHandle 3532 -prefsLen 21158 -prefMapSize 232675 -jsInitHandle 1348 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb761728-cfbc-494d-a8e4-241ad85ecc58} 3912 "\\.\pipe\gecko-crash-server-pipe.3912" 3520 28c7fecd558 tab
    3⤵
    PID:4192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3912.6.1498429987\1561758779" -childID 5 -isForBrowser -prefsHandle 4452 -prefMapHandle 4448 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1348 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {45c39cf5-9925-45c3-a35e-390bf8664a8d} 3912 "\\.\pipe\gecko-crash-server-pipe.3912" 4464 28c0415d558 tab
    3⤵
    PID:1652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3912.7.955875647\1770308246" -childID 6 -isForBrowser -prefsHandle 5396 -prefMapHandle 5392 -prefsLen 27063 -prefMapSize 232675 -jsInitHandle 1348 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {939c03cf-44f8-4f7a-b5d1-07192a5fe745} 3912 "\\.\pipe\gecko-crash-server-pipe.3912" 5404 28c03a0c758 tab
    3⤵
    PID:2804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3912.8.722738340\1593032148" -childID 7 -isForBrowser -prefsHandle 5432 -prefMapHandle 5436 -prefsLen 27063 -prefMapSize 232675 -jsInitHandle 1348 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1cbef9b-be40-4a6d-9319-db053bd74275} 3912 "\\.\pipe\gecko-crash-server-pipe.3912" 5424 28c03a0dc58 tab
    3⤵
    PID:3932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3912.9.1168994596\903373215" -childID 8 -isForBrowser -prefsHandle 5116 -prefMapHandle 3264 -prefsLen 27063 -prefMapSize 232675 -jsInitHandle 1348 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d89fc76-cbb2-411a-ae54-d93d4d64867c} 3912 "\\.\pipe\gecko-crash-server-pipe.3912" 3768 28c059ca958 tab
    3⤵
    PID:2608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ffe67499758,0x7ffe67499768,0x7ffe67499778
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1660 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:8
  2⤵
  PID:784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1560 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:2
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2924 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2536 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4444 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:8
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4448 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2968 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3720 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5200 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5404 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5624 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5800 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=6264 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6520 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=6396 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=7104 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7108 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:8
  2⤵
  PID:5316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=7320 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:5648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=7652 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=7664 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:5688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=7988 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:5892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6788 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:6084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=7928 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8340 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7760 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:8
  2⤵
  PID:5412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=7808 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=7748 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=8348 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=6944 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=5188 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=4996 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8564 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:8
  2⤵
  PID:5592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=3108 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=8660 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=8744 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=8924 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=9100 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:6008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=9232 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:5824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=8652 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:6080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=8756 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:5456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=9696 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9700 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:8
  2⤵
  PID:5664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=8760 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=2404 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=5104 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=8596 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=8340 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=8740 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=6960 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=10268 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=10296 --field-trial-handle=1708,i,7297117112814110196,11337228560365541303,131072 /prefetch:1
  2⤵
  PID:5952

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3956

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5428

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\Temp1_Setupp zip.zip\Setupp zip\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Setupp zip.zip\Setupp zip\Setup.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4960

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Setupp zip.zip\Setupp zip\data\remote_settings.ini
1⤵
PID:5948

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Setupp zip.zip\Setupp zip\data\debug.txt
1⤵
PID:3472

C:\Users\Admin\Desktop\Setup.exe
"C:\Users\Admin\Desktop\Setup.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4400

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:5776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:5296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe67499758,0x7ffe67499768,0x7ffe67499778
  2⤵
  PID:5936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 --field-trial-handle=1600,i,836001244567153991,3303297973269298920,131072 /prefetch:8
  2⤵
  PID:320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1776 --field-trial-handle=1600,i,836001244567153991,3303297973269298920,131072 /prefetch:8
  2⤵
  PID:5240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1600,i,836001244567153991,3303297973269298920,131072 /prefetch:2
  2⤵
  PID:5144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1600,i,836001244567153991,3303297973269298920,131072 /prefetch:1
  2⤵
  PID:372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1600,i,836001244567153991,3303297973269298920,131072 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4352 --field-trial-handle=1600,i,836001244567153991,3303297973269298920,131072 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4516 --field-trial-handle=1600,i,836001244567153991,3303297973269298920,131072 /prefetch:8
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4684 --field-trial-handle=1600,i,836001244567153991,3303297973269298920,131072 /prefetch:8
  2⤵
  PID:5880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1600,i,836001244567153991,3303297973269298920,131072 /prefetch:8
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4904 --field-trial-handle=1600,i,836001244567153991,3303297973269298920,131072 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3824 --field-trial-handle=1600,i,836001244567153991,3303297973269298920,131072 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5000 --field-trial-handle=1600,i,836001244567153991,3303297973269298920,131072 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4324 --field-trial-handle=1600,i,836001244567153991,3303297973269298920,131072 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3384 --field-trial-handle=1600,i,836001244567153991,3303297973269298920,131072 /prefetch:8
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2620 --field-trial-handle=1600,i,836001244567153991,3303297973269298920,131072 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1516 --field-trial-handle=1600,i,836001244567153991,3303297973269298920,131072 /prefetch:1
  2⤵
  PID:5820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5124 --field-trial-handle=1600,i,836001244567153991,3303297973269298920,131072 /prefetch:8
  2⤵
  PID:5356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5280 --field-trial-handle=1600,i,836001244567153991,3303297973269298920,131072 /prefetch:8
  2⤵
  PID:3152

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1196

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:4316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4B5D13373CB01D33583B2C5C1F66CF20

Filesize
503B

MD5
e1b03692ee0779c8238d4b7daa4aa7e8

SHA1
8b1e5f5775d8f45467cdb04e44ca8fa82de01bce

SHA256
ed6084c57c9a62131a0ca4ba269534534df83d0a291fd52256a1953e27e29b6d

SHA512
51af765815e849569d17616b1e4dc726654c576b59dacdb1a7715631d07c49d3d634a1738e4fa4de5afc7bf90f3c288976953ddd2fa2844e3ee9959d8be69081

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
c5f20d91cc08608a86cdf45c1e06e8b5

SHA1
c0fce1c4a306dc0bf372ed0907cf8b7f4a2d4d37

SHA256
48506ee2253275198c9205a541e4fc2a20a31c359ad3206550a678d1cc267a95

SHA512
3f2a0dff529fab989e0afaf3c4c43f9d1f847f8569006f5afa3ea50245e364b363fd2d8b6c9dfa8837d8cf59c1a56ec41f03f0ff6acb82e5df9980c0be3e3da6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
7a6ba0e3f1266fc93d849c97c5e0b6e5

SHA1
6e3426cbe97120f834e0d048625e6ee958db35c6

SHA256
272b3a57cb79a912415bf0827753a1266fb090775369852072da5203f09a24f3

SHA512
1710a1f9388a5599077b828dba4c22ea406b1502ebc2d852770c6bd690b9ec99db8084328acd46df8d09a0169f0cbf89217dad4af460a77bfac5386a0c4fc243

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4B5D13373CB01D33583B2C5C1F66CF20

Filesize
548B

MD5
fa41114ad80c6350a770c2eaa75b3527

SHA1
19903dfe2825e8df55af08f67162ab7e582e8d79

SHA256
12c1562e3a92d552dd3a0131d802d888cf450f62dadfced154e115529c59118f

SHA512
84e6c0c4c44294d7f0abf9efa16de1ce81b49843dc864c930413095b45cda76ff788a634d8e3a2b1a9648d82ccc0e7ac6854add60635b634cb8909ed9bcbe18f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
39869324f790cc09fc4928ce31438776

SHA1
3ccc8c8730f9a07bd6284138f2752fd312119558

SHA256
426453e960789b10967b82483f7007df3260a113a544ca44a6dcb4ec6e668635

SHA512
357ed8c01961d638cd303c55e26ee107a609a1c4876119640ef7311a728ffafe245914aa6749fe97a43276d749c618accabd0e721b0c8058008b94f8c15f8025

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\2b77bedb-3e85-4402-9d4f-a75e6e4266db.tmp

Filesize
173KB

MD5
55e8d8e26757c8afddf01a5f4bf8a60f

SHA1
e2a4d8fdf675e56bf9135a56f293360edc15c1a3

SHA256
19e65abfb91aca8ed944a500e760f4749d44a50fe1cfda7fffae888ae941865b

SHA512
118121c6bedf6264ab39e7d7b4941a878e6ace9d82e819268c8bbc50007bfcfb77e0d5ae7ff3289101934059190cb17214b6a026b9c868f716a0ad791c5a683b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
5a8ecfb2661ff9e15e20f4efc7baa704

SHA1
2dda545f20156c55351e70c38234c2a2f5d559f9

SHA256
74417d0527faf935f9199a51acf01f09f7151db5ef3bb3856ee8483febf407a2

SHA512
22ce9cb31df4c2c1309e0c8f7fee386b61bfe209ae1cf3fd4ffb711bd6dedbbe5edfb7c5285162b629a30aacccf92229801d2fe748145f12322fd4076e56bbbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\3b1e0802-4900-49d5-afe8-359f79e29610.tmp

Filesize
6KB

MD5
296750ee1109adeb0f848529a977ddeb

SHA1
d1030b22f1f24f8bf03e5b8b1b32d20d3f267d92

SHA256
a48ab8708c4804951b3ef4499eff1dab9c52edc7e771dc26d4936faf35679b23

SHA512
1695f3e6e3db01495490e93eb1e9e1ec85f3b87da8d4c800f29bbc6dd11ccc65a86554487b2599f50e2c6e0dd3599e45a85369b3515f9f5cd11030dc9b9d2396

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
43KB

MD5
c56654342fb424b87b88941ca364dca1

SHA1
26bac3d5219f6b24cf4950301709b3f91b5ebf2c

SHA256
a04c410c0eae6c5a4caa878497127d218af36d12e266a783dbe84b55e590b004

SHA512
794fb7d9d51c23f64610e339cb63d616deb6a965e2d07764c63c5d159d8af21b0aad50dac4b611c33f6ab5b5d065a64005b5f832b25b979ae171e6dcf0840591

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
72KB

MD5
7e4bf543f462ada712619f31fd56f3d9

SHA1
1d74298b2ba00b1d0e14ed7f8af592c0fa202353

SHA256
f9f48ecb24b4c59bbf028f34ad58321ae854d9b0e36830443200bd0d28a3421c

SHA512
48e91120b2e9ece1e25643f98450d293c2cc00cf440edde8facd86ba094e3dc9a201c3c08a8b290e57c7eb2b62007009012b2ed20ab03f1234765a72c7640339

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
77KB

MD5
57054ccba30c2dedde9b6139f72bf37e

SHA1
04d436872be1c702db70b33b56b97b9daa17ec48

SHA256
c4808b176fc686e19da8d088b99f9e607ea2a9040f736397343f8b35e0fc6511

SHA512
615341c2a5eb20bb491996b5a16685a1b11294c3db87d49a33f8a2162a94bc9bd1d529e8d57a8c28232a1154b2cce4b044b089954795a2855621693c2e5c9523

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
26KB

MD5
f5c35afdc4667e143d5e067484dcab4d

SHA1
e2160be32a7cef7630353fa6ef104bf891209e0f

SHA256
0e4a9f41b76ce8f39578ca9a1b66424d72085a36792a4a35b28cec9f24fe255b

SHA512
9e872dd9b90a3ecefd13e1d49bfd189bc6f7906cae0089d2a9bb3c633e3beeb83d479661fefd1444a62d86f6c652bbd2b4b5630cb4e39c0e0535d265fe9c3b86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
21KB

MD5
660c3b546f2a131de50b69b91f26c636

SHA1
70f80e7f10e1dd9180efe191ce92d28296ec9035

SHA256
fd91362b7111a0dcc85ef6bd9bc776881c7428f8631d5a32725711dce678bff9

SHA512
6be1e881fbb4a112440883aecb232c1afc28d0f247276ef3285b17b925ea0a5d3bac8eac6db906fc6ac64a4192dd740f5743ba62ba36d8204ff3e8669b123db2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
19KB

MD5
ca7fbbfd120e3e329633044190bbf134

SHA1
d17f81e03dd827554ddd207ea081fb46b3415445

SHA256
847004cefb32f85a9cc16b0b1eb77529ff5753680c145bfcb23f651d214737db

SHA512
ab85f774403008f9f493e5988a66c4f325cbcfcb9205cc3ca23b87d8a99c0e68b9aaa1bf7625b4f191dd557b78ef26bb51fe1c75e95debf236f39d9ed1b4a59f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
74KB

MD5
6393931cd47074e2eef3ac09591bcb9c

SHA1
ba5da37b38258064f541cdd05054a62082c6f8b5

SHA256
0a8f04752ba662af544243813698b2a75b1313a10b3e6940fd4843eea782b051

SHA512
9c91ba1a96d06a8305acf76b997d36a3a18a091b1ea1cfd91e6157391e2ef8f64133745a6d9dc6c8878ecfde90ee319be0afe30b5366b1e61d7c36e4a2cdfb29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
133KB

MD5
671233719267b1139c3d46425c71b9b3

SHA1
be146b13878863012699adc66bbbf90c2ddbeb60

SHA256
470a8f7bd9f03807cadadc6e51b8f107b0628e781ef2c56b16fae4ac04e8efad

SHA512
40a2865b2f562f08c3ca22b5d193eab3ca76c6c73a3e401f18d347bf9e218070ba91fd418b38b2df1ea57cac633e3eb40588ef3770f3820074128d75b36631ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016

Filesize
48KB

MD5
1e7768364a8db1e88535d1ca1ee9cd6b

SHA1
90d26fec8305c95cc5f6fa4b2398456d88627570

SHA256
eb24872de47889683879df871844b6468d59bb8126f106189b44bbe305853a0a

SHA512
a47fa27c6b7fe18bb7e82ce09f30d3cebc32a8cd63da4ca822ceeb1ac90569bf64e66632367673c1da9e3983c330f26a6edd7696e5e6e1814cfedef017d0fa19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f

Filesize
60KB

MD5
b43fece5950b01be084450405682f466

SHA1
2ab48d8350dc63d893f847416968d52f92c824cd

SHA256
8d90740f613a26909ff9b7d37e357e91e46803259bb656fe847fcd28feb9ff03

SHA512
46d83c3168637e136d6e3d149cf42712ec798fa77e0ee31807366693afd6ee5461fd3c64b11306f7e27a5e6959624634eb9263585bb2069829eb44dcbed51342

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00005b

Filesize
162KB

MD5
b81d6636c3ad72c63e532e5180eaf7f9

SHA1
ddcd059999fff6218e98af62dbe3fa9c885a0de8

SHA256
2fb4351c49b47b7cdaa9516237a8b1e690e4448339d09d70a84c658729e461ef

SHA512
4f0b87bbf60061a8efca4906554f958b7c28cf582452e01a8316d8c5ea8c98beda6c3230afff207f0b92d316c4c2e0ca1b4631e7d7364344b4a76394115af06b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
15817028c491b68c2903734192482229

SHA1
c95a3cde11dfdeda7b1277c9843db0005e82cd98

SHA256
7b7c9fc7feefcd4a62dc9a252a73500790180356faf538757c7fcc5635c4b087

SHA512
6a1d367064b3f9efa1ce19ff852bebb624972498a5609b6babb67cf513615d77e3dffd4a369057f2135581a5e531012c8426a7ed2709993701a93deee953eb56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a70a9816e6a6e3c2a54067e13e7a827b

SHA1
ba036741df46b3a1734dd0402b9099e3610b8422

SHA256
9d0360d88a822d78424fe8c639cbd8fb81aeac740c2b2d50b630867e4e3fab75

SHA512
f0e9c2919658c87d5c3fcc3e38ce45aedfc334474afb74c898d02364e0cc2ec4e07ebb7b808c4d1adb9da247dc2bc153620a206641895c46ae3d210d99958b83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
c70a6af3aea546204790a873bc50780d

SHA1
86ebf36492d7cdf8497de623cb461fb24ee3b664

SHA256
9ed5cd9d97c5952d35c30a918b84d9113aab63a205de243a1308e9f24921a97e

SHA512
20bee7d3de310fc878a77070265deec8b4056e10fd7eca1914f1cafacabe83cbad4dcccd949d8e4471633606050399483dfc961f86ca342239554556a6c5639d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\565e12a9-ac02-4227-8004-793a4ee8a71c.tmp

Filesize
5KB

MD5
bc1fecab9ce89a56537bcfab8a81aa60

SHA1
070dac944fb2d4c5f15559c6dfa64d6f86436dab

SHA256
1845b4bff429411318783ce1f14ae245e53114e4f5043bb034c5b2193baf70bc

SHA512
3738d6ee0616790c0d5a5d9720619bfe7970f794178eac471633864d1749b31b8002d68126b5a9cc27ca37001863e5c63da5e312aff60c6b771c0111d11e5a6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\6e43eabe-243f-43f8-8fdf-3b09725b5755.tmp

Filesize
16KB

MD5
4f1cce2b6c3fc72e4e8f7a7afeca30bd

SHA1
320899a53084c9ab95beca26cc1c4f41ca5d776f

SHA256
3b62ce4382df5de1d7de6302a2004045e2badd39aa1dcde6dd58b4fd4f5b3ef5

SHA512
b1bf3232095529667f1d0fecf62a3706c3da1827f518eef476a79c6f2d4fdfb00e0378642cb3a8bf18dbcad15560774eea279aa40e526a1abce0c0baaf0a5f3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
14KB

MD5
1b58560ceac63820de3930d0a24dc670

SHA1
0ad67e7fae5e16138e54f15dc1faeacdd4196776

SHA256
604ef4372f2ee74554e5fed5e9a34ebaa9e1288229df1b6d9bf80e6e8bf32533

SHA512
01cc818f87c09461439511578a5128533959ca195f0a88e22584e35ba161b6de5fef85e5a33ebf6736968ac1bb0024423d627d39cb357fa5713e26df9f42e8fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
15KB

MD5
fd32921ef74f78de443ab1bd397c6317

SHA1
b2867c4906f3f4eb88a0e68a5185cdbe12647b1e

SHA256
3f32240e01d1aec1791db092aa2379bb948faef214da5301c8b42662a56971a1

SHA512
a43f8c7f7fbf1bbe1fcc8f42c5b90db812c815aa7f5855c0846105553dd81e61d35fd72410eb8a0a4c9424dd68f9ef4df22ef26e475625eaeab2093c4484c86b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
491bdd534791558bfa0c72a56ded1644

SHA1
e37d0144281541d22a83924d99d72c5f5da4f95b

SHA256
f1c144f3c6ddf64d8a94c83adcf898225a650594ba621e25df5e7dce20056413

SHA512
542a5c6b236f1314f33641aa304144acc85ffab0d8ef8cd74551e537666715f46f742439caae0514377df1b813b18ae518e686912bb3783854685a2fff266bc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
639a06b9de7a774d22b4c832842590c2

SHA1
d71bec1eda6eb491df92b51bafd226a7dcd461d7

SHA256
d9db47684000c807a58d4a05e7f7f941c673c41386d9338e1e174a1167004340

SHA512
afcfdf92e5f174367214225a50db7a33378672a20f60c61f1e79bb20a4091525a0b3469c1101642f7ea47d6f58f3d46d58a10ac7bd98e9109b0e28c6e7aafffc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
f823590ca16f3afee0c5ba5ec8fafe33

SHA1
b06310bc21bd3c692fc18ed6d308ab500fb7ce9a

SHA256
74b90c38259758b973707a68138315f2501f44cb74e9858aefba738cd59b80ed

SHA512
bc0dbd259740aa6cdc6071576a07f14f328f4249f1e5d0242eecee8612bebb50e75eb61358e3852321d64d7e0455eb2eb045553013925a9cac840eef746b41a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
02b59deaad6da2a73fc7e9519d2369ff

SHA1
7d72ccc21cb6c678b24bc255d5596564a24faf0f

SHA256
c56f482bbfbb2a7079bde54269011a6e8656370597fcde6472a14e354fc672bd

SHA512
5fcd02914124448fb652ad31057ef9919ad1a1e4b8ba22256eba545f7dbb47bad0d8d8669ae728b33eb614b038a3619f5b2b43c1d094020b1990dd23f19800f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
339de12bf71676ad65271a0013aee40a

SHA1
dc24934704bc34b4cd8225e3ff8b8e45e5319f15

SHA256
cd9b50f03415c3a9646ba6714f0a4ca8f60ad2de4550611a0b451ddfbbab9c81

SHA512
c0f14e704c44704e89f87c3eb05b279896d768f554c33898d43bd24df76b249189d8eab5139c147b7b8766e89c4cb8e8b8b25ac6be185532d01e7a12d1237bf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
504b1a18afe11ad05b902226a97f8d21

SHA1
a070b7699fe712342dc27d4552b9da1b80fd99e7

SHA256
654dce23f40c8b059499056eac1596a1c29ba8d822e7690d4bf7d40d20c75973

SHA512
3d5445bb6001a446f8a0a64d49bd91e5ea6c2779c3a76da4ae5b325b052ecc016270105c297dab7c48e3608df8ea16810478f03de29a588b9a426c6f24e67698

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0d9d30290b9eac08840d356f401b5435

SHA1
6634da4de10444e9aadc76bfc029dc6b122d5497

SHA256
1f29559e66dcb2ff00be5894852237606662c83e0f4514015c866e13f41af958

SHA512
f625b5b71c573c1dc2a3f042353636d1bf5b9cd19fc1a15c23241054f267ed4544c1b9d7211b13bea6225afc3fbf96a263cebb425a6d63851cee740f38b0679e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
adb37e1f6986376f60dee536ade3f217

SHA1
4f74d67463d127197594ff790dc4227f8700f08b

SHA256
c6829d78ec7d6373cb4190fa849e5ec0f9c072f3a2539a8858b14e85ff7454f6

SHA512
5f1e519d09a793e3f5d27fdd47b136e3a65c7f8889bfe52d348fee9575bacb3312e148bbc35bc8a50e131cb21aaeb935117868b5b6c2b36673ca3e697eb77d56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
52e18edd4f0b9c01b4593cfbe21cd8a7

SHA1
13eadd731fdcc6d17bd9f8eafaa4473b996b7dd5

SHA256
8ffab57799ca5f094d8e167adac1a33d9b9a4f111d848a4112f03e6a6c65b2ca

SHA512
eda913d0227b416f365c0728c0ff11df7323fb7c7ac6da54d46366904f9db5c4b669156368d93f5bf7fe2c6f6305f08815fe316111b9be00002470702be7ece5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d79d13b430aa9b53ba6145a1eb404ec5

SHA1
5cb6a73942b0b676df4a1d5015ed888e329f44e6

SHA256
5a51be4e3dda7cef3e7a372ae2307eb45c970c0b9a9dab8e9e9627ffa1f077fb

SHA512
02c995db41cd00e60b45f581403abd82939cabb97c529e65e88ce0e30fc7a258acaf501363c84db743fd0fa152e0b3d36dcef2869826fb879699d68c010baca5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
25e77f143c95c1420c35664c3dff7ca4

SHA1
3dd0bca084fded12d982ce4853a3bf2ecdc549e2

SHA256
c53dde9b83eeaef16a3f6dac0dd50f2fdd07fcf883eef570fe3f1f1a39d6a9f1

SHA512
8ffc8064d4f9315436a0be788a888a367ed5715c0de967a2553eaa18c9c4de9be0b64bb8f310010e19365ebe232267bcfd12d94adc9da071f38d3304efc77327

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ad4f2d738bb8ea2dbf5e6243a4064934

SHA1
77ba36f8d18ba4a685ade8176f000b01dd506101

SHA256
d8e43451e225e282db25e2592b369e831dd72c6b5303bdb43666bc611d3b350c

SHA512
59d527bf0ed85d30bd277765946c92662fbda4b121c0402b68753e6360dffc0899731342af2797bc82200a40c01cf0369c8ed2b61335054d438215bfac8ac634

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3647c7163fdaf1061f33a4d57cfe338b

SHA1
388b7ef226d75bcaa613ddd46365b5018cedea42

SHA256
d81d3e89f51a115640f9a501f0c3f8635a5dd9709d618147251ec94d79e4e525

SHA512
c3457c10189de2398bd4c7bfb47e3cce752c4acb27ed34b7422b406f7586980ce0d0e93e50debd8b86baa37cb7fbee8ec21366a443d58eb5bcdb6a28b6f5a375

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
edf5339e09bd93ccbecec956cd50f005

SHA1
f563bca6e2b069ec934793894c7e50b2038c6f7c

SHA256
6a482686aa7ee3b7f18108ac10c3bc4bf7c0974cd1cf606b8050c98e4c27801d

SHA512
81a5c2ef0997214b0b51d4e65b8debffc8d555cd10f16a1feda2fbd9e7c0fb5e037afcc84e1a6ddce89fad5191ec1d3bc5c0d6c50cfe7339e806a5d060da8208

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
48B

MD5
470e3dba03d689061dfa621ebf125d6f

SHA1
577d635acd7a3ae7f802bd10cd46bcb0f617ddce

SHA256
47e704481fa90578374a5c7e21d77d335d906d590aecdef8a083b7fcfe8fbb15

SHA512
82734c4cd58e4d822ab984b7c2fe71781a2314a42353edf78021c4a8cc3e57590db368a53dd26f02c96c37f8fcc39fc72f9c5f15c61476f51cbbdd374c4495b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
319184213b284b88d5040c0a157cace1

SHA1
3feeadeb7fe4e21213af92aeafceb840d26c0160

SHA256
6b20fb757422d7903895a7a4c046ae9110497ebc1c5432c956aa9df9c22ac547

SHA512
b0cf41354dea55cc9393acaab66ad2b8edd92a477f7a4f5f695b19a8030f5b0746c553050378ee3ee8012f7b386a1b850622c9b1b131df0169279b310e20bc2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
105KB

MD5
e774a58cc110686307765a4bc9e56546

SHA1
07188c652f20c00e6a4ce01187f74faae6ec12c0

SHA256
9caa23d34df55c5e077bb101b54f6e4ad05b6d482324b88caccb519a933cc231

SHA512
1167b282bdda210c44b407a89bde5b0ffe4a9c39970e20f43dd8ea329423e5261d79773105acf09bde6b028c96ba15a90742a40b7ff5d967eefe2a51409798cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
e1df52adcf1ac42500a0d8be98f65a94

SHA1
36c0d5aef0b9e45708282b41ea15885f2196619a

SHA256
c12b48d03943e282a1afc1fe40d561d1a42a84e519a7f1c968ff860d5fcbcbfe

SHA512
a8cab5d2cfbef52c1e02cae7e0e4b41be30e5965e89bd12ac4a6a670e69cedab53bdaff4af12a4fef6877feff750a8a866e47d699414266835bfe32a9ef5eede

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
105KB

MD5
116fd07cadaa3c9e29bb8f48cd000fe1

SHA1
4275dbddebaf848e907bf5f951e6af8362d701ba

SHA256
ae7b0d0ab5681294f73ce13c02a245093faa8fd508f361c7c07139152e261571

SHA512
8f3d4d5ad1c3d7cf2cf107b5ed10914c2e1da3808e82e13c40f770a452e4d5429eabf7c233eaa423b35df4ce047798bb10afa4d77feecf2d5c58fccfbf8e2806

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
687a1d6cc3e35eab4232121fcdf049df

SHA1
ad40c1b71e5c8a03bd33ff1fe927f58e8236da9a

SHA256
dc8784d2a598b8f90bd2811f525d30b5ce53945be22657df5ff6f93a1e9d11d3

SHA512
0eb7e72be650ab183a8e2f434169cebd857558a24e40231c530629b2242a2d1a9c9915f1355682eeb4500c696002049ba2244cb378a6d911fd74a6f083013a62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BMT3HFX2\favicon[1].ico

Filesize
6KB

MD5
72f13fa5f987ea923a68a818d38fb540

SHA1
f014620d35787fcfdef193c20bb383f5655b9e1e

SHA256
37127c1a29c164cdaa75ec72ae685094c2468fe0577f743cb1f307d23dd35ec1

SHA512
b66af0b6b95560c20584ed033547235d5188981a092131a7c1749926ba1ac208266193bd7fa8a3403a39eee23fcdd53580e9533803d7f52df5fb01d508e292b3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\activity-stream.discovery_stream.json.tmp

Filesize
159KB

MD5
14af0c77bf167f5ab999618096f881d8

SHA1
dd5c00f118c483cd2d65ea40e249da165a1e342d

SHA256
57e4288a8adeec66be57c5f79d566a8a198f2b505114bfb072639abd5f8ae627

SHA512
311f07fa308ee3eb99845d07ce3d98f591957552313aecd2d32e7d3d748e39b66974feb3dbadc419b3a5d5d403a5c10c4758145908ce7e08e3c08728ce0d6fda

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\prefs.js

Filesize
6KB

MD5
fc03769491e92557713bff75b3dcae44

SHA1
a4f4687575dba8a950a014c93d8f9f086a2b68d6

SHA256
3e943e423e8dd73d3afd2444234e9c1ca4eebd430da878f5bcc15e2141da7375

SHA512
8e2266f0af8f7833397b36b31482a43a4bd798693e069f8aeb823d12b767bcdac3aed772ce10b8907fca777436e4efc39ecb5172e81d2672f1165a2427b709b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
3913f1a402b2b0b9815dfea325ae6b5f

SHA1
c7ce4718c5d690dd3c9d646cc1fbba1b863323ae

SHA256
040498b6d3134d1f2dce26e6649d923399b10883fa2e48098b0437930fa7d15b

SHA512
c3726e5f4f9f7f08db1446f00601aceec9f7fd73cc64b3d6d4d8d3e533507af1e6a6d4687fd22ce51732656dd8d7181ffaafc6fb44e9eaade2eeb8cb0b61ec0e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
99729bb2bda3e1390b32bc2b8d312f29

SHA1
a24d1092aab8a0cbee8664111ea77b154d77d31d

SHA256
312dd506e180bdadfc59f41e6065e542cbbca2d4416dcc8af5b92b98cc2b8832

SHA512
e2b88fd23379eab96117bd597e86283c80b4d83c7f626c323fba2709f7f31e5054674e8ae4ddfdf7ee77bfc27bb38876fc3dfc7251bc79510b35f213f8513f43

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore.jsonlz4

Filesize
2KB

MD5
bdc6672cf683ab43d502d2c5244a147e

SHA1
783724f4281d6d9bc6a73abdc01934a8bd55503d

SHA256
f06671ddb63a6fdc08a7b0fb4436977df17ebe308281f63ba156a61d736b34e8

SHA512
a66617d57daea90e527c6108c697f48d536597b4e823e1c34b77f93943a6a2dc6d0ee2728e761047cc6edacfdf0104caf88ae1f5ded8981d7dd46b4ca729158f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
a3948e41d2174f625e74f03b6443d19b

SHA1
ebc26d7fd2f672b8e7b9bfc276e87d9926bbef33

SHA256
161e0394a581c8fe798bbd3ed6ef02820cf8f0df9aa13db288ef10cd36c96bdb

SHA512
f8674349020fc45b01e2cea8a4dbb27e31cbf6bb85cd85a8f5adbe5877c588987ec5ba41de90dcb88699943a18dcba639e8f13be164e4bdcdb7229cabd19eeee

Download Submit
C:\Users\Admin\Downloads\Setupp (1).rar.crdownload

Filesize
2.8MB

MD5
f5c4548ed8a73925daeac63923518dda

SHA1
83dc99b52ec91a4f66bd37a933a918ed34523d8b

SHA256
8f3d68d7e18b292fb61c83815033be31fa9d94a116540600fb90af577fe77cb7

SHA512
be9b074babc54a24e4807b62e49a25248d0000d994e999be849d1895a953f4783feebaa36bda6f5d55d75cd73d8fa816ad2a95f37755cadce0e290fa9a180fd8

Download Submit
memory/4400-2189-0x000000000E000000-0x000000000E010000-memory.dmp

Filesize
64KB

Download
memory/4400-2185-0x0000000001E40000-0x0000000001E8A000-memory.dmp

Filesize
296KB

Download
memory/4400-2206-0x0000000001E40000-0x0000000001E8A000-memory.dmp

Filesize
296KB

Download
memory/4400-2188-0x000000000E000000-0x000000000E010000-memory.dmp

Filesize
64KB

Download
memory/4400-2186-0x000000000E000000-0x000000000E010000-memory.dmp

Filesize
64KB

Download
memory/4400-2187-0x000000000E000000-0x000000000E010000-memory.dmp

Filesize
64KB

Download
memory/4960-2168-0x000000000E870000-0x000000000E8BB000-memory.dmp

Filesize
300KB

Download
memory/4960-2166-0x000000000E0D0000-0x000000000E0E0000-memory.dmp

Filesize
64KB

Download
memory/4960-2176-0x000000000FEA0000-0x000000000FEBE000-memory.dmp

Filesize
120KB

Download
memory/4960-2178-0x00000000005D0000-0x000000000061A000-memory.dmp

Filesize
296KB

Download
memory/4960-2174-0x000000000F670000-0x000000000F832000-memory.dmp

Filesize
1.8MB

Download
memory/4960-2173-0x000000000F5A0000-0x000000000F616000-memory.dmp

Filesize
472KB

Download
memory/4960-2172-0x000000000F540000-0x000000000F590000-memory.dmp

Filesize
320KB

Download
memory/4960-2169-0x000000000EA10000-0x000000000EA76000-memory.dmp

Filesize
408KB

Download
memory/4960-2171-0x000000000EFD0000-0x000000000F4CE000-memory.dmp

Filesize
5.0MB

Download
memory/4960-2170-0x000000000EF30000-0x000000000EFC2000-memory.dmp

Filesize
584KB

Download
memory/4960-2167-0x000000000E0D0000-0x000000000E0E0000-memory.dmp

Filesize
64KB

Download
memory/4960-2175-0x000000000F850000-0x000000000FD7C000-memory.dmp

Filesize
5.2MB

Download
memory/4960-2165-0x000000000E0D0000-0x000000000E0E0000-memory.dmp

Filesize
64KB

Download
memory/4960-2164-0x000000000E0D0000-0x000000000E0E0000-memory.dmp

Filesize
64KB

Download
memory/4960-2163-0x000000000E800000-0x000000000E83E000-memory.dmp

Filesize
248KB

Download
memory/4960-2162-0x000000000E6F0000-0x000000000E7FA000-memory.dmp

Filesize
1.0MB

Download
memory/4960-2161-0x000000000E090000-0x000000000E0A2000-memory.dmp

Filesize
72KB

Download
memory/4960-2160-0x000000000E0E0000-0x000000000E6E6000-memory.dmp

Filesize
6.0MB

Download
memory/4960-2157-0x000000000DFC0000-0x000000000E006000-memory.dmp

Filesize
280KB

Download
memory/4960-1976-0x00000000005D0000-0x000000000061A000-memory.dmp

Filesize
296KB

Download
memory/4960-1961-0x00000000005D0000-0x000000000061A000-memory.dmp

Filesize
296KB

Download
memory/4960-1951-0x00000000005D0000-0x000000000061A000-memory.dmp

Filesize
296KB

Download