03ee5437a1dad818f417db18dd50e16bc08c890b442874d841cd1a6a643c4010

Analysis

max time kernel
138s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-03-2024 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

5.0MB
MD5

e9a24c7a42f9b296cc1e31dc3ea73b2b
SHA1

06e9607fb973400f0f110854ce90382965cd43d9
SHA256

03ee5437a1dad818f417db18dd50e16bc08c890b442874d841cd1a6a643c4010
SHA512

48af794e0042ce3cea37ff11e3f9b74d0a8e463018fc827d7ef459cc58252a5f436632c19b5d4674a6b54f02543005a294ef94f86d46d1ecff574ba6fab0464b
SSDEEP

98304:XrdCegVSGMzByLXMfivQayGnOht5RTc7kjRX1LNNDw7:waGMlyLXvvQdmmt5RTcGzLNe7

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5080	ZB6ZYMZI7M.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/2208-0-0x00007FF6C9800000-0x00007FF6CA220000-memory.dmp	vmprotect
behavioral2/files/0x000200000001e7f4-7.dat	vmprotect
behavioral2/memory/5080-8-0x00007FF677390000-0x00007FF677DB0000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
740	ipconfig.exe
3920	ipconfig.exe
1032	ipconfig.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3700	taskkill.exe
4460	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133539874273710916"	chrome.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5032	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1416	msedge.exe
1416	msedge.exe
4856	msedge.exe
4856	msedge.exe
2272	identity_helper.exe
2272	identity_helper.exe
4916	chrome.exe
4916	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4460	taskkill.exe
Token: SeDebugPrivilege	3700	taskkill.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2208	Loader.exe
5080	ZB6ZYMZI7M.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1688	2208	Loader.exe	90
PID 2208 wrote to memory of 1688	2208	Loader.exe	90
PID 1688 wrote to memory of 3756	1688	cmd.exe	91
PID 1688 wrote to memory of 3756	1688	cmd.exe	91
PID 3756 wrote to memory of 2860	3756	net.exe	93
PID 3756 wrote to memory of 2860	3756	net.exe	93
PID 2208 wrote to memory of 1120	2208	Loader.exe	94
PID 2208 wrote to memory of 1120	2208	Loader.exe	94
PID 1120 wrote to memory of 4964	1120	cmd.exe	95
PID 1120 wrote to memory of 4964	1120	cmd.exe	95
PID 2208 wrote to memory of 1680	2208	Loader.exe	97
PID 2208 wrote to memory of 1680	2208	Loader.exe	97
PID 1680 wrote to memory of 4460	1680	cmd.exe	98
PID 1680 wrote to memory of 4460	1680	cmd.exe	98
PID 2208 wrote to memory of 3356	2208	Loader.exe	100
PID 2208 wrote to memory of 3356	2208	Loader.exe	100
PID 3356 wrote to memory of 1032	3356	cmd.exe	101
PID 3356 wrote to memory of 1032	3356	cmd.exe	101
PID 2208 wrote to memory of 4032	2208	Loader.exe	102
PID 2208 wrote to memory of 4032	2208	Loader.exe	102
PID 4032 wrote to memory of 740	4032	cmd.exe	103
PID 4032 wrote to memory of 740	4032	cmd.exe	103
PID 2208 wrote to memory of 5080	2208	Loader.exe	107
PID 2208 wrote to memory of 5080	2208	Loader.exe	107
PID 2208 wrote to memory of 1504	2208	Loader.exe	108
PID 2208 wrote to memory of 1504	2208	Loader.exe	108
PID 1504 wrote to memory of 5032	1504	cmd.exe	110
PID 1504 wrote to memory of 5032	1504	cmd.exe	110
PID 5080 wrote to memory of 2420	5080	ZB6ZYMZI7M.exe	111
PID 5080 wrote to memory of 2420	5080	ZB6ZYMZI7M.exe	111
PID 2420 wrote to memory of 2804	2420	cmd.exe	112
PID 2420 wrote to memory of 2804	2420	cmd.exe	112
PID 2804 wrote to memory of 4988	2804	net.exe	113
PID 2804 wrote to memory of 4988	2804	net.exe	113
PID 5080 wrote to memory of 4260	5080	ZB6ZYMZI7M.exe	114
PID 5080 wrote to memory of 4260	5080	ZB6ZYMZI7M.exe	114
PID 4260 wrote to memory of 3468	4260	cmd.exe	115
PID 4260 wrote to memory of 3468	4260	cmd.exe	115
PID 5080 wrote to memory of 5000	5080	ZB6ZYMZI7M.exe	116
PID 5080 wrote to memory of 5000	5080	ZB6ZYMZI7M.exe	116
PID 5000 wrote to memory of 3700	5000	cmd.exe	117
PID 5000 wrote to memory of 3700	5000	cmd.exe	117
PID 5080 wrote to memory of 1692	5080	ZB6ZYMZI7M.exe	118
PID 5080 wrote to memory of 1692	5080	ZB6ZYMZI7M.exe	118
PID 1692 wrote to memory of 3920	1692	cmd.exe	119
PID 1692 wrote to memory of 3920	1692	cmd.exe	119
PID 5080 wrote to memory of 4556	5080	ZB6ZYMZI7M.exe	122
PID 5080 wrote to memory of 4556	5080	ZB6ZYMZI7M.exe	122
PID 4556 wrote to memory of 4856	4556	cmd.exe	123
PID 4556 wrote to memory of 4856	4556	cmd.exe	123
PID 4856 wrote to memory of 1508	4856	msedge.exe	125
PID 4856 wrote to memory of 1508	4856	msedge.exe	125
PID 4856 wrote to memory of 1680	4856	msedge.exe	126
PID 4856 wrote to memory of 1680	4856	msedge.exe	126
PID 4856 wrote to memory of 1680	4856	msedge.exe	126
PID 4856 wrote to memory of 1680	4856	msedge.exe	126
PID 4856 wrote to memory of 1680	4856	msedge.exe	126
PID 4856 wrote to memory of 1680	4856	msedge.exe	126
PID 4856 wrote to memory of 1680	4856	msedge.exe	126
PID 4856 wrote to memory of 1680	4856	msedge.exe	126
PID 4856 wrote to memory of 1680	4856	msedge.exe	126
PID 4856 wrote to memory of 1680	4856	msedge.exe	126
PID 4856 wrote to memory of 1680	4856	msedge.exe	126
PID 4856 wrote to memory of 1680	4856	msedge.exe	126

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net start w32time
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\system32\net.exe
    net start w32time
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3756
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start w32time
      4⤵
      PID:2860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c w32tm /resync /nowait
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\system32\w32tm.exe
    w32tm /resync /nowait
    3⤵
    PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM RainbowSix.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\system32\taskkill.exe
    taskkill /IM RainbowSix.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /flushdns
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:1032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /flushdns
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:740
- C:\Users\Admin\AppData\Local\Temp\ZB6ZYMZI7M.exe
  "C:\Users\Admin\AppData\Local\Temp\ZB6ZYMZI7M.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net start w32time
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\system32\net.exe
      net start w32time
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start w32time
        5⤵
        
        PID:4988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c w32tm /resync /nowait
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4260
  - - C:\Windows\system32\w32tm.exe
      w32tm /resync /nowait
      4⤵
      PID:3468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /IM RainbowSix.exe /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM RainbowSix.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /flushdns
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /flushdns
      4⤵
      Gathers network information
      PID:3920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start https://klar.gg/index.php?link-forums/official-discord-server.16/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://klar.gg/index.php?link-forums/official-discord-server.16/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ff84a0146f8,0x7ff84a014708,0x7ff84a014718
        5⤵
        
        PID:1508
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,7132760546940960132,362760509624597162,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
        5⤵
        
        PID:1680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,7132760546940960132,362760509624597162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1416
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,7132760546940960132,362760509624597162,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
        5⤵
        
        PID:888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7132760546940960132,362760509624597162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
        5⤵
        
        PID:4512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7132760546940960132,362760509624597162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
        5⤵
        
        PID:4788
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,7132760546940960132,362760509624597162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
        5⤵
        
        PID:2332
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,7132760546940960132,362760509624597162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7132760546940960132,362760509624597162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
        5⤵
        
        PID:3552
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7132760546940960132,362760509624597162,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
        5⤵
        
        PID:1064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7132760546940960132,362760509624597162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
        5⤵
        
        PID:4660
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7132760546940960132,362760509624597162,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
        5⤵
        
        PID:4716
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7132760546940960132,362760509624597162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
        5⤵
        
        PID:2972
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7132760546940960132,362760509624597162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
        5⤵
        
        PID:3496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7132760546940960132,362760509624597162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
        5⤵
        
        PID:1252
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7132760546940960132,362760509624597162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
        5⤵
        
        PID:1284
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7132760546940960132,362760509624597162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
        5⤵
        
        PID:2712
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7132760546940960132,362760509624597162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
        5⤵
        
        PID:3136
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7132760546940960132,362760509624597162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
        5⤵
        
        PID:4556
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7132760546940960132,362760509624597162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
        5⤵
        
        PID:4208
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:5032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff849a09758,0x7ff849a09768,0x7ff849a09778
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1916,i,10879914303227387437,8845889204970383514,131072 /prefetch:2
  2⤵
  PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1916,i,10879914303227387437,8845889204970383514,131072 /prefetch:8
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=1916,i,10879914303227387437,8845889204970383514,131072 /prefetch:8
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1916,i,10879914303227387437,8845889204970383514,131072 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1916,i,10879914303227387437,8845889204970383514,131072 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4652 --field-trial-handle=1916,i,10879914303227387437,8845889204970383514,131072 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 --field-trial-handle=1916,i,10879914303227387437,8845889204970383514,131072 /prefetch:8
  2⤵
  PID:740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5264 --field-trial-handle=1916,i,10879914303227387437,8845889204970383514,131072 /prefetch:8
  2⤵
  PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1916,i,10879914303227387437,8845889204970383514,131072 /prefetch:8
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5516 --field-trial-handle=1916,i,10879914303227387437,8845889204970383514,131072 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1652 --field-trial-handle=1916,i,10879914303227387437,8845889204970383514,131072 /prefetch:1
  2⤵
  PID:1660

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
195KB

MD5
89d79dbf26a3c2e22ddd95766fe3173d

SHA1
f38fd066eef4cf4e72a934548eafb5f6abb00b53

SHA256
367ef9ec8dc07f84fed51cac5c75dc1ac87688bbf8f5da8e17655e7917bd7b69

SHA512
ab7ce168e6f59e2250b82ec62857c2f2b08e5a548de85ac82177ac550729287ead40382a7c8a92fbce7f53b106d199b1c8adbb770e47287fc70ea0ea858faba6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
b7653dc326237a9b0b24d48428fe2eac

SHA1
990221ab1e9ed09cb2f198e97f5eb3e0428ac86a

SHA256
b787e3c988331feb47a555afb6916c88d6a14352070507e8bef3b3f428df2bf9

SHA512
8fdf2c6bf33246e08a37895609a4f4fef24e7968eb56c3df2c148fa343201785c770ea8d0f9999595050f060199343afbdc45fafe7c2609335e07c6cf03fb908

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
7d681eb62ee6c19b67e44621ffd671fe

SHA1
45f38f4ee9a1b6a413b722c8a00235d62645bdef

SHA256
285103cd275abc876383d062f5f8b12d68110b3211307fc4dd09ca9752c7c9e8

SHA512
2f7da0ddd18f41abaa6082b38a89e19ac7d1776b2de012db6a0691dc24d4c056c2874a3e660f58b964ec63215939f36d340dcc345b8e2ac2a75fce3e0b5a22eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
b2e561435659a5760172e6ff78b9b848

SHA1
4a17c10b9be9da9566649b950178ef76a071f1b3

SHA256
7a979095d876e9321b0529c0f6f13bd96e2bdcdc8dbbb6cc77613117bafdbc26

SHA512
3829d1e555afcc8fb46419feec8d4faee4126e6c5c1fe35478aad371f5b8755e24b0cf0d3bf74d45f46a6f4df997d0b080614bb1e90dbdd6e78ddceb0a615d61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7542c82f5a969bf61c350e73f5c27111

SHA1
8b5af3718622b5e7631b8a7b464263e462e91bac

SHA256
29de44f095a5e0286fee52b26661fad859093f62dec01e57fd97b7dad8dc2a43

SHA512
7bd220d577041e9559c032c56ab20f15daa7b78d982c03072dc9162527ca87cc5483b0b3a178958df59df06d87151f33ac950f31416cc399265f0581346a3a96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e650165ba4b149f5ca79b455bb645c58

SHA1
0a72e460ab1c4f55620fd074f2c227c01d7c9fbf

SHA256
a38f88bc982b11fe020fbb3b5e52c88c4ca25b1f1acf1110cd820046b685f95a

SHA512
9aeffdb4abe5ace39a305da9dbd72eb51425489b207176aaa315278fcfbcaa5900f90dee536a1f978a94a79be97c8cbbb03e071aebd64102d43635a87c1145ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
44364b1e263f77197011f378200a93c1

SHA1
1e45ff2c3337690c8c0f8b6673a564d37696cc74

SHA256
aca78fb5616535e17e30b16347c2bc3682bc24507fcbbba35b7c23b4bb736e1c

SHA512
922e4c74261997d47e19655d21c45296cab3156ec5a73826a9135643db2f14cd44341bd82de5eb746ac1e0556479fe1e52a933c6e12de9e160bbc18857b19b8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
91b123c7a6cf5b2887f6c922f9cf96ae

SHA1
e4b067f2621742dab92404a6623102902129b253

SHA256
ae157b7798a7a99f868aceeacf1b21223c2c851a075bb39119725990a7e44d81

SHA512
62c82a7d87b9d6850662bd4ca1cf563668c9d32cd90195478501ce313aec97b684c6e050ce194e1ef643b4f8c395da4a43d8e3ebe1874184fbc0ec5bae9ca3d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
c7285318a29f682a77602aa0f972485d

SHA1
6a776282c5cea0ce9da6d67c368b278541512905

SHA256
eb5ecdcc36f4dfb166b5f49a9d76b438ce6b22cca2828667522d9d02d29628ac

SHA512
c424c15685776fc3ff9ebf3b91adb5037f823696a63452f583f78002681bbc41bab1363ac12c47b316c14c7bbfa6494e758c2c409f61bdae5882f7267ef0f0d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e3a17fab4a4f0e9e729515cabc595421

SHA1
1c9d27631eb6469fa836e90ce449b818b1813c56

SHA256
96b2071908b1684a1457df84737aaf022409d33f8cf8aeab5659fe7a540a250a

SHA512
e5f5f6702565ca3c57005264f1a41430a2f617b100d1437513cc3055c096ef34d42f96f3cb4c644fd0f42ce4349a1d7b8a2527b4cc4e3f9c0adb6897ae763540

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7409170aa501e98d017c26b99ba17bc0

SHA1
ce201f55d839761009cdfb01fc5a2bf3f4dfa61f

SHA256
84a3a0a10c3af654a1166d17a0526a753e54f987a162fee4192b6656ddf6e7b5

SHA512
59918f04d5e7a4e8093c18ddcb975908a52d01df72d8a1f21a74fd45c5031308199c5602fb9a7baa49ada321544433df69e0071ad75031aa22254aa175e349b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e8adbde7a4d62b373ffc8536538350a7

SHA1
8b1357a29df7614fbcb9cb499eff46cfc039aa83

SHA256
b7719f1e15285f1bf25a9cd01f49721523fe6b0b15e2be0ee6ffbfd76ad52f83

SHA512
2e57ed98313d04728c117c11fe75ff7c140ad497bb739b11172e539e3d2e1fbd1c7b073c29c5e854d3c129887e6cff992d0273c2b4ca88a0be3e1901cfdef6a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
621dd299ab829881449c3d9a4a7cb748

SHA1
4c6be4801b16680cced3b5a01fde22361e1b954e

SHA256
faf845a2bf4e52bc9e4b8f9fab8715430270f9d317695331531f538c6b869db0

SHA512
48745881f855b73f4fd5764087de6c15a10e442761fe9388664a2c8fb25205ae7279c784d240164eabfead78a630eac05149489acc72b1a4aab90e9c4d9a95ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
43b04b782e8450a07dc29237155c2b89

SHA1
7d40162f69a954025b3223cb7bafbcd7f9bf8e10

SHA256
cc0d64ac89cf8504488a7a7154cafa61ef75f1c1269d1fa5173e5b7b8d21d2e6

SHA512
168dfc4dede5b05f4250930f39f02a24eb5ace91f6b3424a98b23c1b4e60243e84bbcdee6ecc15fad07f89020d16d53192de686581299c5c1cc8f82be7fee838

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
02f4fcba82930b96e20f8ea09397c1d2

SHA1
eb2ad4d05043e9b5c6edeea3bd6d3ba18adc965e

SHA256
29fdf17b396bd85c4a4a2b2c461c76b7825a6febd87689f39fad54e7d2cb995f

SHA512
13f4013a698cdfbcea2d8da7ef888d2771a0a092f8b780ebdd5fbda61794986987f76ed72863792f722e1647dd251ba6e719f0435a35267a63e60d679f56ae2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
254KB

MD5
49813a539b1106b8a4a0eb279034ca60

SHA1
38cd84a4ff36b53fd537558fe0046e77ccc244b0

SHA256
7766548b53d3628506b97b3d10795a9370469780f3b6154376eff9270ac31c1a

SHA512
90a0d9746a74f8f7661f669ed59f7b1dfd7e320199752a9e3f0b201a7425fb32ae1eb4857318f35f46a063844c313f948c4c32037f404160787de9fae7316757

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
254KB

MD5
d345dd31f38610187c0fcdcd380f4e2e

SHA1
59e9b4b8ef45a5840c8e58cd065492e3ff4f8fdc

SHA256
cc8f4b2da65e3dd067b7b4f7c81c7ad0d2f0ae878fed38dd7b50135ea622d961

SHA512
5d1911b7c9442fb9712e611b7bd1d0a08bf2013a5a659d178468805c77d81e94ce02fdb8e61760722e5a049972667c9994f3e01e628439d8323119f9e1151c35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
84f4ba0a469eefcffb36aa69143d0e30

SHA1
491317978f8f0d1c4a65e45cafd3786cfc1e96df

SHA256
2dadca19323276c44d016b14631ec8357de5ecb31f7887121485ad5ef93d58df

SHA512
175e4716a73c679b5b34b7be966993662c2b9f2b53d1e1be320dd2b6c26d4431e86c80f75d2a7e1e00cc9caa09f9249b4528f6e4ac483ffcaacbea26fcd6bbf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e0811105475d528ab174dfdb69f935f3

SHA1
dd9689f0f70a07b4e6fb29607e42d2d5faf1f516

SHA256
c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c

SHA512
8374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
47b2c6613360b818825d076d14c051f7

SHA1
7df7304568313a06540f490bf3305cb89bc03e5c

SHA256
47a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac

SHA512
08d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
464B

MD5
0b62024addd71d7f46fe8f22631361e1

SHA1
c70f12b179e0330d6c8215a6ffbe7808e64c0666

SHA256
cf52840c7a4280ad66ee89aa736a0e376ff1d12438a8c6a2b14d6708c63cdba9

SHA512
72e8ca80998f78be0bba2765720194349659cd8c779b46c51111844465090a890df9c445cc0365386d316d36a430d3818299bae582c7edbd1555b2a949265bc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
87511041129c7ca625d19cbaa98ccded

SHA1
64c8c19ba881d3133b8c324d6b019a78cc58ac8c

SHA256
c1250dd9cf03768607d4e65627efbb1f8e0190c79be2f8cf6ebecf4ebb9e14de

SHA512
dc578eb0c28bb7c380b137d0c841b380c39cac97076792e230eb81b74b11234361dc86be61d3cf3894458a484bb4aee9b04463f9a0609cb56afdb4b714964029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c985b65bc0efdc3be354c28eb264ccc5

SHA1
c68bbab986c61c7b6eaecbde2ab21613284f56e1

SHA256
83d2b04dd8f66496abc42e20b3aeefd982cf9f6e2d31c14a15baa262b78e125d

SHA512
0152d08d8c9a23697f84934d0173f2df322bbfecbdb7903f600e6f61486ddaf821b5158066d9ba9163aabb5f783dbb39ab520cba968d77fe8b2a8b2832f870ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e91a38aa18afe379e4d13da03c758473

SHA1
f8eb2495c103a1cc75ff20b2c8fa430b02207d2f

SHA256
5b975abce460223dace5e508a78b1195cfc29b8f8b242019b37c0a10f84aeda1

SHA512
8d5d7ed1f9aaac10e07b6c534a8706ed34900aeefe2bb14c3395de5007060fc1baa00f293eb091b587e22a482834f416c699bfeed146e3f4fc26983f14330150

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZB6ZYMZI7M.exe

Filesize
5.0MB

MD5
ba0d6e436b6619c4c2001ba92a151a49

SHA1
52a4d81c782592a6836835fa589ffe3e09fa47c2

SHA256
01f32aef7f4f83abac53c93d5d4868135efc87e827d0265d7e908e569506166b

SHA512
fc4d5a33b3a33d5913743eebef5746808c48298043faf8fdb83c7541d647967e922518ef57b81958252186a50664b05c12db9adefdf33108cc7ded4a74801eb1

Download Submit
memory/2208-0-0x00007FF6C9800000-0x00007FF6CA220000-memory.dmp

Filesize
10.1MB

Download
memory/5080-8-0x00007FF677390000-0x00007FF677DB0000-memory.dmp

Filesize
10.1MB

Download