6569fcc8ecc5e6dbc85dd0ebca9d248454446a7f6ff806c34c598303fc989060

Resubmissions

15-06-2023 12:49

230615-p2sm9sha28 10

14-06-2023 18:35

230614-w8mtxsce42 4

13-06-2023 18:00

230613-wll9wahh26 10

Analysis

max time kernel
1801s
max time network
1698s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
14-06-2023 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

expressvpn_windows_12.38.0.60_release.exe
Size

57.9MB
MD5

c2f43c3bd04b18b42538f21d5c35769c
SHA1

c82bd94359c17d96d7e6195fb3350e5944747fa0
SHA256

6569fcc8ecc5e6dbc85dd0ebca9d248454446a7f6ff806c34c598303fc989060
SHA512

e220f439900da7058b430e0ee98eaf92b7063143071026ddb1234f1800978c4a3a4ca55252811d45ef8339a5cddcbd2a1f5deeb7036c8b23f4f09f207a6bf6a4
SSDEEP

1572864:dKaNvbJ8xod7dyy6KsEcOEhn8Oi2dLLflzBfaAThAz80FcaTT2uqGN:dKYCxod7dDHHUVvdL7LSTSgT2uT

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

expressvpn_windows_12.38.0.60_release.exe

pid process

2416 expressvpn_windows_12.38.0.60_release.exe

Loads dropped DLL 23 IoCs

Processes:

expressvpn_windows_12.38.0.60_release.exe

pid	process
2416	expressvpn_windows_12.38.0.60_release.exe
2416	expressvpn_windows_12.38.0.60_release.exe
2416	expressvpn_windows_12.38.0.60_release.exe
2416	expressvpn_windows_12.38.0.60_release.exe
2416	expressvpn_windows_12.38.0.60_release.exe
2416	expressvpn_windows_12.38.0.60_release.exe
2416	expressvpn_windows_12.38.0.60_release.exe
2416	expressvpn_windows_12.38.0.60_release.exe
2416	expressvpn_windows_12.38.0.60_release.exe
2416	expressvpn_windows_12.38.0.60_release.exe
2416	expressvpn_windows_12.38.0.60_release.exe
2416	expressvpn_windows_12.38.0.60_release.exe
2416	expressvpn_windows_12.38.0.60_release.exe
2416	expressvpn_windows_12.38.0.60_release.exe
2416	expressvpn_windows_12.38.0.60_release.exe
2416	expressvpn_windows_12.38.0.60_release.exe
2416	expressvpn_windows_12.38.0.60_release.exe
2416	expressvpn_windows_12.38.0.60_release.exe
2416	expressvpn_windows_12.38.0.60_release.exe
2416	expressvpn_windows_12.38.0.60_release.exe
2416	expressvpn_windows_12.38.0.60_release.exe
2416	expressvpn_windows_12.38.0.60_release.exe
2416	expressvpn_windows_12.38.0.60_release.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133312413882880739"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1568 chrome.exe
1568 chrome.exe
3028 chrome.exe
3028 chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs

Processes:

chrome.exe

pid	process
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

expressvpn_windows_12.38.0.60_release.exechrome.exe

description	pid	process	target process
PID 2148 wrote to memory of 2416	2148	expressvpn_windows_12.38.0.60_release.exe	expressvpn_windows_12.38.0.60_release.exe
PID 2148 wrote to memory of 2416	2148	expressvpn_windows_12.38.0.60_release.exe	expressvpn_windows_12.38.0.60_release.exe
PID 2148 wrote to memory of 2416	2148	expressvpn_windows_12.38.0.60_release.exe	expressvpn_windows_12.38.0.60_release.exe
PID 1568 wrote to memory of 3656	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 3656	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5040	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 1420	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 1420	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5024	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5024	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5024	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5024	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5024	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5024	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5024	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5024	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5024	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5024	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5024	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5024	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5024	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5024	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5024	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5024	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5024	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5024	1568	chrome.exe	chrome.exe
PID 1568 wrote to memory of 5024	1568	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe
"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\Temp\{15AA65A2-E83E-42BC-843D-0980D8F52631}\.cr\expressvpn_windows_12.38.0.60_release.exe
"C:\Windows\Temp\{15AA65A2-E83E-42BC-843D-0980D8F52631}\.cr\expressvpn_windows_12.38.0.60_release.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe" -burn.filehandle.attached=532 -burn.filehandle.self=540
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffb6d69758,0x7fffb6d69768,0x7fffb6d69778
2⤵
PID:3656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1824 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:8
2⤵
PID:1420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:2
2⤵
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2116 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:8
2⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:4896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:4852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4364 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:1020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4568 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:8
2⤵
PID:4248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4696 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:8
2⤵
PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:8
2⤵
PID:1372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:8
2⤵
PID:656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4568 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:1640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4992 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:4244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5544 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:4900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5164 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:4784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5088 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:1384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3112 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:2036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4940 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:2056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3036 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:1804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6448 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:4988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6280 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6132 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:4972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=6128 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:4020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5848 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:1556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5800 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:3144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6900 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=7092 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:1488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=7056 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=6892 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:4872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7644 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:8
2⤵
PID:264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7764 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:8
2⤵
PID:4136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=7944 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=8108 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:4880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=8072 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:1836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=8464 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:5224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=7800 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:5308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=7616 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:5320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=8760 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:5492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=8912 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:5568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=8764 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:5672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=5244 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:5836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=1776 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:5988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9160 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:8
2⤵
PID:6048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9284 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:8
2⤵
PID:6076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=9464 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=9476 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:5292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=7668 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:5488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=9816 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:5564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=10120 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:1
2⤵
PID:5852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8668 --field-trial-handle=1868,i,7333782283884250953,6551137540720663376,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3028

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
Filesize
49KB

MD5
e753dcc2ceac54c6c5b0619a7126f04d

SHA1
b4a85d46ac70dbaef2bf98e8fad3033777f00510

SHA256
2567f11fd0788cbea9ee96dde5b7b27fc77242a97a90c960a947aaa9a9f38e0c

SHA512
1ff65d9653e5372860f4f27c2baeaa5de15c1dff9fdec5e595c7b165a0923a90615ccb85c16034fc8ac02650773e2567dbf1d6ff2fbac94724018f00f13b5cbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00004e
Filesize
37KB

MD5
5b0c0d429185ff30e04c93f67116d98f

SHA1
8eb3286fe16a5bee5a0164b131bc534fd131f250

SHA256
f1a0b957050b529afc0e94c436976326124ed8968183859c413986487623294d

SHA512
6295bcd662325172b15c476d26f23c8794c4f1454e0e8cfd43bca79b45aa03e1ae721ebdada1c52fe7699027fa97699156280ff259ce3cc476e322ccc0337902

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
4582a531527601d9cb44cb38d8005e56

SHA1
83a342220425a8cf6ce921de48eb79ff71352f62

SHA256
35d7ffdd432e2800ca1598ca680bd70c9267d983570436a0bc19e5a29fa79eed

SHA512
68b49bd9c466cdde35f3dc2a6457e58f3ad7b29628eeca0b88cc664e45a2660749ae0800749bd495374a65cc81b4d0f5d3be949b58c52481627bf30f28bd1e1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
12KB

MD5
8c491bde9a393a72e5b77c7f5b150b49

SHA1
cd15f2ebb9bdb967493454a590be16b4e1888042

SHA256
374f5a5e58e60083444b413e222540b34fbaff3e1b3c7959d90b1d127ca645e5

SHA512
41d52c885bbdfa82d804b627572c1fa0423273c5f781371b541af17967f62edbf2fec59a5b63d3b11dbe3fc6bd1afa65006f7ed80cf90e518bc260dbdf07e5aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
ff4866d1fa8d3f86e3e5955c51046abf

SHA1
463e5f5f40b4621fe50caec81f3eade2c666d78f

SHA256
1fe95ffb740ee4da0ba5682a4a845b7b221d598a0c054e69a352321d056e442d

SHA512
daca24ce5ba8d8b378c75402d869b9cd61e58cf9942072b6f8b8730f65663fbeb0ad62611243c035c60e94d8931334d6db1809395548f7eeb2153c33b5ae94a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
0fe4773221e69c380203b117e349c831

SHA1
ed708bc9768bc34dee4739e0120fcb5a2b89f8aa

SHA256
920ca5970a73dbb5929dbe977e10b060c68b9ea7c1e5c5032e283cdc9054607e

SHA512
f2ac42d6ab77a1d268e0a053977559b9115ace5860ba82e9366767c6c328341c81f478c376b0580eb2dc78478a2c47f9fce82c90f25bfbe568d2dc63f65096e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
4KB

MD5
eb0510f3d39fd60e3dfdc154103aaaae

SHA1
e92c9b5586561da216412ab1c14887700f042921

SHA256
28e343989974ec3848bffd9f8735f351c74443840da3e6d193b22a09b18ea38e

SHA512
8f9b6bb54eca609131260bb350273146f9ce4513d060c0bc1c5f2660188a545afa3cb7aec57713ce4ba023ac2a9c0ca209fc6e0902aebd745bad5cc31342064f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
526c0bd3f5cc9466bdecb5b71ad12b6a

SHA1
64d7a3652fb508f01901017773973c07e0690647

SHA256
e012153dbe7742aa27571a9261cbafa649a923e955922436bc4137e69e378e96

SHA512
0970ae8e838e22462e426574959a5036603306d94b6a7c2d8a3d50b86b7e8c2da485b614dc2b94cdafb255ca6e452858da7563cde145a24356916d13340ecee3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
b75588badbce41c8aea4c27f1189700d

SHA1
d0c64d5edcbda5b15b3b56cfb4ca080bbbc233a0

SHA256
3a74133e8f3f996aaed26d2f70d15ddafa5ac4318f54eba470ecc30c76582161

SHA512
ce50c15ff9d686fba938dd406107e8855e28bbc1ca8d58750766a4c4fcc858ca477480e2e3b2bd7e30b0c3b5b34cb41acd2bd6158f62428f4db7e152adfa7d59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
ba6e29176bcb6e0ae119521b997dd097

SHA1
c192bc336a082ea0c722abdd9cb97eb54093c05a

SHA256
e79c031e2f20b5a5ecf9acf8770328a937b4669445aaef22507488e39e8b4d00

SHA512
570fc0d2ee26cbcbfe3210edbcb9d9b10bbefa5d4069fd15e7b6793dc75f6dfdb640791520812efea8c4710c5ddebcb9d906201946d34d9c111c3fbecd5bafbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
faeed6f6e812525fc5bc7bce3378d93c

SHA1
a214a9b236f6daeb66f4e72ec31f5001eb055e81

SHA256
c4ece62cd447c5fc5dba5cd363f3a73cb3151ec04151f4c95bcf173a704e10ae

SHA512
3bc20ac89303a82a009a8bce1479f28580f24a27c64d0779550de3df9b24ea620a09c568e740c995acb84c7b0471e889a95d2b008a097f015661e432a275456e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
159KB

MD5
18a266b2d4750308a5e72787753af75c

SHA1
746bb393f1224e472aa861eeab55b9c0d8b54fe0

SHA256
691e81461dae59cec27b648a62cfdf45e4a01e084ac22aa86d967498e6c0f56d

SHA512
93b355c99722b342f8abed0b47008c238a50aed484e22da60cec9762809e05ff745c31940a4ed9db5771a85c2001788f12c29b82c8ee95d7fbed59f7298c64ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
159KB

MD5
6ce727a18548bb29042f2d96ea511627

SHA1
94a6721e66063a92a73f012e7335763a4d2f3a75

SHA256
83167c9b64f94b29ffd3304ebf09fa1e35c03976ba7fa41abd6fe3079bac6a1d

SHA512
287b63f94376f8f00b61f1e8fac9dfc022b1d61eedaa0f8ea30236fa821b2ab5a9e385b8bac60fe4f5953896702c53b1c292ca6eea26e92b6fd163d213dbe21c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Windows\Temp\{15AA65A2-E83E-42BC-843D-0980D8F52631}\.cr\expressvpn_windows_12.38.0.60_release.exe
Filesize
10.3MB

MD5
07c7857ac0338fdc449755eddac67c94

SHA1
db057f68b70c981978855a2b02d8a8a397c79b0a

SHA256
efde80da6ad11fdcd949c24ea07338a4ed1bd1dac31bc9753ac776607e9cd23a

SHA512
842e01b17306e3f6250d685d27ac67855b5db2cb79f0efc1118f33aff5029fe761941b81bbebf5294794664ee7490eba562a71cf1ab558de708555cf85166e9d

Download Submit
C:\Windows\Temp\{15AA65A2-E83E-42BC-843D-0980D8F52631}\.cr\expressvpn_windows_12.38.0.60_release.exe
Filesize
10.3MB

MD5
07c7857ac0338fdc449755eddac67c94

SHA1
db057f68b70c981978855a2b02d8a8a397c79b0a

SHA256
efde80da6ad11fdcd949c24ea07338a4ed1bd1dac31bc9753ac776607e9cd23a

SHA512
842e01b17306e3f6250d685d27ac67855b5db2cb79f0efc1118f33aff5029fe761941b81bbebf5294794664ee7490eba562a71cf1ab558de708555cf85166e9d

Download Submit
C:\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\BootstrapperCore.config
Filesize
1KB

MD5
0c79473766c4a706b8acacbeff369bc6

SHA1
f5470d0ec6fd98403fa756d1760ddf0ecb3c5b81

SHA256
c044ee99956b0b7628f29d2c7f8d0aaaf18054156acf910915c86edbb09476aa

SHA512
991a357bcea62be7e926a9768e3cf3d399303b5cc7667bfe71c9487de289efbeaca91d98e18880125daac6b7f73b6d298bbbd2276452f155e82173ac5aac1c02

Download Submit
\??\pipe\crashpad_1568_JSABRFEKNUCPVUTP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\BootstrapperCore.dll
Filesize
87KB

MD5
b0d10a2a622a322788780e7a3cbb85f3

SHA1
04d90b16fa7b47a545c1133d5c0ca9e490f54633

SHA256
f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426

SHA512
62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

Download Submit
\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\BootstrapperCore.dll
Filesize
87KB

MD5
b0d10a2a622a322788780e7a3cbb85f3

SHA1
04d90b16fa7b47a545c1133d5c0ca9e490f54633

SHA256
f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426

SHA512
62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

Download Submit
\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\ExpressVPN.Common.Shared.dll
Filesize
60KB

MD5
8d3bd603070c5341750804592de30739

SHA1
19b27c7834ad7cbf1b9d6a396dfa0a5fa5588112

SHA256
74fd8ff3b37e161c04c4a17ada1138cc44f52b4af93f946237affb040b0c916b

SHA512
8c366f1a037e448edec3d324f559ccb56ac184c5f504764c8afec8cc56048d4532b8a0926e10316d6d41fc2b21a9bd673899ff459c665e6d3d8e371bce980c35

Download Submit
\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\ExpressVPN.Common.Shared.dll
Filesize
60KB

MD5
8d3bd603070c5341750804592de30739

SHA1
19b27c7834ad7cbf1b9d6a396dfa0a5fa5588112

SHA256
74fd8ff3b37e161c04c4a17ada1138cc44f52b4af93f946237affb040b0c916b

SHA512
8c366f1a037e448edec3d324f559ccb56ac184c5f504764c8afec8cc56048d4532b8a0926e10316d6d41fc2b21a9bd673899ff459c665e6d3d8e371bce980c35

Download Submit
\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\ExpressVPN.Utils.dll
Filesize
111KB

MD5
f162ee7a69d27493bd375907f666ca94

SHA1
b79c97c0cdb592f7ce01f3b4bddf5ab5db252547

SHA256
a8609434e1d3481f153b811e5f7c1a0a98b205a0a6d5a176b45b4b8b1ff1b95e

SHA512
cd32829c002d236014e45d14232f7104f4518291c39fa0dd55b5d29a1c5bf991b287b1ae3c6f16e5e8d31efba5f27e61d3c7241648936f1157d0564a1a47d32b

Download Submit
\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\ExpressVPN.Utils.dll
Filesize
111KB

MD5
f162ee7a69d27493bd375907f666ca94

SHA1
b79c97c0cdb592f7ce01f3b4bddf5ab5db252547

SHA256
a8609434e1d3481f153b811e5f7c1a0a98b205a0a6d5a176b45b4b8b1ff1b95e

SHA512
cd32829c002d236014e45d14232f7104f4518291c39fa0dd55b5d29a1c5bf991b287b1ae3c6f16e5e8d31efba5f27e61d3c7241648936f1157d0564a1a47d32b

Download Submit
\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\ExpressVpn.Client.Setup.Shared.dll
Filesize
18KB

MD5
46e1d39b4319db3517b9fa2d7d0b67c8

SHA1
33af5ab0df4b9d690fe283fb8a8bd63508f3ada3

SHA256
b509e2c677b73b4cad4f09d0c3f94724bf3fd952b3f4c24c30985636ff2ed30c

SHA512
dfedfc09ca7c1dbe611015c19464918d1b13b0f9828d504ac11598be442d61ce3ef8038f0d9c9ea0275fa5d95630e41ffe6a0bb1b0b67f955a46a858669a345e

Download Submit
\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\ExpressVpn.Client.Setup.Shared.dll
Filesize
18KB

MD5
46e1d39b4319db3517b9fa2d7d0b67c8

SHA1
33af5ab0df4b9d690fe283fb8a8bd63508f3ada3

SHA256
b509e2c677b73b4cad4f09d0c3f94724bf3fd952b3f4c24c30985636ff2ed30c

SHA512
dfedfc09ca7c1dbe611015c19464918d1b13b0f9828d504ac11598be442d61ce3ef8038f0d9c9ea0275fa5d95630e41ffe6a0bb1b0b67f955a46a858669a345e

Download Submit
\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\ExpressVpn.Common.Logging.dll
Filesize
79KB

MD5
988912a8a5ae0cafeb29f80b4e3af6d4

SHA1
1ca87bea628fff4c8995d92168e736ef7fffd1ae

SHA256
5c67aca3caf64cb4a2ca3111ce00da9aa1364583344896dfdcb6d85c5050f43e

SHA512
2d58cde0d8f2d2aca423a612c77f34a146f46c64f8e5c877e7395baf2669ae1537bcff6431c7c0c01bb0889ced875604f9c4743b0974c2f89e300aaa13b01d3f

Download Submit
\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\ExpressVpn.Common.Logging.dll
Filesize
79KB

MD5
988912a8a5ae0cafeb29f80b4e3af6d4

SHA1
1ca87bea628fff4c8995d92168e736ef7fffd1ae

SHA256
5c67aca3caf64cb4a2ca3111ce00da9aa1364583344896dfdcb6d85c5050f43e

SHA512
2d58cde0d8f2d2aca423a612c77f34a146f46c64f8e5c877e7395baf2669ae1537bcff6431c7c0c01bb0889ced875604f9c4743b0974c2f89e300aaa13b01d3f

Download Submit
\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\Microsoft.Bcl.AsyncInterfaces.dll
Filesize
21KB

MD5
48efe61d6ca3054309907b532d576d2a

SHA1
f36403aabb16540c93fb35245ec0b4e435628aae

SHA256
295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78

SHA512
778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3

Download Submit
\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\Microsoft.Bcl.AsyncInterfaces.dll
Filesize
21KB

MD5
48efe61d6ca3054309907b532d576d2a

SHA1
f36403aabb16540c93fb35245ec0b4e435628aae

SHA256
295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78

SHA512
778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3

Download Submit
\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\Microsoft.Extensions.DependencyInjection.Abstractions.dll
Filesize
46KB

MD5
405bf969e7e50ef47422e54fa33605c8

SHA1
4f3c5c8803212719ee74c60813b9ae08604684b3

SHA256
95a7c66abd60ba45a2020ac3d42702fd9823f7b6db2ceec6a37c9e9b0602fed1

SHA512
d04978227453e3341fbdc6a8730da193f1c5e19a2635e02cb5d6eb6fef7c3ea53cf7df5df16230c12693cdaaccc90add812c5ad0a6ed0749e8de75c03602502a

Download Submit
\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\Microsoft.Extensions.DependencyInjection.Abstractions.dll
Filesize
46KB

MD5
405bf969e7e50ef47422e54fa33605c8

SHA1
4f3c5c8803212719ee74c60813b9ae08604684b3

SHA256
95a7c66abd60ba45a2020ac3d42702fd9823f7b6db2ceec6a37c9e9b0602fed1

SHA512
d04978227453e3341fbdc6a8730da193f1c5e19a2635e02cb5d6eb6fef7c3ea53cf7df5df16230c12693cdaaccc90add812c5ad0a6ed0749e8de75c03602502a

Download Submit
\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\Microsoft.Extensions.DependencyInjection.dll
Filesize
82KB

MD5
f2a9c263e730b94057d26d8e6562e342

SHA1
e36e4c8100585db5c7dbd07ff66f4adad8ccd37f

SHA256
d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c

SHA512
976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9

Download Submit
\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\Microsoft.Extensions.DependencyInjection.dll
Filesize
82KB

MD5
f2a9c263e730b94057d26d8e6562e342

SHA1
e36e4c8100585db5c7dbd07ff66f4adad8ccd37f

SHA256
d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c

SHA512
976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9

Download Submit
\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\Microsoft.Extensions.Logging.Abstractions.dll
Filesize
51KB

MD5
1237591a98cea80b03eaa68dbbcb2176

SHA1
5761dfe8070d1e273c20bf6ce50eb46a8780e065

SHA256
ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1

SHA512
1446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07

Download Submit
\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\Microsoft.Extensions.Logging.Abstractions.dll
Filesize
51KB

MD5
1237591a98cea80b03eaa68dbbcb2176

SHA1
5761dfe8070d1e273c20bf6ce50eb46a8780e065

SHA256
ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1

SHA512
1446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07

Download Submit
\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\System.Threading.Tasks.Extensions.dll
Filesize
25KB

MD5
e1e9d7d46e5cd9525c5927dc98d9ecc7

SHA1
2242627282f9e07e37b274ea36fac2d3cd9c9110

SHA256
4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6

SHA512
da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

Download Submit
\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\System.Threading.Tasks.Extensions.dll
Filesize
25KB

MD5
e1e9d7d46e5cd9525c5927dc98d9ecc7

SHA1
2242627282f9e07e37b274ea36fac2d3cd9c9110

SHA256
4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6

SHA512
da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

Download Submit
\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\WixSharp Setup.exe
Filesize
1.5MB

MD5
a1124e760bc0cbf9e261cdfe7a418832

SHA1
0795b0adf6cf467fb7942b1f7405bd0ed754a9d6

SHA256
0502f8da948a642e4db4cea611ce28dd3da8c2928d3626ce530cfafbb4d11f7a

SHA512
5ff54162d73559133b64bf35bf07da1d3ee064ce32c071caf137f9eea41d0fb30879e7835b6cf537639cd2442c9117a9cf68d4a5e89b8af5d1319b82f9f4afcb

Download Submit
\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\WixSharp Setup.exe
Filesize
1.5MB

MD5
a1124e760bc0cbf9e261cdfe7a418832

SHA1
0795b0adf6cf467fb7942b1f7405bd0ed754a9d6

SHA256
0502f8da948a642e4db4cea611ce28dd3da8c2928d3626ce530cfafbb4d11f7a

SHA512
5ff54162d73559133b64bf35bf07da1d3ee064ce32c071caf137f9eea41d0fb30879e7835b6cf537639cd2442c9117a9cf68d4a5e89b8af5d1319b82f9f4afcb

Download Submit
\Windows\Temp\{27D86719-97BB-4728-ACFD-E9DE670606CA}\.ba\mbahost.dll
Filesize
119KB

MD5
c59832217903ce88793a6c40888e3cae

SHA1
6d9facabf41dcf53281897764d467696780623b8

SHA256
9dfa1bc5d2ab4c652304976978749141b8c312784b05cb577f338a0aa91330db

SHA512
1b1f4cb2e3fa57cb481e28a967b19a6fefa74f3c77a3f3214a6b09e11ceb20ae428d036929f000710b4eb24a2c57d5d7dfe39661d5a1f48ee69a02d83381d1a9

Download Submit
memory/2416-243-0x0000000003AA0000-0x0000000003AB0000-memory.dmp

Filesize
64KB

Download
memory/2416-286-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/2416-287-0x0000000006BC0000-0x0000000006BC8000-memory.dmp

Filesize
32KB

Download
memory/2416-290-0x0000000009050000-0x0000000009088000-memory.dmp

Filesize
224KB

Download
memory/2416-285-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/2416-307-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/2416-280-0x000000007F490000-0x000000007F4A0000-memory.dmp

Filesize
64KB

Download
memory/2416-272-0x00000000064C0000-0x00000000064D0000-memory.dmp

Filesize
64KB

Download
memory/2416-318-0x000000007F490000-0x000000007F4A0000-memory.dmp

Filesize
64KB

Download
memory/2416-320-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/2416-321-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/2416-268-0x0000000006450000-0x000000000645A000-memory.dmp

Filesize
40KB

Download
memory/2416-264-0x00000000062B0000-0x00000000062BA000-memory.dmp

Filesize
40KB

Download
memory/2416-260-0x0000000006490000-0x00000000064A8000-memory.dmp

Filesize
96KB

Download
memory/2416-256-0x0000000006470000-0x0000000006490000-memory.dmp

Filesize
128KB

Download
memory/2416-251-0x0000000006270000-0x0000000006284000-memory.dmp

Filesize
80KB

Download
memory/2416-252-0x0000000006290000-0x00000000062AA000-memory.dmp

Filesize
104KB

Download
memory/2416-247-0x0000000003BA0000-0x0000000003BB8000-memory.dmp

Filesize
96KB

Download
memory/2416-239-0x00000000034D0000-0x00000000034D8000-memory.dmp

Filesize
32KB

Download
memory/2416-235-0x00000000062C0000-0x0000000006446000-memory.dmp

Filesize
1.5MB

Download
memory/2416-228-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/2416-225-0x0000000003430000-0x0000000003448000-memory.dmp

Filesize
96KB

Download