86553adc36ef6c4f1343c7989779e42bfe579b0e5f2288ff96bca00297da3a27

Resubmissions

13/06/2023, 13:00

230613-p81x8agg6t 9

09/06/2023, 12:34

230609-pr319acb29 9

09/06/2023, 12:09

230609-pbwl8sch51 9

Analysis

max time kernel
1852s
max time network
1219s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09/06/2023, 12:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

YHNCrew-Launcher-V12.exe
Size

5.1MB
MD5

76689a8033e9cbfe024578129626d59f
SHA1

913d5d2b6705a4295268d7a8fac02a6ef47c37f8
SHA256

86553adc36ef6c4f1343c7989779e42bfe579b0e5f2288ff96bca00297da3a27
SHA512

c7070e132f9f40f5c5b4df908b99c13522cb93e85897981f1967a673e72ebc35ffa9aada77e60fb642cba24bdaf2c3539b01f6715f4dd372a8beb1219e9c7522
SSDEEP

98304:lIVdSNYJud6FqlhJyt6wp+9QUluCsbva7l2if4TqYpMZmM2ssdX7ZZpTL341Yt:ESeTqlhJytLp+LluCUvaBh4uYaZwsgrb

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	YHNCrew-Launcher-V12.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\eEVPzQLHqNlYQlrpUGunQMEnAp\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\eEVPzQLHqNlYQlrpUGunQMEnAp"	YHNCrew-Launcher-V12.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	YHNCrew-Launcher-V12.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	YHNCrew-Launcher-V12.exe

Themida packer 17 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1728-133-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp	themida
behavioral1/memory/1728-134-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp	themida
behavioral1/memory/1728-135-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp	themida
behavioral1/memory/1728-136-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp	themida
behavioral1/memory/1728-137-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp	themida
behavioral1/memory/1728-138-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp	themida
behavioral1/memory/1728-139-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp	themida
behavioral1/memory/1728-140-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp	themida
behavioral1/memory/1728-141-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp	themida
behavioral1/memory/1728-142-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp	themida
behavioral1/memory/1728-143-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp	themida
behavioral1/memory/1728-144-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp	themida
behavioral1/memory/1728-145-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp	themida
behavioral1/memory/1728-146-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp	themida
behavioral1/memory/1728-152-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp	themida
behavioral1/memory/1728-155-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp	themida
behavioral1/memory/1728-156-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	YHNCrew-Launcher-V12.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1728	YHNCrew-Launcher-V12.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System\hwid.bat	YHNCrew-Launcher-V12.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133307879106972353"	chrome.exe

Modifies registry class 28 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000de49248a6d45d901520faf9b7b45d90136de254ccf9ad90114000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3644	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe
1728	YHNCrew-Launcher-V12.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1728	YHNCrew-Launcher-V12.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1728	YHNCrew-Launcher-V12.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1028	WMIC.exe
Token: SeSecurityPrivilege	1028	WMIC.exe
Token: SeTakeOwnershipPrivilege	1028	WMIC.exe
Token: SeLoadDriverPrivilege	1028	WMIC.exe
Token: SeSystemProfilePrivilege	1028	WMIC.exe
Token: SeSystemtimePrivilege	1028	WMIC.exe
Token: SeProfSingleProcessPrivilege	1028	WMIC.exe
Token: SeIncBasePriorityPrivilege	1028	WMIC.exe
Token: SeCreatePagefilePrivilege	1028	WMIC.exe
Token: SeBackupPrivilege	1028	WMIC.exe
Token: SeRestorePrivilege	1028	WMIC.exe
Token: SeShutdownPrivilege	1028	WMIC.exe
Token: SeDebugPrivilege	1028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1028	WMIC.exe
Token: SeRemoteShutdownPrivilege	1028	WMIC.exe
Token: SeUndockPrivilege	1028	WMIC.exe
Token: SeManageVolumePrivilege	1028	WMIC.exe
Token: 33	1028	WMIC.exe
Token: 34	1028	WMIC.exe
Token: 35	1028	WMIC.exe
Token: 36	1028	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1028	WMIC.exe
Token: SeSecurityPrivilege	1028	WMIC.exe
Token: SeTakeOwnershipPrivilege	1028	WMIC.exe
Token: SeLoadDriverPrivilege	1028	WMIC.exe
Token: SeSystemProfilePrivilege	1028	WMIC.exe
Token: SeSystemtimePrivilege	1028	WMIC.exe
Token: SeProfSingleProcessPrivilege	1028	WMIC.exe
Token: SeIncBasePriorityPrivilege	1028	WMIC.exe
Token: SeCreatePagefilePrivilege	1028	WMIC.exe
Token: SeBackupPrivilege	1028	WMIC.exe
Token: SeRestorePrivilege	1028	WMIC.exe
Token: SeShutdownPrivilege	1028	WMIC.exe
Token: SeDebugPrivilege	1028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1028	WMIC.exe
Token: SeRemoteShutdownPrivilege	1028	WMIC.exe
Token: SeUndockPrivilege	1028	WMIC.exe
Token: SeManageVolumePrivilege	1028	WMIC.exe
Token: 33	1028	WMIC.exe
Token: 34	1028	WMIC.exe
Token: 35	1028	WMIC.exe
Token: 36	1028	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4152	WMIC.exe
Token: SeSecurityPrivilege	4152	WMIC.exe
Token: SeTakeOwnershipPrivilege	4152	WMIC.exe
Token: SeLoadDriverPrivilege	4152	WMIC.exe
Token: SeSystemProfilePrivilege	4152	WMIC.exe
Token: SeSystemtimePrivilege	4152	WMIC.exe
Token: SeProfSingleProcessPrivilege	4152	WMIC.exe
Token: SeIncBasePriorityPrivilege	4152	WMIC.exe
Token: SeCreatePagefilePrivilege	4152	WMIC.exe
Token: SeBackupPrivilege	4152	WMIC.exe
Token: SeRestorePrivilege	4152	WMIC.exe
Token: SeShutdownPrivilege	4152	WMIC.exe
Token: SeDebugPrivilege	4152	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4152	WMIC.exe
Token: SeRemoteShutdownPrivilege	4152	WMIC.exe
Token: SeUndockPrivilege	4152	WMIC.exe
Token: SeManageVolumePrivilege	4152	WMIC.exe
Token: 33	4152	WMIC.exe
Token: 34	4152	WMIC.exe
Token: 35	4152	WMIC.exe
Token: 36	4152	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4152	WMIC.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3564	chrome.exe
3564	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 4104	1728	YHNCrew-Launcher-V12.exe	85
PID 1728 wrote to memory of 4104	1728	YHNCrew-Launcher-V12.exe	85
PID 4104 wrote to memory of 820	4104	cmd.exe	87
PID 4104 wrote to memory of 820	4104	cmd.exe	87
PID 4104 wrote to memory of 4604	4104	cmd.exe	88
PID 4104 wrote to memory of 4604	4104	cmd.exe	88
PID 4104 wrote to memory of 3264	4104	cmd.exe	89
PID 4104 wrote to memory of 3264	4104	cmd.exe	89
PID 1728 wrote to memory of 1084	1728	YHNCrew-Launcher-V12.exe	97
PID 1728 wrote to memory of 1084	1728	YHNCrew-Launcher-V12.exe	97
PID 1728 wrote to memory of 4740	1728	YHNCrew-Launcher-V12.exe	99
PID 1728 wrote to memory of 4740	1728	YHNCrew-Launcher-V12.exe	99
PID 4740 wrote to memory of 1028	4740	cmd.exe	101
PID 4740 wrote to memory of 1028	4740	cmd.exe	101
PID 4740 wrote to memory of 4152	4740	cmd.exe	102
PID 4740 wrote to memory of 4152	4740	cmd.exe	102
PID 4740 wrote to memory of 3248	4740	cmd.exe	103
PID 4740 wrote to memory of 3248	4740	cmd.exe	103
PID 4740 wrote to memory of 4048	4740	cmd.exe	104
PID 4740 wrote to memory of 4048	4740	cmd.exe	104
PID 4740 wrote to memory of 3972	4740	cmd.exe	105
PID 4740 wrote to memory of 3972	4740	cmd.exe	105
PID 4740 wrote to memory of 4724	4740	cmd.exe	106
PID 4740 wrote to memory of 4724	4740	cmd.exe	106
PID 1728 wrote to memory of 4808	1728	YHNCrew-Launcher-V12.exe	107
PID 1728 wrote to memory of 4808	1728	YHNCrew-Launcher-V12.exe	107
PID 636 wrote to memory of 4556	636	chrome.exe	111
PID 636 wrote to memory of 4556	636	chrome.exe	111
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114
PID 636 wrote to memory of 5072	636	chrome.exe	114

C:\Users\Admin\AppData\Local\Temp\YHNCrew-Launcher-V12.exe
"C:\Users\Admin\AppData\Local\Temp\YHNCrew-Launcher-V12.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Sets service image path in registry
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: LoadsDriver
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\YHNCrew-Launcher-V12.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\YHNCrew-Launcher-V12.exe" MD5
    3⤵
    PID:820
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:4604
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:3264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd C:\Windows\System
  2⤵
  PID:1084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System\hwid.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4152
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get serialnumber
    3⤵
    PID:3248
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:4048
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic memorychip get serialnumber
    3⤵
    PID:3972
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic desktopmonitor get Caption, MonitorType, MonitorManufacturer, Name
    3⤵
    PID:4724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /Q C:\Windows\System\hwid.bat
  2⤵
  PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbcfca9758,0x7ffbcfca9768,0x7ffbcfca9778
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=1828,i,14053047144486386426,1363540887017804341,131072 /prefetch:2
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1828,i,14053047144486386426,1363540887017804341,131072 /prefetch:8
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2268 --field-trial-handle=1828,i,14053047144486386426,1363540887017804341,131072 /prefetch:8
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3236 --field-trial-handle=1828,i,14053047144486386426,1363540887017804341,131072 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3260 --field-trial-handle=1828,i,14053047144486386426,1363540887017804341,131072 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4540 --field-trial-handle=1828,i,14053047144486386426,1363540887017804341,131072 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4744 --field-trial-handle=1828,i,14053047144486386426,1363540887017804341,131072 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4904 --field-trial-handle=1828,i,14053047144486386426,1363540887017804341,131072 /prefetch:8
  2⤵
  PID:1100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4888 --field-trial-handle=1828,i,14053047144486386426,1363540887017804341,131072 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4740 --field-trial-handle=1828,i,14053047144486386426,1363540887017804341,131072 /prefetch:8
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 --field-trial-handle=1828,i,14053047144486386426,1363540887017804341,131072 /prefetch:8
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 --field-trial-handle=1828,i,14053047144486386426,1363540887017804341,131072 /prefetch:8
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 --field-trial-handle=1828,i,14053047144486386426,1363540887017804341,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4860 --field-trial-handle=1828,i,14053047144486386426,1363540887017804341,131072 /prefetch:8
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5332 --field-trial-handle=1828,i,14053047144486386426,1363540887017804341,131072 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4536 --field-trial-handle=1828,i,14053047144486386426,1363540887017804341,131072 /prefetch:8
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 --field-trial-handle=1828,i,14053047144486386426,1363540887017804341,131072 /prefetch:8
  2⤵
  PID:5052

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbcfca9758,0x7ffbcfca9768,0x7ffbcfca9778
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1932 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:8
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3188 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3220 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1976 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:8
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:2
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4560 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:8
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4852 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:8
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4672 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:8
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5148 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:8
  2⤵
  PID:520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5108 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:8
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4980 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:8
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5412 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:8
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5416 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:8
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5340 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:8
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:8
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5600 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:8
  2⤵
  PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:8
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:8
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5312 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:8
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3872 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:8
  2⤵
  PID:724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5200 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5036 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:8
  2⤵
  PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5052 --field-trial-handle=1960,i,8306038359059557549,7942629019311765499,131072 /prefetch:8
  2⤵
  PID:448

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1392

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log
1⤵
- Opens file in notepad (likely ransom note)
PID:3644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\729d484c-f4ab-418a-8415-d84ecb1f1b05.tmp

Filesize
90KB

MD5
2a2b92ee5c6260bf8636848de0db8216

SHA1
6b3d6119b77b247221aeb3bf997618b3a3d8a94b

SHA256
9902a73ef1dc08fd48c60c933f3632d8280d0249d0a861982a4576f91a5f0367

SHA512
ebe67bca3dc194c3b3ce1eb54d88c9b318c6750ee7ccb4c051b0bd6877d0b80cf4ba0792f85383bec78ba3f92bbb58e67de6e824b42ed4ff62347a974bc8601a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
bab948aab646d615b0fbbb90b55433ab

SHA1
0ee46cc7db939e55dcc3a5cd17e2fb893ece7a34

SHA256
e02daa351bf7a75dc1b7e9b11c5d716b89f108058e70326f0a8b7b8ba489ce0e

SHA512
a1f82c1aba6d15216d2313673a200d1fd24f99577b06245f4e326df99ab0bd4c3c509b2ddab14753225b47f4c973ce5ac0e08c90c75430bc65c61c48a5969fed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
bab948aab646d615b0fbbb90b55433ab

SHA1
0ee46cc7db939e55dcc3a5cd17e2fb893ece7a34

SHA256
e02daa351bf7a75dc1b7e9b11c5d716b89f108058e70326f0a8b7b8ba489ce0e

SHA512
a1f82c1aba6d15216d2313673a200d1fd24f99577b06245f4e326df99ab0bd4c3c509b2ddab14753225b47f4c973ce5ac0e08c90c75430bc65c61c48a5969fed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Bookmarks

Filesize
1KB

MD5
f89d6370785ca0b58fda79b1ceaa4f37

SHA1
3e4c0b36f5f1608520588f6a2cb8a7e8e6b605a7

SHA256
5b345ae4f1b9f4b5297cc27772eeaa5dd11bb54ba8e19c54385ebf698f883425

SHA512
3e366f4cf583b84ab506f0e97cf10f7ad004e4caa22136304e4f4bcfe26caf81b457d7bd78dc523bde04857748b2941426ebb78a6ee34ab3d3dbabc7aeb13aa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
1fc9cdd2cd86f66b4ae328116180cf6a

SHA1
06b721faec822c83f81f9950a605f24fa8c727f0

SHA256
fcb5110667196aca5101f9c4063b36725d97add32c08c120c34da2b028583ba9

SHA512
f4862682e87765203df34f8afea0ffaddabbc2f3244baf25bd949b5e6eb72b949e8d50e9587d25e90cc32493b5112391be0d278c671657751aab936a5db81f22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
b1b962be82de6669e130c3983ee2b1b4

SHA1
8402f644c5c8cf08ccf2a7d7ccbcd5cedf0c0ebc

SHA256
8f6a4b34c5efc8e90a1018da47e9a4124176e5ade8cba6f52e38304cf922c072

SHA512
baf2398f0e650fcfe07f30dadc5b004690bc3806ad4eaf81415ad0c55a619894c2500100c9d142f8b5236ba564fc6c26097c01b107792d8cd909ab2d4bf29431

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
2e9354bf2e0e943e3907e148e4fb9d91

SHA1
bbd28e318a27385dcef62bb0a33b5facea3c831e

SHA256
a3cc459bc33f8ee52c39b4ca0715855a59aa1f4fcdbdae8dbde3d74e1037e59d

SHA512
7778ee8344a9faf631ea42e42fd8697173baa7dd94555874aeeb11ebff3ec29f7108ab67790be7a7c718dbab35d22c6d9c338a110840ca3e80921c0845b592e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
8ab54620acd4a8e375ccc397324a9cf5

SHA1
38a55f93c28fdae5564bcb4d294404c026e10a25

SHA256
2f805c823d8e4c80753e77b26deaef408a0c4636da9af5e1887343d6a8fa7807

SHA512
aa1ba1103744eb23e293da4ad4f05fab565668dcc1cd29900475c76707e74c538450930f6dd9ad678ea763586063306e226f7466485b1f2d119b937754895227

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
32KB

MD5
e5d4e8e6855bb6cd2a5e8c2e0cc725d7

SHA1
ddda82686209eb251bd6ba20cd2587efad3babbf

SHA256
b1faf6bdd421740d44482a28657737f2cabde30c9cfe9fd99868d2ff5764e576

SHA512
dfd2cdea57173c8c834cccf4ca0257181b2039ccb3a07239c8cacc7aba1de95d86c9eeea4807cde10193bc1e5459c3f6b5f94b29df136e73383e45e86ebe7374

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
48KB

MD5
bf4e7743eb5b136a8a63d6769f497295

SHA1
30a6adfa8f68acd19d34a63b3750fc77d515c725

SHA256
e3f0071edc0361bddb7f9f13119fe3b6282937a1a3909083c43a297c4650d146

SHA512
7a78c0e1d4b6cae5f7bc8951116e7388a3de822a0c1d16e733d036776aa150c0c2f0a7ced715ff08d651d0ec7e6d25f57b4779247fa9652cf45be8326aa56410

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
37KB

MD5
5b0c0d429185ff30e04c93f67116d98f

SHA1
8eb3286fe16a5bee5a0164b131bc534fd131f250

SHA256
f1a0b957050b529afc0e94c436976326124ed8968183859c413986487623294d

SHA512
6295bcd662325172b15c476d26f23c8794c4f1454e0e8cfd43bca79b45aa03e1ae721ebdada1c52fe7699027fa97699156280ff259ce3cc476e322ccc0337902

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
36KB

MD5
756e5fce96773fbf9dcd84643ac8b6be

SHA1
123a43b3706f2fd5c149b2acc4600aaf24681b9c

SHA256
e55ac364c1daa85990da4d2a4e7dc3c4bc791fc46c656c1d82573ef04a575627

SHA512
cb10ad2662c2eacac9f4d9aeb0a27ca468ee35160db4cd39eec7ac6f81619c0845afabffecf72b0f357ccd4f1100467090718c8329b1888fb4caba1ff856e383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
320B

MD5
b6fa722b0ec1ba192b0b59e3663efa8a

SHA1
e0113caa1041d2efe8e4fc64239f4185a27aa60d

SHA256
d0172aca15f165d0478bf868e4568ff1e7ac1038d0c549ebe081d3c0ba782c75

SHA512
dcfbf0c321397cbfacd4b30533e4de6f8944f26a3183807422ecca1adea582e35bb8d699e95ffd5c430366e8f393c12fd8ec620dac7c4aeee21d850fe999acb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
5a8e40862a0bde1e11d46e9329792f7e

SHA1
b09df203f7870a4cf5b38e133ceb46c27cacc060

SHA256
5d1d03108bab5918e99a2947ea71120e514fd15bec1a0cdd0c395c5daf1f770d

SHA512
68d9de9e5d82afac66d56fd9b371a2e8c134704b04c1c70ef242dcd0d53f49eaf5b77435fc4d6ff3ce6082f2ce2a00e0c7b9694dd59b7325771f09a15b2682c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\0a3bb468-d8e0-4d4b-9c08-be28ddda9c96.tmp

Filesize
1015B

MD5
e403d0586624dd08fcb979066ec0dfad

SHA1
bb06a8e44ae20eae2cf28a48581b2bec099d8f6e

SHA256
764a44bb13996340fd95d41b52d5710e2f8ba72e91ac15c9c3c608bcd0474983

SHA512
9b1c9b41710734c15d0b986a8a307512efbb10707005bcb20753215ef65630ff672204b3fd3a69c51ac1cf36f83e64cd59bf3e6955ef0ccbdde8b9572bd0550d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1015B

MD5
e403d0586624dd08fcb979066ec0dfad

SHA1
bb06a8e44ae20eae2cf28a48581b2bec099d8f6e

SHA256
764a44bb13996340fd95d41b52d5710e2f8ba72e91ac15c9c3c608bcd0474983

SHA512
9b1c9b41710734c15d0b986a8a307512efbb10707005bcb20753215ef65630ff672204b3fd3a69c51ac1cf36f83e64cd59bf3e6955ef0ccbdde8b9572bd0550d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1014B

MD5
7ce3f544d0117cd7e967c187aed2be83

SHA1
54a190d43c4e75127d34c38be736548d68ae439d

SHA256
0a9b8bdf62abd9e8c87b941c3459d1026c27ba877af597932ae1b218df04be34

SHA512
1cda42ad86eaec9c76cc4d5fcfd2c0176fe398f9225c713db8c1d29634a6b21a5b0d50865b9b779a73830b250e7046b365f9ea5423d3d8442ac1098b69953dca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL

Filesize
36KB

MD5
804a7cc2b8179832d18a04afd1952c4d

SHA1
217a9fe3ec8138523d1486b3d169cf5a5065b313

SHA256
53a77baf1d375b4cda8ccf64350a4d9be89041eb75559fb28bb45c8abfaab9d6

SHA512
2b5159782d8f3d4fea421ebd357989cabb73412d79868267a4c5ce1fea52e38eb60852c1469385966318efb1f19868fcef344390c007c091d0b6ee69f3e3d2ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
e5394bb88be4bbb9c26a00cb0352903b

SHA1
78266005fc1be80f9d119c25cf53b06baf66c93b

SHA256
8c46ffa7b931477f930d24576fa75960ceb750215fc78d16134c36d105ebd15c

SHA512
fd236ea662f03af6b1590974b4ec444c3904ab7c9db16ceb81bb94af4aef538489c8dc7d5595d00a72c3907304b277361e22a73e4c9af279eedb621c07694ade

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
9160bd005946adc56b255d4f3699bdd1

SHA1
4e465724e41a6cfa719acd5c4398b9fd0bba4053

SHA256
8a6706f37e62ad762288d0a29887b1f6222571c3dc290100342eaac32054d8da

SHA512
c33889203f8be5f49c0b569543746949b9f850ef47af76d731aa53c6514388e7aa598fd6170d5cfe4d94d3a74011d5d376461df2f5d2522015bd14f97cec0a1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
9160bd005946adc56b255d4f3699bdd1

SHA1
4e465724e41a6cfa719acd5c4398b9fd0bba4053

SHA256
8a6706f37e62ad762288d0a29887b1f6222571c3dc290100342eaac32054d8da

SHA512
c33889203f8be5f49c0b569543746949b9f850ef47af76d731aa53c6514388e7aa598fd6170d5cfe4d94d3a74011d5d376461df2f5d2522015bd14f97cec0a1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
fe46eb46cebba029805285f44ae5f4b2

SHA1
4766da8bd8e60afc8e9a4e52e3eb7d348cd27cdc

SHA256
af91220a43bc353564c70fefc0ec92d9bd768d93811ea13e7543497d6cd78909

SHA512
1fe47e54dbb4c91bc54b64418e584d0dd8c7fb3c86e4e41d7c1361bdb807482667e8cbc49426e9e9787a9207ab7c59e38ac02a1a983ee1449c6cf7095fd68d0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
a5f24b21abb1088966251a922b02ced1

SHA1
faa3c120a6306cb15fd70f7e441fd1e6ec5fe4ae

SHA256
f7e91d89d8eb8f7c1d2af61281c73b8ebd830953fc10a04c1736130cc6daf6b9

SHA512
ba8ba0a670a49cf261ccdb3cedaf98255a827661a53a40339d073790fefd822b7948c5016fd3f12823ce606aca39d6d636caa66613a8b6b1181e109f40c011a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
a819416a018c09843ac5344adde776c8

SHA1
fb9e5d1e41df20d7c0ed5ffc1e24deaa4566dedb

SHA256
870570692d9a0afbdbf74373dac1fb0e847ec906f63b65765f89b9a91ed73d47

SHA512
52884708c6711110d02d8ee98e3f095a1b48ddbce50a8e717a82ad0bc70e43972ee88a3c1242a43f0a941c0858d6f473b208954678c3033b245db3cebc3ea4e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
a4f93bc2e7d176dc901f5bc1751c2f94

SHA1
c4133296430aa1f5dbd6fb160fe0b160dadc16d1

SHA256
f4dac9770ff05677de5a88fda8c6e2e768c81e4999cf0b0e0793de9dc0113f26

SHA512
ded04133babd93aa07ed4d56ff857ab189999f4dfa662f74f832994412f9616cc912330acc1fbdaadc493c771fae8973beb00ad93935e30c39aede0ee9abbb91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
a4f93bc2e7d176dc901f5bc1751c2f94

SHA1
c4133296430aa1f5dbd6fb160fe0b160dadc16d1

SHA256
f4dac9770ff05677de5a88fda8c6e2e768c81e4999cf0b0e0793de9dc0113f26

SHA512
ded04133babd93aa07ed4d56ff857ab189999f4dfa662f74f832994412f9616cc912330acc1fbdaadc493c771fae8973beb00ad93935e30c39aede0ee9abbb91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Search Logos\dark_logo

Filesize
29KB

MD5
425ed112d940507249a4db31cfebe8d1

SHA1
b716401ab31a8b13f8052e1fd66145c1f51f5c0c

SHA256
6507f7fbfaedc01516c15073dfacdebfc78d27f6ba5bdf68428d42cf652182ad

SHA512
693243e26332dc3a480b96b485d7b4be3e9977461cc1ed0735dfd0128f4dfd41946f4653a21b879e3290c8fe6d2251c160644bfa60d50f8d36f4efe706e720d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Search Logos\logo

Filesize
29KB

MD5
425ed112d940507249a4db31cfebe8d1

SHA1
b716401ab31a8b13f8052e1fd66145c1f51f5c0c

SHA256
6507f7fbfaedc01516c15073dfacdebfc78d27f6ba5bdf68428d42cf652182ad

SHA512
693243e26332dc3a480b96b485d7b4be3e9977461cc1ed0735dfd0128f4dfd41946f4653a21b879e3290c8fe6d2251c160644bfa60d50f8d36f4efe706e720d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Search Logos\metadata

Filesize
2KB

MD5
5c7dacf9d0ed7af37ac0b0f2e31877e1

SHA1
fce33afc04dd2a7d4705fbd436ada1b3f7e86e3e

SHA256
be92860c4d5e4116266c35b28bd13a7d6f80b09445eba679515a3832f77e26a4

SHA512
4cee369b363a1e69604e3fa3947158078f9f0ad7618028f843770a27a65c6c3103d554f78735b3131e7af436130d5f60721ee1e15ae40a7b88db4b87ac7d18a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

Filesize
175B

MD5
6153ae3a389cfba4b2fe34025943ec59

SHA1
c5762dbae34261a19ec867ffea81551757373785

SHA256
93c2b2b9ce1d2a2f28fac5aadc19c713b567df08eaeef4167b6543a1cd094a61

SHA512
f2367664799162966368c4a480df6eb4205522eaae32d861217ba8ed7cfabacbfbb0f7c66433ff6d31ec9638da66e727e04c2239d7c6a0d5fd3356230e09ab6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
317B

MD5
59adacccf0a8b7208ee74c5c03215c11

SHA1
8759a50100492930e1f6fa130b5938d1660f4ebf

SHA256
fe1a39b17834bbd9ac5f4a4e8670ed1baaa90c0ac3d520feb7e47088c034a99a

SHA512
20018d247d322fb104c3478b244cac4c19ffd317460a32193f3b544c8276c50f75c04f0835af9351b30cbfd68957631987461452703b6aa7a1a213a8ab5c29cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
348B

MD5
b73f3905e78a33b53237c44b42c99f43

SHA1
47658e81ee9ed165d3d964b9b113f4742da24aa4

SHA256
9a6e4b8120317c0e087e5ce1255a8b8f3bf8ad944a1e342439bd5310c767b8ba

SHA512
4f99e1c085bc8bbe8b0fa6d2c3f736e31bb8e18ba03166e7b23ee897e9c58a351a330847022acf845f9f08ac15ecd22a3ad5c5ab736c0b31afd7a76ac13f3f8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
324B

MD5
78bf32011f92dc09027b333803076c51

SHA1
8c7fa0fcd482db32b829c144490eed1ce1ba23cb

SHA256
c1218b7e4c1369192fe3b36013271329ac6e8b07970e507b015698d143ed9453

SHA512
d0f7a6a5ea1e28095f55ebd99d59eb0f0f865812c1d395bd2cd08473c7e1c85d20759741f576a3e79a5ecf93145c4e74d60835bd9f765bdba30ab0381791910a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

Filesize
760B

MD5
c93537ed0541c0f40c2a2ae57d56b091

SHA1
bda05a606f0c8d721cac3654b878f1775daccca7

SHA256
e7c7d2ee89f2bdcd15f6d3bbb28aa2a7c824d131f2ffd75ea342451d3ffe4e2c

SHA512
dd36b33a20638fc317949fc1f7e048f384624e3819f4dbebbfc4081572f2b0ec00e521fe10be250de96f01fe6424e1fed54637f609b1a34e1be7cc561f4c15f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
320B

MD5
dfc1e8b4fbe938850909d0bf8df07333

SHA1
da712d0d47bfe8832014ec90aeff514e41f879e6

SHA256
fcc5b5b874dcd9089d0a8c2309dc7ca851bccd471e1b58a6d7c6d25774e6e2b6

SHA512
9f3eeaa5e0417910d90694ac1bd8c6751177be1d0038dc5d3595450375dadfe82f71717f2159d3a9783d0b32e2b162353cfac097b73a493c8bfa5be74d4e46ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
855B

MD5
3dac7e4a55a9c183d2a6514a43a88067

SHA1
e70a5240a2ddc9b09e26dedfd7ee20253b0d537e

SHA256
dfb185607281fb56a4e47146d19804029dffcedf6afa0b8ebd67700efa3f7861

SHA512
d4d63bca7432e529e581ff5951acd73e120c64d1531839b5693f1ca68cea895fe3cc3598282520ac05c0dfe33429b35a018a8194e67f15484d6b9bcad4d3c54a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
338B

MD5
b7cb07725dac9f8cd14ea98f84adae2e

SHA1
30306e8b0cf910654c2ee264f3a448421056c153

SHA256
ae57fcb7987869dc3f9a44e1edd8e341f8d6b51d59af126da5c4cf04f4e343d8

SHA512
881ec994e9bee9870534ee6262dd35323ba5caeb290c9536bd0b904aea6536631d43990d375f02d897e61a50628cd1f80d3b36570a7c8e7044867fe3e17299a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
158KB

MD5
3eaad9d89ae7f263dabefac8b1c0b905

SHA1
c5d4f37263341e5dea5fe4e767cff26c498a1189

SHA256
167890dab69c0c10aa833c8ff60a58406b9c9c1e9b9fa69a636223f61c12d84e

SHA512
8c7329092807300c5072084afce20060d019c6f36eebe1950bae98321303cbba77277bd08cab746890e32951f613cdc9164587748976e910ebaa34e60179b79a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
158KB

MD5
3eaad9d89ae7f263dabefac8b1c0b905

SHA1
c5d4f37263341e5dea5fe4e767cff26c498a1189

SHA256
167890dab69c0c10aa833c8ff60a58406b9c9c1e9b9fa69a636223f61c12d84e

SHA512
8c7329092807300c5072084afce20060d019c6f36eebe1950bae98321303cbba77277bd08cab746890e32951f613cdc9164587748976e910ebaa34e60179b79a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
158KB

MD5
dacdfa04020c423ea4cdca873f6721f7

SHA1
30dd21800a522857d491e30775df15139df59fc7

SHA256
b260e3da77fb674918d5e1e87cfff4b2b6c3aaaa5fd0bcff8cb27b204b77e15e

SHA512
4d1270daf729e4575176383d32b452c8b8060b2f0923c8083ed6a9075f517e9937c5b8c3e432ac1ee9edbbc0731fe44b2821dd49c341f2c3d5990933ece8132b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
85B

MD5
bc6142469cd7dadf107be9ad87ea4753

SHA1
72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c

SHA256
b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557

SHA512
47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
20b7e89c6a50fdd17266d98d046a89b8

SHA1
48c719ceae6adf77b74c58109e581d805c3e2665

SHA256
3c3c695989b4d47efbd157faa83213175c916598edacb57feaca805b1bbdd5be

SHA512
bd127363a68445692a227086de94a659f6104829333dd345ba04e223d3ee46c0a994739570650216ceb38e7352ed3b46277ea40392234e915a61f37d810605b7

Download Submit
C:\Windows\System\hwid.bat

Filesize
451B

MD5
f9a38c921fcd4e4cc80deb4fb6418ad3

SHA1
c1bc132c76951c89e077300563cdf8f0854e28a9

SHA256
4e0f9e4eccb0a1438a1f2466494d6c711bd1ce5e289545b32ecac2e10cafb8ee

SHA512
703bbad754ea789bf75f98de20c48609a3c38bf15ef8a338cd50fab0676b3e5e1a63610be1324562c5f728a8bd2c314584afcb0663c4415ea308e6b26f842622

Download Submit
memory/1728-156-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp

Filesize
13.8MB

Download
memory/1728-139-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp

Filesize
13.8MB

Download
memory/1728-140-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp

Filesize
13.8MB

Download
memory/1728-138-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp

Filesize
13.8MB

Download
memory/1728-141-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp

Filesize
13.8MB

Download
memory/1728-142-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp

Filesize
13.8MB

Download
memory/1728-143-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp

Filesize
13.8MB

Download
memory/1728-144-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp

Filesize
13.8MB

Download
memory/1728-145-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp

Filesize
13.8MB

Download
memory/1728-146-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp

Filesize
13.8MB

Download
memory/1728-152-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp

Filesize
13.8MB

Download
memory/1728-155-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp

Filesize
13.8MB

Download
memory/1728-133-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp

Filesize
13.8MB

Download
memory/1728-137-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp

Filesize
13.8MB

Download
memory/1728-136-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp

Filesize
13.8MB

Download
memory/1728-135-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp

Filesize
13.8MB

Download
memory/1728-134-0x00007FF6E69C0000-0x00007FF6E7786000-memory.dmp

Filesize
13.8MB

Download