bitrat | ca90a2014f3fcf373516b62575649dfa84005a5bba929be80732076a72e5b249

Analysis

max time kernel
112s
max time network
207s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17-01-2024 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mark.exe
Size

4.0MB
MD5

f81daa62b8a7faba9b529b0c87d3caa2
SHA1

0df66176605d810ccb12644e3c94c2de703ce1d5
SHA256

ca90a2014f3fcf373516b62575649dfa84005a5bba929be80732076a72e5b249
SHA512

065e4f88cdb4a16390475ed49c86046208e8db01313e34b09cc4965234f92ac371488a65a57c06ea27802aea9c75a4afdf59724e193e2c2a218128e43f054be0
SSDEEP

49152:0yX+ajZM0IE8omYWh5gu/8qaR2ihf6TI76DPPjhVTZW3bGnWjZ5wVg76Dcj741a0:0yXDdIE2YcGuUfRPhfoHTYeQOVgua0

Score

10^/10

bitrat redline infostealer trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

serese.duckdns.org:20612

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/2136-663-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline
behavioral1/memory/2136-661-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline
behavioral1/memory/2136-782-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline
behavioral1/memory/2136-784-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline
behavioral1/memory/2136-786-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1808	AddInProcess32.exe
1808	AddInProcess32.exe
1808	AddInProcess32.exe
1808	AddInProcess32.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1716 set thread context of 2736	1716	mark.exe	31
PID 1716 set thread context of 1808	1716	mark.exe	52
PID 2736 set thread context of 2136	2736	AddInProcess32.exe	53

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000969d72c3e5a03a40a0257479feadc03a000000000200000000001066000000010000200000002f5709f6c3ec0d831077c72c312683c72bc991b9abab0b0357f6937d13d92bdc000000000e800000000200002000000015ae6d9cb9ad79a3c11799451e4063751c634ecb419e01f9ba20bdc7ac303c2b200000000a85aad30fc3436cd5b499e7e8eb649331c4bac1b5d465609c49e27632bdcd8440000000784ad3f37b514b715ae495910dc4724fc958fbd9d46e316775c91d23884ab8bdd58b8e9999400d032eda7b5f00a1d516ee26f3f73f6be2773a069798bde28ae0	InstallUtil.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E4936DD1-B512-11EE-AB70-EED0D7A1BF98} = "0"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	InstallUtil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000969d72c3e5a03a40a0257479feadc03a000000000200000000001066000000010000200000002c3a570cca5749d0bd60ba3711017a2659d9f5cb29049fbf8ec21dfb462f15c5000000000e8000000002000020000000dbf01bfc420f3f55dd08e35d35ec040ea7625a7f23af0cab5c99085115cd262e9000000021ba2b2144ea81e7618844a8cc2bba9dddd6b610097f321459352e241e8323abac39214e201dbf712360e45e44894936b97830d90bf6374e30a0ab0acc2c40df9c1bee89837fb08ca529fd7164a25586ec691a2b4981b273370db149ce741f6324ae967052f9b89fcb048a5b9dfcf00aa38dc9801b3a264fffa3e06c0bef11d82b8d226d9e5404b5a651dbe3ab6d8e6740000000ba4e27149c820da5f5875a9626f31f65667b86668fe40f350aa2d0f0aea2998920100bd5345f74a413b21dee5c52196ef0dee84d77b4786cd2dcd04b8b9372c7	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90df0fb91f49da01	InstallUtil.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	InstallUtil.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2380	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1716	mark.exe
1716	mark.exe
1716	mark.exe
2440	chrome.exe
2440	chrome.exe
2736	AddInProcess32.exe
2736	AddInProcess32.exe
2736	AddInProcess32.exe
1820	chrome.exe
1820	chrome.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	mark.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeDebugPrivilege	2736	AddInProcess32.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeDebugPrivilege	1808	AddInProcess32.exe
Token: SeShutdownPrivilege	1808	AddInProcess32.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2136	iexplore.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2136	iexplore.exe
2136	iexplore.exe
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE
2380	EXCEL.EXE
2380	EXCEL.EXE
2380	EXCEL.EXE
2380	EXCEL.EXE
1808	AddInProcess32.exe
1808	AddInProcess32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2796	2136	iexplore.exe	30
PID 2136 wrote to memory of 2796	2136	iexplore.exe	30
PID 2136 wrote to memory of 2796	2136	iexplore.exe	30
PID 2136 wrote to memory of 2796	2136	iexplore.exe	30
PID 1716 wrote to memory of 2736	1716	mark.exe	31
PID 1716 wrote to memory of 2736	1716	mark.exe	31
PID 1716 wrote to memory of 2736	1716	mark.exe	31
PID 1716 wrote to memory of 2736	1716	mark.exe	31
PID 1716 wrote to memory of 2736	1716	mark.exe	31
PID 1716 wrote to memory of 2736	1716	mark.exe	31
PID 1716 wrote to memory of 2736	1716	mark.exe	31
PID 1716 wrote to memory of 2736	1716	mark.exe	31
PID 1716 wrote to memory of 2736	1716	mark.exe	31
PID 2440 wrote to memory of 2376	2440	chrome.exe	38
PID 2440 wrote to memory of 2376	2440	chrome.exe	38
PID 2440 wrote to memory of 2376	2440	chrome.exe	38
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 1848	2440	chrome.exe	40
PID 2440 wrote to memory of 908	2440	chrome.exe	41
PID 2440 wrote to memory of 908	2440	chrome.exe	41
PID 2440 wrote to memory of 908	2440	chrome.exe	41
PID 2440 wrote to memory of 1976	2440	chrome.exe	42
PID 2440 wrote to memory of 1976	2440	chrome.exe	42
PID 2440 wrote to memory of 1976	2440	chrome.exe	42
PID 2440 wrote to memory of 1976	2440	chrome.exe	42
PID 2440 wrote to memory of 1976	2440	chrome.exe	42
PID 2440 wrote to memory of 1976	2440	chrome.exe	42

C:\Users\Admin\AppData\Local\Temp\mark.exe
"C:\Users\Admin\AppData\Local\Temp\mark.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - Modifies Internet Explorer settings
    PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1808

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ExportAdd.xht
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2136 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2796

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6389758,0x7fef6389768,0x7fef6389778
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1328,i,15008826660143689111,7743202207439571753,131072 /prefetch:2
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1328,i,15008826660143689111,7743202207439571753,131072 /prefetch:8
  2⤵
  PID:908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1328,i,15008826660143689111,7743202207439571753,131072 /prefetch:8
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2328 --field-trial-handle=1328,i,15008826660143689111,7743202207439571753,131072 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2336 --field-trial-handle=1328,i,15008826660143689111,7743202207439571753,131072 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1324 --field-trial-handle=1328,i,15008826660143689111,7743202207439571753,131072 /prefetch:2
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1264 --field-trial-handle=1328,i,15008826660143689111,7743202207439571753,131072 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3460 --field-trial-handle=1328,i,15008826660143689111,7743202207439571753,131072 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3576 --field-trial-handle=1328,i,15008826660143689111,7743202207439571753,131072 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3500 --field-trial-handle=1328,i,15008826660143689111,7743202207439571753,131072 /prefetch:8
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3804 --field-trial-handle=1328,i,15008826660143689111,7743202207439571753,131072 /prefetch:1
  2⤵
  PID:792

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2132

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6389758,0x7fef6389768,0x7fef6389778
  2⤵
  PID:500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1080 --field-trial-handle=1224,i,10308518131208364740,14897179137970354077,131072 /prefetch:2
  2⤵
  PID:992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1224,i,10308518131208364740,14897179137970354077,131072 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1224,i,10308518131208364740,14897179137970354077,131072 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2204 --field-trial-handle=1224,i,10308518131208364740,14897179137970354077,131072 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2212 --field-trial-handle=1224,i,10308518131208364740,14897179137970354077,131072 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3244 --field-trial-handle=1224,i,10308518131208364740,14897179137970354077,131072 /prefetch:2
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1448 --field-trial-handle=1224,i,10308518131208364740,14897179137970354077,131072 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3448 --field-trial-handle=1224,i,10308518131208364740,14897179137970354077,131072 /prefetch:8
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3592 --field-trial-handle=1224,i,10308518131208364740,14897179137970354077,131072 /prefetch:8
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3676 --field-trial-handle=1224,i,10308518131208364740,14897179137970354077,131072 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3728 --field-trial-handle=1224,i,10308518131208364740,14897179137970354077,131072 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3476 --field-trial-handle=1224,i,10308518131208364740,14897179137970354077,131072 /prefetch:1
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3232 --field-trial-handle=1224,i,10308518131208364740,14897179137970354077,131072 /prefetch:8
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 --field-trial-handle=1224,i,10308518131208364740,14897179137970354077,131072 /prefetch:8
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1040 --field-trial-handle=1224,i,10308518131208364740,14897179137970354077,131072 /prefetch:8
  2⤵
  PID:1744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2636 --field-trial-handle=1224,i,10308518131208364740,14897179137970354077,131072 /prefetch:8
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 --field-trial-handle=1224,i,10308518131208364740,14897179137970354077,131072 /prefetch:8
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3936 --field-trial-handle=1224,i,10308518131208364740,14897179137970354077,131072 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4008 --field-trial-handle=1224,i,10308518131208364740,14897179137970354077,131072 /prefetch:8
  2⤵
  PID:1560

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22a1a552f159324921db7f116ad004f3

SHA1
bc493ca7f3e3f395f7a68593027aaf5efff4293e

SHA256
a11c0ea395179fb210ea386f6fa86c10552ce816c8f3062c5a24d15c715a2e9a

SHA512
81d0d87068d39ace683cf01a1c79c305db8c3b2af59b9306702910f1f0d3cce942a51b2a7eb26149c555673abb3e13068de4725ac67ab41cfee39303f18d04c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4cb5d01edf0b85c2350fbe3d6fc82627

SHA1
4d243809f70d59d4bccc1eed6776f06e907ee113

SHA256
493f159b456033623dcbe8b0708b900c8c1d5248f2bca628d49928d51d593faf

SHA512
feadeae82312b38fa1ddce62177f237f39c6f5fc11f01ae347565f0a6bbab417cc5cf41295e4e82b53057c2f5aa9d4aca3b9a88beaf74ebd44b485c331213292

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b2fa4ae250513ff47d52a923bacd9c27

SHA1
a20cabceef1917206a1f3034d4a21412d18b4a4b

SHA256
0354c49b03d38b7b196bc077e51884936467d9290df27dd922c7e4152383daf9

SHA512
d258b7423aec510779ec099b1df5ef90fc5a43c70d6bb2a230d9f81ee562b7b02018af9efb0fbdce81696f14718137f53ad5c945416a5aa2f2fe2253062f49ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3fbd22479197dfdff5a5f76ffd28cc5e

SHA1
284aaa9ad9ab9749a0ac54c5a19ff12712e185f2

SHA256
c12ecb17be09683191daf5a35197c14740b92204ec08e793bbdaef9ff123fdd9

SHA512
c0baaef8b33b8faeaaabc8eda703b52fdcd2133b99f565eb5b0fa28b8abfd69f178ca8533d4137dfca087173e8f75986ba436bf52319eedf67e19cfb074e00ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\7b2c5e17-51a6-4355-86ac-5c070c833ef1.tmp

Filesize
226KB

MD5
38411d14eb02924cf22c664f3ed499e6

SHA1
d86caa77b93a879bdc68cca028ddcc380a9b53ba

SHA256
b8fad4c68fbaabf1bcac67b61d2fda1701a9328321fd5d2132aa9735ce9111b6

SHA512
1e057f9b8bc99adfd41765a895758347bfaab4fcf145406c337d7e3347462f44dfd6fd31effd3ea9d4f04fdaa950f594c039162a4edcd33aac1b6fcda3ba6420

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
f47e890b4447a4ffaef3ea52bdcd0bd7

SHA1
9ee3172de76a6579b4392c1d8e2162ce1f6d12b0

SHA256
993cb26ddcb4f560d0192a962cd11edc0298dbc861b5944961acfc587a991565

SHA512
b827ea7d27d114112ea927bafd81f2c2b5b35c17ba1872091c1f0d8f5e46d245dcb45e436b9bcea42a7f8e8ebc5dcdaa56a2620ee51b36d189cbe028a85da9ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
e328b44c3fd7b7084d18df22a8a466fa

SHA1
81e7ff69c84fa2750ec4838b8833583b88344aca

SHA256
b797c6a67386e3f5cd38de8c0da0a63e86b7630c5f04d18b291365e204f2fc1c

SHA512
5632c6374f41637f62c80c743b58d6ea24dced9cdc7d74b2796e64e5fdee184bb02167df74e3b7eb23d78b7b0eeb9c66acb3bc064564c2e41b85f7563989700f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
00e3ea82a7f476eb89ce90886eff31c6

SHA1
472bdd40461299cfe564642525447f7499b10702

SHA256
99703c5b353bde1409bf7edc26087b17c089839fa364e078bc3a173e2b28a85b

SHA512
7389b2c716a5a903d3019228b3ccb35c10564714894ec5e36fa33589d9c8ccaeb87f6374f4f2a197293dd57255e74304d38dce4e8e56b234ceaaa543fc2df301

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
d12153720fbe479c985bfdd6ff402ea3

SHA1
3d5ff47d101574936cec2543242283a8065a46e6

SHA256
4f0a0f9261b8c009c27fc058147f40b519869d8f8a3af42b3facccd812fca1ec

SHA512
61c890f46c085f460ea39409c217dc8f274364e57432160910b65be99968a1f374c0ac12f587541782a18d22c79b7c5039be4b778fd0b28bbc4acae4d5a416e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
37KB

MD5
f7e8a9e409268e8f48c0169ad04b25fc

SHA1
82d4c47cb53d6f37fd7156990adf25f2a645eed4

SHA256
56b812805d23c70859faf22239244548aff7ad0759eace366280968f38a93f1b

SHA512
20c3e911937c7608937d9700425adb811ca5ff5295f83d0f45d3e0e0421e01782d73d03fab931d0092d5bf5b8cd4952b82fe6d9d436e62e40144d07bfd89a098

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000009.dbtmp

Filesize
16B

MD5
979c29c2917bed63ccf520ece1d18cda

SHA1
65cd81cdce0be04c74222b54d0881d3fdfe4736c

SHA256
b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53

SHA512
e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
136B

MD5
55689b470e0c4fdf7707311af0bca962

SHA1
3b6245c45a2dc4d0e2fe760011bfef8a3ad7e7b3

SHA256
90021cf8cb7415eb14e6a1ff112ec37b4fe008e672e15e3aa236f43a60d0bbc7

SHA512
4a40e8a3e2e5925d830325f6172c47fa7c094265dfe09913aab6e391e0f32c40ff1e83158b50d27783a4d94afaa786c5e459100aa105321b7f439cfac6df4e8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000007

Filesize
50B

MD5
1be22f40a06c4e7348f4e7eaf40634a9

SHA1
8205ec74cd32ef63b1cc274181a74b95eedf86df

SHA256
45a28788cde0d2a0232d19c391eae45777fe640790ac0674d6daa5672c444691

SHA512
b8f6f42d375e3ad8015d744fa2814994fa6e588b41cce0131fca48194dd40146b08169a8ce0da350525ff32a59a16edb503c72e0f07254955c82a0d38074856e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000008.dbtmp

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
136B

MD5
d04f689c398f124291cc201df52a16a1

SHA1
cd714b33b84384ebc2505b5328bc797b4634585d

SHA256
f05a67783369e996e3b356f41bf12ffb9299776e429ba0a7cdcb2ad5fe2c5bac

SHA512
7f3a92f7cab082a6e7bb10edb3dec56c1a9be3d9cd3afbfd51f0d4c31d902028537c9e86a28ee28abd801596e990105ab018178d18b6fbc408339d8d94d64811

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000006

Filesize
50B

MD5
78c55e45e9d1dc2e44283cf45c66728a

SHA1
88e234d9f7a513c4806845ce5c07e0016cf13352

SHA256
7b69a2bee12703825dc20e7d07292125180b86685d2d1b9fd097df76fc6791ec

SHA512
f2ad4594024871286b98a94223b8e7155c7934ef4ebb55f25a4a485a059f75b572d21bc96e9b48ed394be8a41fe0208f7bfb6e28a79d75640c5b684f0c848fe3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
984B

MD5
930d2fa9f7c70b34eb65f8e4fda72bb2

SHA1
b249593f10379cbfe7433d54b033833258460abe

SHA256
da46577f174c916ee09945be5af17c8c5306ca91b92251f30540fb492ca730a4

SHA512
8b6d1d42aa4db0fb7f0cee968f676650daf38d1e578a3bcfe4541dd9b9b6bebabaf6b5bcc95c2b3d291f1cd8819175c5a841389a9bc642384e8333a1dab65209

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL

Filesize
36KB

MD5
a0d2e78ef8574698a59f04476dbef478

SHA1
3578377aee05888fc05371f5884b29487fd39897

SHA256
764c75c90869e19eb22288120fcd4cf1dd18f1823fecc1bddfe7a3e4f137a490

SHA512
33c4634f5e2284f420c7027ea018364a417675d9fc2b3b9c47777bfa5653c4d9da6a465c4bbb961281ccb98413abb650751badfd2b76bd85797d68ea4c0ecbac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
359B

MD5
e2b3d7b21f05d3ab5df4e85add612ebf

SHA1
a306147586a69af6714ccb72e853b52277adb9b5

SHA256
52352f293081806778bd387086730f2ad3a9f3afa1b296a8b64c05a65baed20d

SHA512
a9082da02b2a6d337b0748d687b72ac33c2e235b5d4ce30f896f6b94d8e6b7b9ec220e0a922cde9a29f70618df964db12e6ca05deb115aae10b4bd61f870ff29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
1083b5c364f8b55a2e003f5d321ec911

SHA1
6fda61185aa665f3ed1d9ba4f962cac777e87e9f

SHA256
e6b342faff7596eb76d0f8b939cd43de201e266eecdc8f6c02e93b3dd53085d3

SHA512
e1a2a63d531b4184675ba86cfa4463ced6ee453676d01939bc38a3d5ecb8d847f461368c2f3e9461d56bbe5c320314c0043f4604db0f4aff606c750344fb0236

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
54174e7b06efa7a959be45c266a07ef5

SHA1
f88c4fa9d9df8d03963f5f9f2067828346ed2aa8

SHA256
108f5cb415ae0831efba8ba1dc0ffb3a08851b7a635fd3d98d5e93bf4b05ee7d

SHA512
fded38d641474edaf1ac316d39ceea672eabae08f5d8c1ed68e0b6b6876193d8054538228a12bf8ce75c4ee2b5edd54fc490949b157150239b3100eee520a7e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ec96593dfad6d64d731e26af7d18fae1

SHA1
1179f5b3f29bfb061866ea1a815c7e64ed458455

SHA256
aef8b6de30672659e9a2fb988d68f53a6bab70bbf04c839f21ceba7f76ee0754

SHA512
b89e4de132236964a709aab5c77f9ae64dd41689464b974428b18ce81057277b13cc3fe2db9daa4ad8a1f9bcd3b8dc9848f5921f700f7ea5740b0c2b09134441

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
836010a7e77fd8bd1d442712110fe958

SHA1
e1a83d89e5a398bd478cd3e412f14677cec4b35f

SHA256
66a22685386454280972af41b418db1e33174fcaf022e87dd08f58c094021af6

SHA512
b53f0111b5f2b7b731da6b95d13c23263e8c3adfa6ae0084bdd582a3e95fee530b9b886264bfd8654dea37f687338602b6ae8c7295efe10308884550b21de9f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
39b5dab04915672776127314a86c9629

SHA1
97a6cdc5a7e21bc806547f7f4836e7adf86bd6e7

SHA256
e43d5104ebea32a0d2a7fc62ea9ec5be27af74bd7512152e12cf8570fc706be7

SHA512
7b8459fdd424b0a1e1bfb7de184b10e2e1b143767b249733e113b683cbe688fb793887549dd6d7c09e26705c1c6d0781870d9e3cb568eabc56173b575b6a927d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
dbb5c65445261ad347f37f229347353b

SHA1
c445da24017fe7925ed2588c1eb3a96260689566

SHA256
17cc7ed4fbc72d8b289be4be0b5558fe14c80e1874f7141bf930a4ef89d4589f

SHA512
296cdf8892c8e5a39edfc85b0739c0778f3357eb84e118a198bb3b382767c2384b1dbf37af7bdf225c43e9de944e7f4e48d777f342198584182c8c84fbe45add

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cd07e612c995e88e83c2328e2ade1d93

SHA1
25b01141b81b2695a910c4f5c65b07c389a1e20f

SHA256
6b82efb6ac4e6aeb0aaed8c217f5e955372ffedc3eba5bac1ebee6f040ca550f

SHA512
a72409a1db433eed9ad142c148df0756850fc7cc64d462f55fc421a967895a50d7af57ab81c83c01dbe08e6089d596408bcc32982490550254faf6c4c2d42bda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000009.log

Filesize
38B

MD5
e9c694b34731bf91073cf432768a9c44

SHA1
861f5a99ad9ef017106ca6826efe42413cda1a0e

SHA256
01c766e2c0228436212045fa98d970a0ad1f1f73abaa6a26e97c6639a4950d85

SHA512
2a359571c4326559459c881cba4ff4fa9f312f6a7c2955b120b907430b700ea6fd42a48fbb3cc9f0ca2950d114df036d1bb3b0618d137a36ebaaa17092fe5f01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
247B

MD5
a215e2cabe139f5e972eed9ae4117ca6

SHA1
729c1c2eee6699f5864ddf6e29f02a9760ce0d75

SHA256
bea259569a85d3e735a06926bda37613099927f15111012fa861215fff4e0a8f

SHA512
fd13f4733a200074d9c083cd34564605d0efdba95df5c7bfb859ad6095aa0b3cd207d95a2d9de90bb8a197cb19f015740c1968532ab5c26c1da7f8884b8bbf5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\MANIFEST-000007

Filesize
90B

MD5
b6d5d86412551e2d21c97af6f00d20c3

SHA1
543302ae0c758954e222399987bb5e364be89029

SHA256
e0b2fdc217d9c571a35f41c21ed2596309f3f00a7297a8d1ded05f54f0e68191

SHA512
5b56ae73a61add9e26f77d95c9b823f82a7fcdc75eed64b388fb4967f5c6c42cb0796b0b99dc25c89f38952786176c10d173dec7862a8a5ce5f820280f72d665

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
136B

MD5
1fe274004211e48f885a58f542cf95cf

SHA1
5206d4f89a8854a3d2d8410bc748d6d2b8dd4aef

SHA256
aced88976a8cb6f5e974416760eb5c7b235ecd9addd9486f9773f149304f839b

SHA512
78cecac4598c1bca569066367a40bdcf79a2aa8af714698a25d8733bbb0abd6a6a7b841c9c936c3ba0cecf479cccf4e613f10cf4a7fc6a2214c306c395352cb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000007

Filesize
107B

MD5
22b937965712bdbc90f3c4e5cd2a8950

SHA1
25a5df32156e12134996410c5f7d9e59b1d6c155

SHA256
cad3bbec41899ea5205612fc1494fa7ba88847fb75437a2def22211a4003e2eb

SHA512
931427ad4609ab4ca12b2ee852d4965680f58602b00c182a2d340acf3163d888be6cfad87ca089f2b47929ddfa66be03ab13a6d24922397334d6997d4c8ede3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000008.ldb

Filesize
1KB

MD5
57b3570dbf0b6db40e29d27a4a277aa3

SHA1
0221cdc507b540280fcdefe7199acd1f0fd5ea9f

SHA256
f714e77f93b54a09fde887a41447e68d3787b123056f044a7d061efb5053cf77

SHA512
906f94719fbaeeea1cc4ea0bc50641187227d4054df9261eeb5de76efbf5834c5e11480fcb540ba2e82596a0c216b91e4b4f54f958f996c689b534564ea3c356

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000009.log

Filesize
2KB

MD5
55c78d2efa88676c33ec4a8943767090

SHA1
1435e16275c8f386b336b61680d698d3712a99c9

SHA256
459ca7c11b6bc06d9bc160cddd5ed051f7ffca13e4e8c1f692fe6791be4460c5

SHA512
9697612103b83306ec1655bbc071a55e523a871f9c779b52a4878b888c4b5c193c6f264ee0723ce5ff47bec52b6b8fd2cc8a53868021ca2b36034ac9fdda7eaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
250B

MD5
182f71120f32719de4d57291dc5b9006

SHA1
d29ba942235d741aa5aea374e0d1b68c2015f7aa

SHA256
c8135f546e71e1e569c687daf940b868022da638dee3a9c38e9339952b33f105

SHA512
72f7fb9749dd6cc188fe9df460578f1ded4ba3b5a8ed9510fe8fd71cb7ef48d72521a9d6d9d7c801eafe766c083e9ab279f58ff86ddf31f70b8926a6ffb7804c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000007

Filesize
250B

MD5
d89c771f339d7d96040098a218521028

SHA1
8293720bb676440fa860b840c1e9ffcb92cb8a27

SHA256
86e1b92b3b4f5aa4ddc6190987589c86e9bd40795082413472a5ec5bf6b2f719

SHA512
6fd5d0631c5544112af4f976e48a61201f027b6e464f11fcaf818f2e92bac501a91a2135be89552fc0c15e3c7a4e9e774fe2ec75a9742375f164f1e218584158

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000008.ldb

Filesize
488B

MD5
448107918b8f24005312330cfbe5004c

SHA1
16988eb3c6aec90ae097d7d992a9381409fa00f1

SHA256
1a0430a246d105584ea0013d4533b7dd0867d4789d6f4bbfc13ccf98edef9b77

SHA512
c90890b3e1cc2fab08ba1a03bf48a56a4acb5b55fe4866582714bdef400dc3bfbe8f40900ba0dc062892627c1761e153c7f589c9395b75eebbadef994f57612d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000009.log

Filesize
123B

MD5
abe087fc2f7b0913c7d2977b2cec2e10

SHA1
9a239d61528e7e94a7c11a06c18b22989343e8df

SHA256
fb5814c11a9dd4cc44fa353820777069f7cb726c91c110d6cb3ab44f9deaef12

SHA512
b428c74fb6f629410d2837ec35dd8cffc22b0b82d8ac5d64c66d67456d88c8a7c40a5e3a10ead28fa002c2a9817092e33f96704ed65ca89c1f9de593b1630219

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000010.dbtmp

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
249B

MD5
c58222c7b2ba066af4dedff2b1bdfe5c

SHA1
07c35a09c65c7c5ac8d3cd7b7057aa96f2d708ed

SHA256
257757d7d59b698924a2e0bc83ac95370813f2d10a9f369e7df6140acba6eb51

SHA512
96de21532182e5d6bfb0a4063100f845b833c1a7519b38fa74237f14b8b8fe2a3c4109d12273c39ec64758472ab7f58ee0a86fb307563589aa032bfc3af27741

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000007

Filesize
98B

MD5
05e8bcc0bb9092b93a1c3b514abecd72

SHA1
385d424eff00ad976408f6169de14a59a8ba332c

SHA256
2128f23c3954bb2d37f738858829b8f2bad759071270a5d11011777a4c16ee61

SHA512
83f509090f64ed25502de1498b8f3eed533e03db83adfaab5d0d6c36b4594effed22acc331393616181b0d4340133f8e5bc3a694126d5b9414b75bec237c22bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000008.ldb

Filesize
318B

MD5
3dbc8d2a7e9068a99d68e934cd326853

SHA1
515d19812f5c7c052c20767983bc9d2dbad9ac36

SHA256
fc3c0eb8ecc5e44c6589e3a67f8e7a264147c6e501447a618f9331ce247e6c33

SHA512
b34ecb8d8f51a9ba2dba9f98d04b188caade8c3745003a1da27ef94695bb9f0ef8cd64982e984de57596b8db114e41ff2a06ee9909a2d742e5f6aac045149ef2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000009.log

Filesize
34B

MD5
fe62c64b5b3d092170445d5f5230524e

SHA1
0e27b930da78fce26933c18129430816827b66d3

SHA256
1e1a9ca70503efd8c607f9bc7131f08aba0476d75f2586dadb4da5485a5315d4

SHA512
924daccfbfb0c0464b4c5fd769e01a8f2e96fe28b635aa27ab4cd91766b05b03bbf941af14c017436107673f01bad815ce1fac2a649e745c76b3c736994b4fd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
249B

MD5
5cb81404776bebe638efb7063d80c286

SHA1
a77907c947beb8afdff1e902d05149c6bfe5b109

SHA256
93bad8ba49b59245d1920b32fd7da4ef6c5989d99b0f0140049417fbbfbc9570

SHA512
a66348156bc8b405974284ca0df32bde9c9845396aad0e99ba771f525e3f2ebd02f86d7af718ed417e374bb770a359d8df597494310d80416f1ecbd65a6a2ebb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000007

Filesize
118B

MD5
d757e9f525200060aefbd2e00bc69809

SHA1
ae551809c3435fe3e6716b76dc23b7294189b4ce

SHA256
729406f9e7c1e50d927d0c6916ee0a97eaa26c46e6cdecef7580e61b8c0dfe20

SHA512
50c15062061f449952bda82a8b0cd4bafe6f3f434f642fadb8017e65c09886bb4d0b52967c80f8fa380447c63d79b6518f605a3efe7d8eea40c2dbbaa0d41953

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
226KB

MD5
fb0c81aac484ed6b25a00330a6fd8331

SHA1
b602bd7b2cf62318ac9bc264620ff09e20ecd72e

SHA256
d659e2a2d22e6f5db1173302e71e9c5b84c7581e2f6f3bc08a9a06ce33fa6852

SHA512
f8a898b8bbeb5f6fa6b997e6ea8e5473eb36cd7ec86e561606f0a62087f418b5d775f382b9c6ba42a18eaedbc3965a686605bc27c5cd249c4232a9328cd9608d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
75KB

MD5
834bcd3cc211911886d3d1b9b0589d1e

SHA1
2dc9f088b1784e082c70527f767cb7f259584947

SHA256
aed68771bad34336522ba4b8e4fc52da465a23a028c7cd9b4127d2cc99c768ed

SHA512
4b1dc23428c074f89819fd4348eb8a6e65ba748c88226b77014cb13bb53be7c687e2f9759ab2a536a871424159022047f2d0418970a72fa9929db6c152a66358

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAE98.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAF39.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\Downloads\mark.exe

Filesize
4.0MB

MD5
f81daa62b8a7faba9b529b0c87d3caa2

SHA1
0df66176605d810ccb12644e3c94c2de703ce1d5

SHA256
ca90a2014f3fcf373516b62575649dfa84005a5bba929be80732076a72e5b249

SHA512
065e4f88cdb4a16390475ed49c86046208e8db01313e34b09cc4965234f92ac371488a65a57c06ea27802aea9c75a4afdf59724e193e2c2a218128e43f054be0

Download Submit
memory/1716-466-0x0000000005230000-0x0000000005270000-memory.dmp

Filesize
256KB

Download
memory/1716-780-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/1716-1-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/1716-5-0x0000000005230000-0x0000000005270000-memory.dmp

Filesize
256KB

Download
memory/1716-6-0x0000000000520000-0x000000000053A000-memory.dmp

Filesize
104KB

Download
memory/1716-7-0x0000000000410000-0x0000000000416000-memory.dmp

Filesize
24KB

Download
memory/1716-8-0x0000000005230000-0x0000000005270000-memory.dmp

Filesize
256KB

Download
memory/1716-0-0x0000000000DB0000-0x00000000011BA000-memory.dmp

Filesize
4.0MB

Download
memory/1716-4-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/1716-3-0x0000000000B60000-0x0000000000BA2000-memory.dmp

Filesize
264KB

Download
memory/1716-2-0x0000000005230000-0x0000000005270000-memory.dmp

Filesize
256KB

Download
memory/1808-840-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-806-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-807-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-808-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-809-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-814-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-816-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-819-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-577-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-560-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-559-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-558-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-557-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-555-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-553-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-820-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-822-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-823-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-825-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-826-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-777-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-779-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-828-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-781-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-805-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-803-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-790-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1808-804-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2136-786-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2136-665-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2136-788-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/2136-789-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/2136-784-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2136-782-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2136-859-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/2136-849-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/2136-657-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2136-659-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2136-661-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2136-663-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2380-454-0x000000006E89D000-0x000000006E8A8000-memory.dmp

Filesize
44KB

Download
memory/2380-465-0x000000006E89D000-0x000000006E8A8000-memory.dmp

Filesize
44KB

Download
memory/2380-453-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2380-464-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2736-668-0x0000000004F20000-0x0000000004F60000-memory.dmp

Filesize
256KB

Download
memory/2736-538-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2736-540-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2736-542-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2736-667-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/2736-544-0x0000000004F20000-0x0000000004F60000-memory.dmp

Filesize
256KB

Download
memory/2736-787-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/2736-543-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/2736-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2736-15-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2736-13-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2736-11-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2736-9-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download