hxxps://google[.]com

Analysis

max time kernel
117s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2023, 08:20

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://google.com

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	LogonUI.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_9A3B75337E594FDAB7B50EC2D0C3D19A.dat	utilman.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_9A3B75337E594FDAB7B50EC2D0C3D19A.dat	utilman.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1945310375\3976769073.pri	LogonUI.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech\CurrentUserLexicon\ = "Current User Lexicon"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{abfed10d-2123-4c24-a1dc-3145638f0e2b}\DeviceName = "Speakers (High Definition Audio Device)"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech\Voices	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Japanese\Attributes\Language = "411"	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\French\Attributes	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\UXLanguages\Tokens\en-US\Recognizer = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\ = "Microsoft Speech Recognition Engine - en-US Embedded DNN v11.1"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_MarkM\Attributes\SharedPronunciation	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech\AudioOutput\TokenEnums	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\English\PhoneMap = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 aa 000a ae 000b ah 000c ao 000d aw 000e ax 000f ay 0010 b 0011 ch 0012 d 0013 dh 0014 eh 0015 er 0016 ey 0017 f 0018 g 0019 h 001a ih 001b iy 001c jh 001d k 001e l 001f m 0020 n 0021 ng 0022 ow 0023 oy 0024 p 0025 r 0026 s 0027 sh 0028 t 0029 th 002a uh 002b uw 002c v 002d w 002e y 002f z 0030 zh 0031"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Attributes\UPSPhoneSet	utilman.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Attributes\Revision = "1"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Lookup	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_DavidM\Attributes\DataVersion = "11.0.2016.0129"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Autodetection = "0"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\LocaleHandler	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\en-US-HW\ = "Microsoft Speech HW Voice Activation - English (United States)"	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\German\Attributes	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\SpeechUXPlugins\Tokens\SpeechUXPlugin\Attributes	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\UXLanguages\Tokens	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Models\1033\L1033\AMs	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowShiftLock = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\AudioInput\DefaultDefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\AudioInput\\TokenEnums\\MMAudioIn\\"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\AudioOutput\TokenEnums\MMAudioOut	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Japanese\Attributes\NoDelimiter	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Attributes\Vendor = "Microsoft"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\English\Attributes\Language = "409"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Spanish\ = "Spanish Phone Converter"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_DavidM\CLSID = "{179F3D56-1B0B-42B2-A962-59B7EF59FE1B}"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\PhoneConverters\\Tokens\\English"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_MarkM\Attributes	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\en-US-SW\DataFile = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files\Datafile = "%1a%\\Microsoft\\Speech\\Files\\UserLexicons\\SP_9A3B75337E594FDAB7B50EC2D0C3D19A.dat"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Japanese\CLSID = "{C6FABB24-E332-46FB-BC91-FF331B2D51F0}"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Universal\Attributes	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\UXLanguages\Tokens\en-US	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_ZiraM\ = "Microsoft Zira - English (United States)"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Spanish\Attributes\Language = "40A;C0A"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Attributes\Distance = "Near"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\en-US-SW\SidUbmFile = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\sidubm.table"	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech\CurrentUserLexicon\Generation = "0"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\French\CLSID = "{C6FABB24-E332-46FB-BC91-FF331B2D51F0}"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Spanish\CLSID = "{C6FABB24-E332-46FB-BC91-FF331B2D51F0}"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\TraditionalChinese	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\en-US-HW	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\German	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Attributes\DictationInCFG = "Anywhere;Trailing"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Lts\Datafile = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\r1033sr.lxa"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\TraditionalChinese\Attributes\NumericPhones	utilman.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-618519468-4027732583-1827558364-1000\{D376ACFD-F994-41A6-B8F5-6216D9C52B51}	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2884	chrome.exe
2884	chrome.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2316	LogonUI.exe
1748	utilman.exe
2316	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 3616	2884	chrome.exe	31
PID 2884 wrote to memory of 3616	2884	chrome.exe	31
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4776	2884	chrome.exe	84
PID 2884 wrote to memory of 4176	2884	chrome.exe	86
PID 2884 wrote to memory of 4176	2884	chrome.exe	86
PID 2884 wrote to memory of 4168	2884	chrome.exe	85
PID 2884 wrote to memory of 4168	2884	chrome.exe	85
PID 2884 wrote to memory of 4168	2884	chrome.exe	85
PID 2884 wrote to memory of 4168	2884	chrome.exe	85
PID 2884 wrote to memory of 4168	2884	chrome.exe	85
PID 2884 wrote to memory of 4168	2884	chrome.exe	85
PID 2884 wrote to memory of 4168	2884	chrome.exe	85
PID 2884 wrote to memory of 4168	2884	chrome.exe	85
PID 2884 wrote to memory of 4168	2884	chrome.exe	85
PID 2884 wrote to memory of 4168	2884	chrome.exe	85
PID 2884 wrote to memory of 4168	2884	chrome.exe	85
PID 2884 wrote to memory of 4168	2884	chrome.exe	85
PID 2884 wrote to memory of 4168	2884	chrome.exe	85
PID 2884 wrote to memory of 4168	2884	chrome.exe	85
PID 2884 wrote to memory of 4168	2884	chrome.exe	85
PID 2884 wrote to memory of 4168	2884	chrome.exe	85
PID 2884 wrote to memory of 4168	2884	chrome.exe	85
PID 2884 wrote to memory of 4168	2884	chrome.exe	85
PID 2884 wrote to memory of 4168	2884	chrome.exe	85
PID 2884 wrote to memory of 4168	2884	chrome.exe	85
PID 2884 wrote to memory of 4168	2884	chrome.exe	85
PID 2884 wrote to memory of 4168	2884	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://google.com
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb2aaf9758,0x7ffb2aaf9768,0x7ffb2aaf9778
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1856,i,4879532963264825889,12950627452534645599,131072 /prefetch:2
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1856,i,4879532963264825889,12950627452534645599,131072 /prefetch:8
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1856,i,4879532963264825889,12950627452534645599,131072 /prefetch:8
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3020 --field-trial-handle=1856,i,4879532963264825889,12950627452534645599,131072 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1856,i,4879532963264825889,12950627452534645599,131072 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4604 --field-trial-handle=1856,i,4879532963264825889,12950627452534645599,131072 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1856,i,4879532963264825889,12950627452534645599,131072 /prefetch:8
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1856,i,4879532963264825889,12950627452534645599,131072 /prefetch:8
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5116 --field-trial-handle=1856,i,4879532963264825889,12950627452534645599,131072 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5260 --field-trial-handle=1856,i,4879532963264825889,12950627452534645599,131072 /prefetch:1
  2⤵
  PID:708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4628 --field-trial-handle=1856,i,4879532963264825889,12950627452534645599,131072 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5680 --field-trial-handle=1856,i,4879532963264825889,12950627452534645599,131072 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 --field-trial-handle=1856,i,4879532963264825889,12950627452534645599,131072 /prefetch:8
  2⤵
  PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=6104 --field-trial-handle=1856,i,4879532963264825889,12950627452534645599,131072 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6072 --field-trial-handle=1856,i,4879532963264825889,12950627452534645599,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5048 --field-trial-handle=1856,i,4879532963264825889,12950627452534645599,131072 /prefetch:8
  2⤵
  PID:3780

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5040

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa399c055 /state1:0x41c64e6d
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2316

C:\Windows\system32\utilman.exe
utilman.exe /debug
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1748

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500 0x508
1⤵
PID:3424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-618519468-4027732583-1827558364-1000\ReadOnly\LockScreen_O\LockScreen___1280_0720_notdimmed.jpg

Filesize
235KB

MD5
cff5d3d5762717318176b3a19a2e2631

SHA1
c4733492deb307340a6f63bb7dccafea84e4b7de

SHA256
0b337352c2efe31146d4f6b1ad756f3c79b1eec68a4f30675e2867becb758305

SHA512
848b47e84c4f05c6269f373daa5967c71125f2ce23bcb03eb5ff8d43ced5154b3a0464ca73e9ae156cc467d8c01254d5923e6653d31ed1002934e765982bb932

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
c7230597ca16dd4709272c49a1d63158

SHA1
a3c5030684b7c39e894b50ebd778b5d3e69ba59b

SHA256
59ccf839e88266762a452679d678f50b1e35f81300001f681929ec54d0f8f01e

SHA512
de0c36f5edea397605fcd6dc24c8caefd3b7335ecef417b9ac5db100311218d3b896611a5ed2e68332d612cb3df8f8b443ee0eff7e0d540a052b6427dd44ff6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028

Filesize
646KB

MD5
ad39a087b89fe2dc3ccfe320fe854d51

SHA1
503c23dbf8419f8141ac129d3d166ef1859afb34

SHA256
ca565b8ec0be7df4bfaf370c1bd98e20b95f9e0656386250a260f86247c0b2e7

SHA512
a91da7032e5b122acae618cbbc18ed890b5ef93395f7f4b6ceb4c46c48e33c606df47bada97af2fcc47ea6e8a2c21e8d55b81ccb434f4a63d07f06bf05e3c2e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
aa5adb8b0a35b4c33d0cd95c3e57edc7

SHA1
ec259e3290c345b0f0365bd94f61c137f768e51a

SHA256
02b642c9896dd138a77a7e9d0a4ec2b23bc78ed397e8317c3bb586eb118cbbc5

SHA512
b79a6462880942684f6c71b02ddd626b93af9c0399842963d75ae93023128a47db564dc2af03693ed17e2664c1429bf7007cea29917e509ef2dcba1292957bdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
cad0c70920b6f69c5e75be2772c8430b

SHA1
cd59d41a14e5db641e93c6961b425791e499b767

SHA256
494c132e59ba9297869f2b6fdd134411d8709fd9e9e97bd999d1539bf643395d

SHA512
ba172aa18400b0c4b089cdf1ba94e499ecae992bf5c791f98b351de832786c9cbd4585535e52de94bddfe82881fc1f39b3c50409fb414cd383380c1112f472c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
ceb9ab6dedf270808a499dc78a423842

SHA1
d5c02589c8e051f47d51e8fa495d4c4dcba09853

SHA256
a499cae06e0112d194f6ff450f7e376dc61a1f812e86f73fde102e3ea3bf3364

SHA512
69873ba083861fcc99e34c598818a0cf624445328f22fc381321de5570981f0df4c942d951cbf75f5648736aee05e9f89392d3271e45669bd3aac0f1943b90ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
6fd2cd675596a59f5c815ea24ca0fbe2

SHA1
65a6ad6bb8b684ea7c00b5cd22b30419b35f2803

SHA256
1c5f02c0d99b3b9ef6138e356adc597fcd356e5849b68a051e0f8af78e64987d

SHA512
9bcc7bd1f39dda0db2c168e83b5a9e758629a732ba1600f6f5132adc037aa818c2371082018de763ccb8110a8e694afc48690deabdb14422778253d9c7fbff81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
036a56cfe2db4f9698556e56dbec4f27

SHA1
c8f42d332c695153f069225f5569fe2d028e9fad

SHA256
6fd04a019d90814829bd4b5a51e6566c0d011ae2cba9ffe42607713e97490d2a

SHA512
6745fd3023e1c429183dc5e9db39d42fd75e84409fb6a5a744ea90966dad8d075454bab504d6d3196aa62c22a681e23ec79f8df75a29aa4aff92db5be8e0fb3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
1d738600445c7f4e0bd904693021c8f5

SHA1
596c74f87bc42c055a6322a45212228b68b51781

SHA256
76246f276873e50c4a8ec719d260a989906bd1cf02c7c1ef720fa5bf167fa595

SHA512
62a7aad0267630436defbfb38bb1b98664b27502d2e4b0ec5384139bdeeaee2b6d48fbd6bb3c9427248b86de5fe4d80b361e829cc1dad686cf8c097ea67adf28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
7e4ec5f062a605ee9dc0404d1aae3014

SHA1
e8dd0ffa8c8ed501798b30da8120afdeb82a05d9

SHA256
996c868b6340cc93e0b508d89691a92f09d1a30e72df1b7ada4daa428d06ea3b

SHA512
d3b47bdbb49c55f80da392dd990225fd55c9d40ac5cbe62bc77259f1903ea89cc1278b19aa1f62c12773a4fff4a428d52f71e5ef28f6b6cc0035af9cc2122c47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
49bbf91df61416212ac9463250b6a399

SHA1
cc41e741b1083f247bac93e0312fd4336033a455

SHA256
22071898b0c9980688d686a41ad96e8a152dbcec9e5bf0398a064677337576d2

SHA512
2c82c10c3913be78aee2b21a26b9161f358b56027970378f89cf1b7d82f745fdd127e042974c9fefe0f636991344c6c84d89873ce4767fe9d057b334e0c347e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3493b1a6e382f2518de72c16660d8509

SHA1
0fac116297b2cc447039018c6a88e2ca82bdcf5e

SHA256
0e7827fdb8253bf02736534264395bb517681e254c29e2e297f83788016c61c7

SHA512
e6e23026c7a45c8e334b77f6a078da4336a5e7b33a3df8476f77121a547cd368f43ed34a21feb1dd0f505effe56d621b6b67688179a5660c0f9d226a4435784a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9dd473ef6daae646a2b4c6f135238d0e

SHA1
96f3a279f26a02d21d94bd6c14f91673a8768484

SHA256
62cd2fccbee57a5e246d017343f191eba0f2ed306f07c0584d3509d834dcc76e

SHA512
a0b1893e3da4b995b395f30d611d6dbed2466fca52611051b5e0d3acad2d3641c2138c774e8d704b33759949ac5049c99bd4109e8dbb7e6c2dc62a873c2a409d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5cdb0f4af4a60ebb80d3191082613b5b

SHA1
fde8c709bb0b88f9947f7499d584aaef86ba1247

SHA256
f330b6b17d6800372bac583a64b51db4de36111454f7cf03d45ca82760b2055a

SHA512
4a1ceb708ac364bd0fa2d55248e1d4a9a265270a42cb96f382961f2447552b547465ef0a4585065e10ec8bb585ca628efeb656a31db3999baa3114f5b104130f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
4b9a6b20a1c1efa08d66f7ee5722e412

SHA1
2174a4450801d5aa77747b9eec09ad686f9508bf

SHA256
440e5fe7ecd155387779b6f28463bafa67a0e9ea0822f1cc650ad2605f3795f5

SHA512
f270a17dd2cdfea7cb0b98e673aa666cddbc02a20cbfd1c5b3a3bec1c86856763c77d06af4d45f5bc5c29660311f9956e0e4db4252c61c22ebbd1693d2d54c99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
a6800fc994740a686f1faeb7c6f40eb7

SHA1
a9a9ef8195ef6bd14e443d35eed079b594383b28

SHA256
c343926b88d2aa1ff1a6d93a445c61bcbeeff6304ed4d9c0d5d0f0b9198be161

SHA512
71a1bd5bb4b2cd8aed08c817b3f18d5bc40e6abebfd3cc2cf4c7d5ce5a492f95259ed7d2f638931ae9e5a036b26be1f64489420fd6e2716a96790b00c2646004

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
0e783496948bf4c5334dce1335cf93cf

SHA1
a0891f13c5411d8c3dd0ed993922f4d4274b4568

SHA256
13b607d2f26de49aac5820cf005d4d81da5d1102983be2c2535c495933c53ee0

SHA512
afdf87a53dd0d54360efe27178055f56b224b6ab06e7ede43534dd6c9484d574e043c9c92afc075285863ccc7b0109a27cc72e4429803bd49b2908bea4a7a69d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
6cd876af54e092d0da1a867ed3a38dcd

SHA1
135d50dc4eaedd12b236b20820b84d5fdbc35d8c

SHA256
1b450822da6c3665259b6df30523398007ec50597bfc27b1fd21bd962b48d6cd

SHA512
36ea56fd9843684cc07fcd4755f26aa557ec8bfd8d978ff19df09de76397fd8ebf659d78561834b251e2b313a17f2d87d03b691baf7f65c8977265e783ecd778

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit