amadey | hxxps://bit[.]ly/3ERsq8X

Analysis

max time kernel
170s
max time network
409s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2023 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bit.ly/3ERsq8X

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.80

http://45.15.156.208

http://second.amadgood.com

Attributes

install_dir
eb0f58bce7
install_file
oneetx.exe
strings_key
2b74c848ebcfe9bcac3cd4aec559934c
url_paths
/jd9dd3Vw/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Bandicam.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	Bandicam.exe

Executes dropped EXE 3 IoCs

Processes:

Bandicam.exeBandicam.exeBandicam.exe

pid process

2752 Bandicam.exe
6012 Bandicam.exe
6076 Bandicam.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2752	Bandicam.exe
6012	Bandicam.exe
6076	Bandicam.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133454027997034327"	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

chrome.exemsedge.exemsedge.exeidentity_helper.exetaskmgr.exechrome.exe

pid	process
2116	chrome.exe
2116	chrome.exe
4224	msedge.exe
4224	msedge.exe
2072	msedge.exe
2072	msedge.exe
1916	identity_helper.exe
1916	identity_helper.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
2880	chrome.exe
2880	chrome.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

chrome.exemsedge.exe

pid	process
2116	chrome.exe
2116	chrome.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zG.exe

description	pid	process
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeRestorePrivilege	2768	7zG.exe
Token: 35	2768	7zG.exe
Token: SeSecurityPrivilege	2768	7zG.exe
Token: SeSecurityPrivilege	2768	7zG.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe7zG.exemsedge.exeBandicam.exetaskmgr.exe

pid	process
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2768	7zG.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2752	Bandicam.exe
5516	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exemsedge.exetaskmgr.exe

pid	process
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe
5516	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

4484 OpenWith.exe

pid	process
4484	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2116 wrote to memory of 1464	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 1464	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 2248	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 3692	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 3692	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 404	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 404	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 404	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 404	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 404	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 404	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 404	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 404	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 404	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 404	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 404	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 404	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 404	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 404	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 404	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 404	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 404	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 404	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 404	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 404	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 404	2116	chrome.exe	chrome.exe
PID 2116 wrote to memory of 404	2116	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://bit.ly/3ERsq8X
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd15969758,0x7ffd15969768,0x7ffd15969778
2⤵
PID:1464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1836,i,2932375600112174096,5831934060956570690,131072 /prefetch:2
2⤵
PID:2248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1836,i,2932375600112174096,5831934060956570690,131072 /prefetch:8
2⤵
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1836,i,2932375600112174096,5831934060956570690,131072 /prefetch:8
2⤵
PID:3692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1836,i,2932375600112174096,5831934060956570690,131072 /prefetch:1
2⤵
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1836,i,2932375600112174096,5831934060956570690,131072 /prefetch:1
2⤵
PID:112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 --field-trial-handle=1836,i,2932375600112174096,5831934060956570690,131072 /prefetch:8
2⤵
PID:3020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1836,i,2932375600112174096,5831934060956570690,131072 /prefetch:8
2⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1836,i,2932375600112174096,5831934060956570690,131072 /prefetch:8
2⤵
PID:3928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2796 --field-trial-handle=1836,i,2932375600112174096,5831934060956570690,131072 /prefetch:1
2⤵
PID:6020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5532 --field-trial-handle=1836,i,2932375600112174096,5831934060956570690,131072 /prefetch:1
2⤵
PID:5172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5708 --field-trial-handle=1836,i,2932375600112174096,5831934060956570690,131072 /prefetch:8
2⤵
PID:5224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5892 --field-trial-handle=1836,i,2932375600112174096,5831934060956570690,131072 /prefetch:8
2⤵
PID:5248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=6020 --field-trial-handle=1836,i,2932375600112174096,5831934060956570690,131072 /prefetch:1
2⤵
PID:4764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4544 --field-trial-handle=1836,i,2932375600112174096,5831934060956570690,131072 /prefetch:1
2⤵
PID:3836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5884 --field-trial-handle=1836,i,2932375600112174096,5831934060956570690,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3208 --field-trial-handle=1836,i,2932375600112174096,5831934060956570690,131072 /prefetch:8
2⤵
PID:1492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4488 --field-trial-handle=1836,i,2932375600112174096,5831934060956570690,131072 /prefetch:8
2⤵
PID:2932

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4168

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4484

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2600

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap7774:98:7zEvent14554
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Downloads\RequestDisconnect.htm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd040b46f8,0x7ffd040b4708,0x7ffd040b4718
2⤵
PID:2472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,10170708522834309085,4727958219871200103,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,10170708522834309085,4727958219871200103,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
2⤵
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,10170708522834309085,4727958219871200103,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
2⤵
PID:4180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10170708522834309085,4727958219871200103,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
2⤵
PID:3928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10170708522834309085,4727958219871200103,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
2⤵
PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,10170708522834309085,4727958219871200103,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
2⤵
PID:3536

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,10170708522834309085,4727958219871200103,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10170708522834309085,4727958219871200103,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
2⤵
PID:3176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10170708522834309085,4727958219871200103,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
2⤵
PID:1748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10170708522834309085,4727958219871200103,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
2⤵
PID:5276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10170708522834309085,4727958219871200103,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
2⤵
PID:5348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,10170708522834309085,4727958219871200103,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4696 /prefetch:2
2⤵
PID:4336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3536

C:\Users\Admin\Downloads\Bandicam.exe
"C:\Users\Admin\Downloads\Bandicam.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2752

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"
2⤵
PID:5736

C:\Users\Admin\Downloads\Bandicam.exe
"C:\Users\Admin\Downloads\Bandicam.exe"
1⤵
- Executes dropped EXE
PID:6012

C:\Users\Admin\Downloads\Bandicam.exe
"C:\Users\Admin\Downloads\Bandicam.exe"
1⤵
- Executes dropped EXE
PID:6076

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5516

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\4334992c206e4605ad9139c583e79bc3 /t 2296 /p 5516
1⤵
PID:5784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
186KB

MD5
9f61d7b1098e9a21920cf7abd68ca471

SHA1
c2a75ba9d5e426f34290ebda3e7b3874a4c26a50

SHA256
2c209fbd64803b50d0275cfd977c57965ee91410ecf0cafa70d9f249d6357c71

SHA512
3d4f945783809a88e717f583f8805da1786770d024897c8a21d758325bcd4743ff48e32a275fe2f04236248393e580d40ae5caf5d3258054ea94d20b65b2c029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
c72b1788a960ab70959d037e25c06131

SHA1
89a8e9e2f88e2e1131fbf1c9bfac8e652275c726

SHA256
8ddeeccca979f04e49784a8f936bf61592857fd11f541fb14efa66659b66c837

SHA512
230a653a90b4df450f42a7a4cd66928b6bf87ee28d4d54780b5b2677b0289010e7034280eacf521ceaebb9cb2f1514bfccea0a31ea360da01d1e66197bedc076

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
883B

MD5
ea861aa31a755bcdd2fa7af956f6db60

SHA1
ac90cd40c22a7238bfc7a491cebf7b257eaa2145

SHA256
5c61e640d83dd043fe06e0cf9792a6c3b139c18d52005e8eb3bc8a01b53f2899

SHA512
e138d0f603415e57caa2ea8cbbe294170865f4a252ad77fec132e79a6bd1c37d98469c547134bc019030400786c67bc7d72aac681277616923a12213fe8587cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
392232256ceea90be128600c63cefe16

SHA1
ea15d50f40be2b86638632b070f5ce05febe8e41

SHA256
e68ebad287fcc409055d7497974e21430f8d1eb23f4bad9dacbb4165a06f36cf

SHA512
e382bb023ea95907fc9777fa0891ee342d2b89fa2f8aa326fbbdbe273f29fb5e6d0a0f74ec038afcb44070863513184df6d7c6e36d42ef2bc21f3ca5eac0be40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
536B

MD5
ff6a5ce84ba13a9bd2a72fbb3a50f011

SHA1
182a4ef2d26bd336ede0efcd2d24b97d1cd8b261

SHA256
54db0149da7c2597ddc470bc7ccda28ca5f938f3e076189e8bf15d027f8d3ee1

SHA512
1e54d1b7ecd316ed2369a345d1ea79ecfa0cdccde23bf3ae039d61932ae3e9421574bdf75f9422eccf0bdfecafb78b4cc26aa8854bcae97a39dbe5c0fb575b59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
779503a6e418960cc51eaa4ec8a74a1d

SHA1
f62f43e96fd9632ffc47b81ae011f2cfcb68112a

SHA256
9d2255c388346029ef7c220cb8b2d7af6e11c024e8d51986dd92c0ad4240c268

SHA512
18f608528a12e3eb5fe47541b9d6c19a574553e8f71a7d77a97002b2df045181d0969e4211a63098ca4c76fda022de159b95f3436cb7c409a14e7838e91dddad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
df0cdbac6a4c58da0d505ded43ee9df1

SHA1
ae6c1bb53960ba3a093f2d781e9a9a33da2f5ae5

SHA256
0676bd1911118343f9cc08b8f6c3091512f8df63600d598669cc59064c75102a

SHA512
3056a47aff003a1cf60eb624ab917e72a2ccaa9600fdcf72a31a21b25fcba5bfddd84a66863d92a1d2a48aca31f69d04415be81a1013dda7e0f1bfe17d67f8ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
921fbd0c91ea0df10efe93c7d623871d

SHA1
2dc5380a02d857009b70a97a0e66afab8f739b57

SHA256
7c2d3fb33622685dbf078e6ab9e700123fcf7e06f6647dbddbbf4eb7413ea227

SHA512
ca36884552e15e673f2a496ace475d840fc43501340f973ffc24bd40c8474ac44b44d5d2b81ea3d3f117e69877dd37d0f57315fbc68aad2c36e0aba79de3f8de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2f0508143ff4ef33aa8d0599b34ae65b

SHA1
e19faf1ab7fb0a60e6f34944206de4dd5ce02e61

SHA256
cec2c56678ae082271049f26f03414d6bf24e927fcdea6b7a5d8dc7320683b6a

SHA512
6fdee76f23f24401b20c1197a028ef692854210edded3f7f64c5bcb127e2ff20b31c54165949b66e538b88d58a7890a486cb71eeb31c1859c7ea93eeb542ed41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4c8f54181a18c9511759ece82f264249

SHA1
37f9a45a4cce9a36dd4bbb77037ac504a42bbbe7

SHA256
3356cc84463c18a51b98adfcdf32bca84084dce53dde29cbc9d9f265d4d8d88c

SHA512
41ca7f8fa569abacf000e3811fd3a30ed9159c87e2c976d12cb155f7c8866be5941a8e93784c6582e2ec382e1cc9c66c2fb257e23c002ba3d39545106364ce26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7cd4fb3a4085c5891d42e9955b527f50

SHA1
0b651d272f2e8758dd74f3e833f8e1bce7de5a77

SHA256
2da6ffc2e925253863626424b7734c7519b7a601d53a3cd0a83ecaa63b570f6f

SHA512
9154fcedb8192fa5ab4e06e4de991496afd3f8c1bb19d3e59c77893d99fbc098a194b0ea309e5b57e1746f925443710bb49d66d19dd540d6385d5a09bbb741db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b80d9d44876d494902ac26c9629d6da8

SHA1
57c080490f1f49a5ab9e8715eaa2f1dec14680d1

SHA256
b4a097f3d54714c436844e3ed4fee330cfabffb381c4766528e9787aefe6dfef

SHA512
e82f4377e6c962181b77401dd1a423c58791749324ffaa5d12fa72031dcafc5955dc89cccfa6e3117eb738a2cdaef6b9d568ce922e287a56fc852adc3f3623f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b13786c065d96aac03795b50cc8399fd

SHA1
1d340ff4b9b771b2274ddf7c6dcdffbda3845f03

SHA256
3fe64e8ae668b84f5251a3d0120d89b17d48ba4a27d5b80339cf1df6be0032fc

SHA512
47bd80083537cd7fcb6b9af4c2746ccfb6ba99ceb1424a944748467789b01131dca59f318a1feb056409ff647baac7e6a62757537c2562d9dcdd95f59985219a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
4b236be22c1280ff2d031c3ac7b6ad33

SHA1
8aca577d3c15743ab5db6d775e78eb32e345a104

SHA256
892bddb7338c5907a49b08c1ab9e83e7b2c408af81c3c94f4a4b25b4ed26b27d

SHA512
5e93b44995dedddd5490ce7467f78d30b074b6e5ea40c0dadb725eef9c259a4062953355c74aec68143372663d76e051222b8c52cdeb32bd21e44d027c429038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a50e0.TMP

Filesize
48B

MD5
f6776152745d3b5c13b1cc4a31bd0f38

SHA1
67de5170ef4a2e3e04d9eff3e79e776fa2cf11fc

SHA256
ccdbaab167ae015de5140b8639e88459807660d65e5629488e26480c80dbfae5

SHA512
c11464be444521be340d0f7a67fae82874d869df16dd0b75fcee6fa442042932ca35008051fb8fdf0aa220212ad5df4a3870d0ba40478052f54133b4246f29c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
c1664f04b4d9b2e98ece84cf7b00cfea

SHA1
8ce21dfba96008fcd099f7a9aea2a0e581a8ef1d

SHA256
57637365324566e11c0323b67163b510937b65c26867596da9f0c04d27b1cf0b

SHA512
7805538bfd1aab84f5f6c60d4f289c4c3918e942f8299e65bd47e8b31595fa3b6918eb80146958bc56318c432f873bdcae21a2b9dda257cc9d85f0923871a705

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
01576493b58a61e9d92e7014218c75d9

SHA1
01cbd06c50a4ca7997e007916fe5a5eb1b7f4cab

SHA256
5c06a713d44b09054e41a140c4709b95c4779006a63af5efcda2582dece9184b

SHA512
ba531370d3c7d6a68cac8208230cfcb78d6624dd5070f3c2655572ec7b95231a652c746f839e58043f72c5e72ecd0c79477216563d6a36210bb00940bb70778d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e6d923810276f7afe15d6205582b8ff3

SHA1
cd1cde40c240d62ef4bf9363bd05d7815372265d

SHA256
b19e11062e97a7ebb0add730529e2101fddcd6128860ef088a4d9e72fa84e0db

SHA512
1b88cc00706543ac0b7001b87a8bdc85e49634c187977ea560a788a2ea1982d024b9ef32db340e32098b7af6111fe4a925e29ab8399beadf2d6e0943785bbd3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e3a81f908f10084c637e42493fb6415f

SHA1
f7da231d117e2fd70ba9136e5faeca4733eb167d

SHA256
e9d36e11b588931e213bf4c947849956c85233a347aaa851c98a9a10cd220aae

SHA512
666bdf0b96c7ab80e25b8cc5a1414ff83726d72d1da6d5655f5904d02d930ab07cbd9f03c333f32fa910c1e309280886da7ddbecab470a592d2c47a2ab4e72bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f38a2eeac9e54f53a2142947f30ddce9

SHA1
7d5741774b372e4b444021c550d4b95f8d3fe026

SHA256
2414a8c408c80858c467c3f25d2afe151e0025aa811cd6c183395c090c482ada

SHA512
3284585ac5552d356733c80b3eb6508e449ffae90d38f436cc62a50288be5726541e07c001941d6082b2190f13754a22e63c02cc65b6e5f3c7fa1bc8d13cedea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
f1881400134252667af6731236741098

SHA1
6fbc4f34542d449afdb74c9cfd4a6d20e6cdc458

SHA256
d6fcec1880d69aaa0229f515403c1a5ac82787f442c37f1c0c96c82ec6c15b75

SHA512
18b9ac92c396a01b6662a4a8a21b995d456716b70144a136fced761fd0a84c99e8bd0afb9585625809b87332da75727b82a07b151560ea253a3b8c241b799450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6e3b456224bec572976b4dc457132994

SHA1
b28140349b0e3c4d3235d450b62fc449c92b823d

SHA256
cd9c0ff64fc22073b13c7f21bcd77489cd701f15f3d5022b08088ef66cf2ce71

SHA512
18566e6eb58350c536f456c1eeca807da437a1faa827495ea7b3791c46bac4962821a9da17ada351eb43609938cc264baffd6cff9fceac48532732750c22ff60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dd54524b10b3d6f827afd0f1e1b34bb1

SHA1
f3da2c0dd2c1a14f9074555f4b5c9f483c7b11e1

SHA256
641b22a90efac0084a9867d58674b6ef2bbac59379d4162181350966ce214c52

SHA512
c2bb7c3a5b1d99720d39794135834318a9303e7fd39d853928f3e5c99039f08e4ad8b9f587833222e1f930ea6631e039fdb81e3d4727dde77bf73c98815fd3ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
28KB

MD5
603fb496f3db40c3b13d13fab8e2394b

SHA1
0b938c6b4805acc09d3122c414e08f096b1cdd63

SHA256
6eb80cbc2ed810483159cc51bd4f8c4adf36ce11f499aa3fe3f0b95a8315c4c5

SHA512
d01589eefa22bb189e96e9134b7cf2976759c662c27ab1c3d7ddd96eb10e256cc31ed6234d8b145cb1424181d815e2ce7d15f14a0dfcc96aa3b59458b5c0f8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
695.6MB

MD5
0709c115b458c9958bb2bb917b26d876

SHA1
2e5aa0322d311590aea1480289d55cb6d03867e9

SHA256
9596db12cb36d78e94a7b8d1d96b74a01ee4f106a8a28dbea1824a8bb5433d57

SHA512
e338c1000f0dc0ab0b69b5089ae22ef6868cd9fd4145fff3c788c67982405efd6eae0e657385843d9dea363bd78aa8e75c2c4f7fb3a3f3606aaaadbce852b3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
622.4MB

MD5
bdcf9ae280271f2db2b48fd4a4a5bae4

SHA1
24dea76699c516393885a02cbf929f5b55ca6cb9

SHA256
aac15b9f5799180364da0b905de95482944555b2c41cf618d12727b804e3d413

SHA512
ff64ae71fa6d77b7d26e8f6753e3f8c155a50bef1018b537df3d0700e9bff3b41f5d6ba508c2aab4fe2ea91ece4c195a7a1a06b7e93a7193af9dce7de33fc202

Download Submit
C:\Users\Admin\Downloads\Bandicam.exe

Filesize
764.6MB

MD5
08aae91bb0af1524da7a7b13d57dd15c

SHA1
664a5efd480f638ab23fcf97111c1bbc84f4bb2c

SHA256
ccc6279c3b53353c999ae0ee189f12c87369eddd50de84a5ca2652afcbebd417

SHA512
4d43fca2b3110b246c6c5edbb54bd9e40eb2b827a0d874c859e2da377bd3816218070a5de92c06144d8fba4bf744551b4273dfd63644adfdc4bc25b309c59fa5

Download Submit
C:\Users\Admin\Downloads\Bandicam.exe

Filesize
728.2MB

MD5
576529e992885dc24f0dea46566b7fb8

SHA1
7aa992ee1e66d57e0c18f350cc4edb3a6b43ce32

SHA256
2737468b765a1256daceefc8be73c4068ff82ee75e49cc4045d09defccb7e77a

SHA512
b5aca10def09a58fab27a31e9448bd997065b961f888cdd858b61d883718c9808b25a074eea5b2071231b4206882fd063b1304111f2b8f10adc7ff8fed123319

Download Submit
C:\Users\Admin\Downloads\Bandicam.exe

Filesize
649.3MB

MD5
e266f8ceb7f6bbf19925328665bbc81b

SHA1
ab34fed9685507fd3b32824e1c2e282c57e1e989

SHA256
1b79cc0c77f76218bd9e6a71c68cfb5700c0575a6da94f8dcb05eb4a576443c3

SHA512
4ade402d33ca8109d8d7f4fbb4015ed302f7db22984f33a177947b579dbf1f34552aa022278baf79f50d4c1c474b4f97ef641e87acee778fd7f065620b84a83f

Download Submit
C:\Users\Admin\Downloads\Bandicam.exe

Filesize
628.4MB

MD5
1a97ec813eaeb049ae3266662ab0d79b

SHA1
c29db994c3bd3474a18a8646b5a88c5dbeb0a90a

SHA256
f6aebd311af3d87a08ea32be47ba0927a5de586043c9495c07a939b3dc33bcf6

SHA512
529134ee5b0f3040c54c7c685f478b01df5525260cc11c18ae12fdbd6c9f4740a3777802a7e247003f60b572527fd90ce4a504bb090bcc8250094e4a45570648

Download Submit
C:\Users\Admin\Downloads\Passw_123_Bandicam.rar

Filesize
5.1MB

MD5
98780465f85b3c4302242516de124cc4

SHA1
3fa71438743d5e91017895aeb6fbf0650587ef3d

SHA256
256f73eb3e22faf888f5a2e402b8b3ac5c4a607dba89e4a2652baa95fcaa16c8

SHA512
c2d7d3637745b4d4e8950b55e6bd82597af68327961442ddb78f57569f574d013352b67608cfa46697f779a55b9f4d5454d974bbcfd56552c91b4f1bcbabadc4

Download Submit
C:\Users\Admin\Downloads\Passw_123_Bandicam.rar

Filesize
5.1MB

MD5
98780465f85b3c4302242516de124cc4

SHA1
3fa71438743d5e91017895aeb6fbf0650587ef3d

SHA256
256f73eb3e22faf888f5a2e402b8b3ac5c4a607dba89e4a2652baa95fcaa16c8

SHA512
c2d7d3637745b4d4e8950b55e6bd82597af68327961442ddb78f57569f574d013352b67608cfa46697f779a55b9f4d5454d974bbcfd56552c91b4f1bcbabadc4

Download Submit
C:\Users\Admin\Downloads\dlls\04QRK4CKC.dll

Filesize
7KB

MD5
dd2052353cf60c21c73754f96223b93e

SHA1
7c337c032869379f1b6ab1ad32dcbc0b0aa0bdbc

SHA256
a899391ff8a4be1ff5d037c785a7aae4fc66c42155c58fde5f0008ee67386b76

SHA512
c3e4fdfb0e08975b5a9ac83184f935002ab878f412dfbd53d9ba02fccc946c18ec24447341d0a412e5100558633adcbd45231047e34bf8138e792972341d9445

Download Submit
C:\Users\Admin\Downloads\dlls\9JDYGN2CUE79E0JI.dll

Filesize
142B

MD5
918ba1f6ab44585b60086a1036c983b1

SHA1
7e7dc66b62fc5eab000f7f0e1b48c800be41ded9

SHA256
354925b0a3362e65f1f7b7dcf32ffa4428224329271288fbe05e96fcc6073ebf

SHA512
7277cb843e8e7f8ac567505d2fed9031443c22e0fdc22f1c1495e8401155610819315ca559da31ddea69dd38507f0a28839518d4663d35e8d858d707bd3ff7a4

Download Submit
\??\pipe\crashpad_2116_GHRJLUUCYIRIKXUL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2752-310-0x0000000000120000-0x00000000006E6000-memory.dmp

Filesize
5.8MB

Download
memory/5516-458-0x0000025B9DBE0000-0x0000025B9DBE1000-memory.dmp

Filesize
4KB

Download
memory/5516-459-0x0000025B9DBE0000-0x0000025B9DBE1000-memory.dmp

Filesize
4KB

Download
memory/5516-454-0x0000025B9DBE0000-0x0000025B9DBE1000-memory.dmp

Filesize
4KB

Download
memory/5516-453-0x0000025B9DBE0000-0x0000025B9DBE1000-memory.dmp

Filesize
4KB

Download
memory/5516-452-0x0000025B9DBE0000-0x0000025B9DBE1000-memory.dmp

Filesize
4KB

Download
memory/5516-451-0x0000025B9DBE0000-0x0000025B9DBE1000-memory.dmp

Filesize
4KB

Download
memory/5516-450-0x0000025B9DBE0000-0x0000025B9DBE1000-memory.dmp

Filesize
4KB

Download
memory/5516-446-0x0000025B9DBE0000-0x0000025B9DBE1000-memory.dmp

Filesize
4KB

Download
memory/5516-445-0x0000025B9DBE0000-0x0000025B9DBE1000-memory.dmp

Filesize
4KB

Download
memory/5516-444-0x0000025B9DBE0000-0x0000025B9DBE1000-memory.dmp

Filesize
4KB

Download
memory/6012-361-0x0000000000120000-0x00000000006E6000-memory.dmp

Filesize
5.8MB

Download
memory/6076-363-0x0000000000120000-0x00000000006E6000-memory.dmp

Filesize
5.8MB

Download