xworm | aa3daa9044183fdddd26aa666da037906992cd6d5ab3c89d189078cc5887113f

Analysis

max time kernel
1050s
max time network
449s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PortCount.exe
Size

72KB
MD5

84bf1bad48c4ea407fb8d5f080bdfcba
SHA1

cfa07b44804435278db73c59038f10dd9eec526f
SHA256

aa3daa9044183fdddd26aa666da037906992cd6d5ab3c89d189078cc5887113f
SHA512

bae4d0d53260b33cdf1f3f833f6e3b0d58db7573b28cb00c704ad5a47d83461bd8877cad4b9efe4ebb443a0290fb76abbcf86f3a848d8f464ebd2bd57e98fa09
SSDEEP

1536:o0h6oNWojEoKOv8X2Y2HyTB+b5z3ih9ehqL6785O+bm+Pa:oMjim7m+b5CehSO+bmsa

Score

10^/10

xworm execution persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

exchange-extends.gl.at.ply.gg:45129

Attributes

Install_directory
%AppData%
install_file
RRStealer.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/3404-1522-0x000000001C0E0000-0x000000001C0EE000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3404-1-0x0000000000810000-0x0000000000828000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\RRStealer.exe	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1116 powershell.exe
724 powershell.exe
5072 powershell.exe
2712 powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PortCount.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	PortCount.exe

Drops startup file 2 IoCs

Processes:

PortCount.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RRStealer.lnk	PortCount.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RRStealer.lnk	PortCount.exe

Executes dropped EXE 7 IoCs

Processes:

RRStealer.exeRRStealer.exeRRStealer.exeRRStealer.exeRRStealer.exeRRStealer.exeRRStealer.exe

pid process

2320 RRStealer.exe
3052 RRStealer.exe
4892 RRStealer.exe
5520 RRStealer.exe
5564 RRStealer.exe
5256 RRStealer.exe
4780 RRStealer.exe

pid	process
2320	RRStealer.exe
3052	RRStealer.exe
4892	RRStealer.exe
5520	RRStealer.exe
5564	RRStealer.exe
5256	RRStealer.exe
4780	RRStealer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

PortCount.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RRStealer = "C:\\Users\\Admin\\AppData\\Roaming\\RRStealer.exe"	PortCount.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 ip-api.com

flow	ioc
27	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

PortCount.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	PortCount.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4280 schtasks.exe

pid	process
4280	schtasks.exe

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exemsedge.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 19 IoCs

Processes:

LogonUI.exechrome.exechrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "156"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133598975113126445"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

PortCount.exe

pid process

3404 PortCount.exe

pid	process
3404	PortCount.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exePortCount.exemsedge.exemsedge.exeidentity_helper.exechrome.exe

pid	process
1116	powershell.exe
1116	powershell.exe
724	powershell.exe
724	powershell.exe
5072	powershell.exe
5072	powershell.exe
2712	powershell.exe
2712	powershell.exe
3404	PortCount.exe
1608	msedge.exe
1608	msedge.exe
4408	msedge.exe
4408	msedge.exe
2232	identity_helper.exe
2232	identity_helper.exe
3604	chrome.exe
3604	chrome.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe
3404	PortCount.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

PortCount.exe

pid process

3404 PortCount.exe

pid	process
3404	PortCount.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
5744
5664
3968
5508
1524
3584
5608
5460
2240
3912
5344
5632
5792
6036
2868
2556
3840
1812
5784
2268
5036
5692
5752
3380
6124
1580
6112
4600
2264
2032
2576
1160
1740
3136
5160
1492
420
3572
4692
5528
5184
464
3952
1672
5712
6016
2752
5244
5660
3944
1188
3976
4568
5256
2316
1696
2036
236
3568
2208
5416
3956
412
3388

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 40 IoCs

Processes:

msedge.exechrome.exechrome.exechrome.exechrome.exe

pid	process
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
5688	chrome.exe
5688	chrome.exe
5688	chrome.exe
5688	chrome.exe
5688	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
112	chrome.exe
112	chrome.exe
112	chrome.exe
112	chrome.exe
112	chrome.exe
112	chrome.exe
112	chrome.exe
112	chrome.exe
112	chrome.exe
112	chrome.exe
112	chrome.exe
4408	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

PortCount.exepowershell.exepowershell.exepowershell.exepowershell.exeRRStealer.exeRRStealer.exeRRStealer.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	3404	PortCount.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	724	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	3404	PortCount.exe
Token: SeDebugPrivilege	2320	RRStealer.exe
Token: SeDebugPrivilege	3052	RRStealer.exe
Token: SeDebugPrivilege	4892	RRStealer.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe
Token: SeCreatePagefilePrivilege	3604	chrome.exe
Token: SeShutdownPrivilege	3604	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exechrome.exechrome.exe

pid	process
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
5688	chrome.exe
5688	chrome.exe
5688	chrome.exe
5688	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exechrome.exechrome.exe

pid	process
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
5688	chrome.exe
5688	chrome.exe
5688	chrome.exe
5688	chrome.exe
5688	chrome.exe
5688	chrome.exe
5688	chrome.exe
5688	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

PortCount.exeLogonUI.exe

pid process

3404 PortCount.exe
2684 LogonUI.exe

pid	process
3404	PortCount.exe
2684	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PortCount.exemsedge.exe

description	pid	process	target process
PID 3404 wrote to memory of 1116	3404	PortCount.exe	powershell.exe
PID 3404 wrote to memory of 1116	3404	PortCount.exe	powershell.exe
PID 3404 wrote to memory of 724	3404	PortCount.exe	powershell.exe
PID 3404 wrote to memory of 724	3404	PortCount.exe	powershell.exe
PID 3404 wrote to memory of 5072	3404	PortCount.exe	powershell.exe
PID 3404 wrote to memory of 5072	3404	PortCount.exe	powershell.exe
PID 3404 wrote to memory of 2712	3404	PortCount.exe	powershell.exe
PID 3404 wrote to memory of 2712	3404	PortCount.exe	powershell.exe
PID 3404 wrote to memory of 4280	3404	PortCount.exe	schtasks.exe
PID 3404 wrote to memory of 4280	3404	PortCount.exe	schtasks.exe
PID 3404 wrote to memory of 4408	3404	PortCount.exe	msedge.exe
PID 3404 wrote to memory of 4408	3404	PortCount.exe	msedge.exe
PID 4408 wrote to memory of 2040	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 2040	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 3680	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 1608	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 1608	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 2724	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 2724	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 2724	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 2724	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 2724	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 2724	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 2724	4408	msedge.exe	msedge.exe
PID 4408 wrote to memory of 2724	4408	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PortCount.exe
"C:\Users\Admin\AppData\Local\Temp\PortCount.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\PortCount.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PortCount.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RRStealer.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RRStealer.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RRStealer" /tr "C:\Users\Admin\AppData\Roaming\RRStealer.exe"
2⤵
- Creates scheduled task(s)
PID:4280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6a8646f8,0x7ffd6a864708,0x7ffd6a864718
3⤵
PID:2040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,16364288819838798784,8828728990949980219,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
3⤵
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,16364288819838798784,8828728990949980219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,16364288819838798784,8828728990949980219,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
3⤵
PID:2724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,16364288819838798784,8828728990949980219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
3⤵
PID:1772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,16364288819838798784,8828728990949980219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3068 /prefetch:1
3⤵
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,16364288819838798784,8828728990949980219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
3⤵
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,16364288819838798784,8828728990949980219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,16364288819838798784,8828728990949980219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
3⤵
PID:1588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,16364288819838798784,8828728990949980219,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
3⤵
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,16364288819838798784,8828728990949980219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
3⤵
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,16364288819838798784,8828728990949980219,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
3⤵
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,16364288819838798784,8828728990949980219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
3⤵
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,16364288819838798784,8828728990949980219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
3⤵
PID:1208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,16364288819838798784,8828728990949980219,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4784 /prefetch:2
3⤵
PID:5292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,16364288819838798784,8828728990949980219,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
3⤵
PID:5856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pornhub.com/
2⤵
PID:1772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6a8646f8,0x7ffd6a864708,0x7ffd6a864718
3⤵
PID:2028

C:\Windows\SYSTEM32\shutdown.exe
shutdown.exe -L
2⤵
PID:1740

C:\Users\Admin\AppData\Roaming\RRStealer.exe
C:\Users\Admin\AppData\Roaming\RRStealer.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2648

C:\Users\Admin\AppData\Roaming\RRStealer.exe
C:\Users\Admin\AppData\Roaming\RRStealer.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Users\Admin\AppData\Roaming\RRStealer.exe
C:\Users\Admin\AppData\Roaming\RRStealer.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd6ad8ab58,0x7ffd6ad8ab68,0x7ffd6ad8ab78
2⤵
PID:2640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:2
2⤵
PID:756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:8
2⤵
PID:2752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2128 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:8
2⤵
PID:4932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:1
2⤵
PID:3536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:1
2⤵
PID:1172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4236 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:1
2⤵
PID:2236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:8
2⤵
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4616 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:8
2⤵
PID:4604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5068 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:1
2⤵
PID:1184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3476 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:8
2⤵
PID:5388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:8
2⤵
PID:5512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4840 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:8
2⤵
PID:5576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4504 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:1
2⤵
PID:5360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2648 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:1
2⤵
PID:5804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5428 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:1
2⤵
PID:5864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5736 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:1
2⤵
PID:5180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5896 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:1
2⤵
PID:5416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5780 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:8
2⤵
PID:3964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5584 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:8
2⤵
PID:5648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5336 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:1
2⤵
PID:5308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4568 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:1
2⤵
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6080 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:1
2⤵
PID:5576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5592 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:8
2⤵
PID:5892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5468 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:8
2⤵
PID:5968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 --field-trial-handle=1932,i,11687248052949194742,10269337744521621737,131072 /prefetch:8
2⤵
PID:2744

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4224

C:\Users\Admin\AppData\Roaming\RRStealer.exe
C:\Users\Admin\AppData\Roaming\RRStealer.exe
1⤵
- Executes dropped EXE
PID:5520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6ad8ab58,0x7ffd6ad8ab68,0x7ffd6ad8ab78
2⤵
PID:5736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=2000,i,14909075299115626276,15141032356182744232,131072 /prefetch:2
2⤵
PID:5804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=2000,i,14909075299115626276,15141032356182744232,131072 /prefetch:8
2⤵
PID:5996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2256 --field-trial-handle=2000,i,14909075299115626276,15141032356182744232,131072 /prefetch:8
2⤵
PID:5800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3008 --field-trial-handle=2000,i,14909075299115626276,15141032356182744232,131072 /prefetch:1
2⤵
PID:4896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3016 --field-trial-handle=2000,i,14909075299115626276,15141032356182744232,131072 /prefetch:1
2⤵
PID:1204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4376 --field-trial-handle=2000,i,14909075299115626276,15141032356182744232,131072 /prefetch:1
2⤵
PID:5716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4520 --field-trial-handle=2000,i,14909075299115626276,15141032356182744232,131072 /prefetch:8
2⤵
PID:2320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4660 --field-trial-handle=2000,i,14909075299115626276,15141032356182744232,131072 /prefetch:8
2⤵
PID:2548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 --field-trial-handle=2000,i,14909075299115626276,15141032356182744232,131072 /prefetch:8
2⤵
PID:5148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4936 --field-trial-handle=2000,i,14909075299115626276,15141032356182744232,131072 /prefetch:8
2⤵
PID:4080

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:5600

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6a6e9ae48,0x7ff6a6e9ae58,0x7ff6a6e9ae68
3⤵
PID:5432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=2000,i,14909075299115626276,15141032356182744232,131072 /prefetch:8
2⤵
PID:5844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4536 --field-trial-handle=2000,i,14909075299115626276,15141032356182744232,131072 /prefetch:1
2⤵
PID:2572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3156 --field-trial-handle=2000,i,14909075299115626276,15141032356182744232,131072 /prefetch:1
2⤵
PID:4916

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6ad8ab58,0x7ffd6ad8ab68,0x7ffd6ad8ab78
2⤵
PID:5224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1688,i,1208680320020167277,2625217554809523232,131072 /prefetch:2
2⤵
PID:3656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=1688,i,1208680320020167277,2625217554809523232,131072 /prefetch:8
2⤵
PID:5988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2124 --field-trial-handle=1688,i,1208680320020167277,2625217554809523232,131072 /prefetch:8
2⤵
PID:5400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1688,i,1208680320020167277,2625217554809523232,131072 /prefetch:1
2⤵
PID:968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1688,i,1208680320020167277,2625217554809523232,131072 /prefetch:1
2⤵
PID:3884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3628 --field-trial-handle=1688,i,1208680320020167277,2625217554809523232,131072 /prefetch:1
2⤵
PID:5204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1688,i,1208680320020167277,2625217554809523232,131072 /prefetch:8
2⤵
PID:5852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4672 --field-trial-handle=1688,i,1208680320020167277,2625217554809523232,131072 /prefetch:8
2⤵
PID:2252

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5856

C:\Users\Admin\AppData\Roaming\RRStealer.exe
C:\Users\Admin\AppData\Roaming\RRStealer.exe
1⤵
- Executes dropped EXE
PID:5564

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3b8 0x4e8
1⤵
PID:5912

C:\Users\Admin\AppData\Roaming\RRStealer.exe
C:\Users\Admin\AppData\Roaming\RRStealer.exe
1⤵
- Executes dropped EXE
PID:5256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6ad8ab58,0x7ffd6ad8ab68,0x7ffd6ad8ab78
2⤵
PID:1416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=2020,i,16628066093394561024,2005609901756689292,131072 /prefetch:2
2⤵
PID:860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=2020,i,16628066093394561024,2005609901756689292,131072 /prefetch:8
2⤵
PID:3416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2288 --field-trial-handle=2020,i,16628066093394561024,2005609901756689292,131072 /prefetch:8
2⤵
PID:4200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=2020,i,16628066093394561024,2005609901756689292,131072 /prefetch:1
2⤵
PID:4612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=2020,i,16628066093394561024,2005609901756689292,131072 /prefetch:1
2⤵
PID:5176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4372 --field-trial-handle=2020,i,16628066093394561024,2005609901756689292,131072 /prefetch:1
2⤵
PID:5732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4516 --field-trial-handle=2020,i,16628066093394561024,2005609901756689292,131072 /prefetch:8
2⤵
PID:5780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=2020,i,16628066093394561024,2005609901756689292,131072 /prefetch:8
2⤵
PID:5004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4164 --field-trial-handle=2020,i,16628066093394561024,2005609901756689292,131072 /prefetch:1
2⤵
PID:2752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4544 --field-trial-handle=2020,i,16628066093394561024,2005609901756689292,131072 /prefetch:1
2⤵
PID:5684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4236 --field-trial-handle=2020,i,16628066093394561024,2005609901756689292,131072 /prefetch:1
2⤵
PID:4076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3448 --field-trial-handle=2020,i,16628066093394561024,2005609901756689292,131072 /prefetch:1
2⤵
PID:3092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4944 --field-trial-handle=2020,i,16628066093394561024,2005609901756689292,131072 /prefetch:1
2⤵
PID:5080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5252 --field-trial-handle=2020,i,16628066093394561024,2005609901756689292,131072 /prefetch:8
2⤵
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5400 --field-trial-handle=2020,i,16628066093394561024,2005609901756689292,131072 /prefetch:8
2⤵
PID:1160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 --field-trial-handle=2020,i,16628066093394561024,2005609901756689292,131072 /prefetch:8
2⤵
PID:6132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 --field-trial-handle=2020,i,16628066093394561024,2005609901756689292,131072 /prefetch:8
2⤵
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 --field-trial-handle=2020,i,16628066093394561024,2005609901756689292,131072 /prefetch:8
2⤵
PID:5632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5308 --field-trial-handle=2020,i,16628066093394561024,2005609901756689292,131072 /prefetch:1
2⤵
PID:3048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4932 --field-trial-handle=2020,i,16628066093394561024,2005609901756689292,131072 /prefetch:1
2⤵
PID:1740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4804 --field-trial-handle=2020,i,16628066093394561024,2005609901756689292,131072 /prefetch:1
2⤵
PID:1856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5584 --field-trial-handle=2020,i,16628066093394561024,2005609901756689292,131072 /prefetch:8
2⤵
PID:5376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5512 --field-trial-handle=2020,i,16628066093394561024,2005609901756689292,131072 /prefetch:8
2⤵
PID:2372

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:6088

C:\Users\Admin\AppData\Roaming\RRStealer.exe
C:\Users\Admin\AppData\Roaming\RRStealer.exe
1⤵
- Executes dropped EXE
PID:4780

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa389d855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
ecca8993047150870094c763386eb4e0

SHA1
e77376a1868359b6270fe9924477d645bd5d7d1d

SHA256
bc2822a5efb199dcc655254b162e8e690280697a639ba9b6901133798470dafc

SHA512
28eee493fd526ef4227665583b28d600954d71babf027c2aa6bc8d72684d4ebe8b84436dd75a7fe29b6d17c8fd91f27a08e4d9deb53e8460a518bd7c09ca297c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0
Filesize
44KB

MD5
5fd70ba044d3e0d4a6d4463c693fd5ff

SHA1
567c8474c107d6723b146cfaa33c6424b6d0698c

SHA256
99b833c51b8924d1c1fab5b7c5b029c00dfc471131ec7d03aa2a9d34aae0be8a

SHA512
2e3ea23005241cf65d20fda04e6d3959ef38339fa204d1debde2784e7f0494b48d6d6595770ccdd179183ed8fbe9453b756b4d3399e01e10456f6b47f6b098eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1
Filesize
264KB

MD5
84c43e83e9e80adeffda9d3b7a8f9f17

SHA1
8d7397ba2193fbb2bbb6c07ea3b9c872c9fcf99e

SHA256
85398adf39290ecbbe222eb4a053698b2223dbf6337eff8ad48a3e8b0fd16721

SHA512
ba5201411c2a4b6d26ce454b50826f86f892b071668ed150de774f2e6204d0045acfee4e207102f04a511b226c7546fe4c43a94a02a2a40b8d3a57f4a70b68d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2
Filesize
1.0MB

MD5
9075809548a983c7a99037da209fafdf

SHA1
444e219ea65edf298208b02bc8f472d0844bb503

SHA256
109a4cd9dcb121c18046348d8a318796d61ac73af403755371c8172a35803551

SHA512
13486ba7e4101e7578101442a11592ce2c6664d192b7111f71ba6275495d04f974f5598a9d8288b4be76a7b48e8154feb4602498c0c410eebc623006e9ba06b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3
Filesize
4.0MB

MD5
fc1f50a30c85304c43f37b507fc4f778

SHA1
3e30e7f43c0df58300b9b52c64cbed06e9fb8d7f

SHA256
dce2e2225892fc5bd95946d4f83cfd1addadeac61923716ff0beee19d82cefda

SHA512
a908d788be8ed97e1f14acbce7fbe6a1ee6cc7e022fd9176c5d925b364c5f4dc418a2d1db069bc8687cc62117d7e004df0d2a902df772fd5cecc539dc2231d33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
Filesize
58KB

MD5
188496839a8ec880e8955e85b5d98e48

SHA1
63c0f3876ad72a170ba618ad765132048acb970e

SHA256
875394931d73230a8688b89796970d4513c45bffad839b5e448ad48c9a3285e3

SHA512
8288040c3a97cca7528ae5ecbd6fc73ec389a492ecdb7443979297f50e324e86220b8beeb2ada80cd836cdf32046d2199afb4d81d3a62078559335cc0b1be162

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00005e
Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000073
Filesize
68KB

MD5
aa86646964183bf2ebe438948bb5f13c

SHA1
e2cfff808e31d0d313152ed9187c3e970572959b

SHA256
c496fad570eec018595ef4c05371462bb36e680cfc8e7c931669d08f507500ba

SHA512
1953f199e08c01c8d4fad27d8494261f4e9d4ed29685e49c100fb712daaaf47209ce9fac13a1c98afc6e5fc0caab929e0fb5f89fb612c42133e5229f51568dc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
f1ead7098bd0afd22a17fea8ddb8eaab

SHA1
b9312b6ada8cb02616a1722169c297e2a3dc4883

SHA256
65d3b25635c8348e9daccfb70dc4de69e4410a5edc1e7aaf73bc5ba41d5f9395

SHA512
f2142a68e3572836799c4ef125d8f48c40ad26c9b7968d07337fc1cd738dd510b1175080846300fe94b5841255fe6c7f49a5a6aa389166591ba5e31155978af7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
79252fc2ea1480dff3d1bcae28a3ccdb

SHA1
1524c94d6ecadcbe389c3db6c3234b86a8d3b882

SHA256
239b741a18768e38daa495aacf644de1105c96327a3283d7f32616b4f034b892

SHA512
3f494e29173a58482e4e152288682db718fe5c4a320ce48e302b37d7c44b05f19bc46d509029c94783c647614324739fa69b43e09d3f7f229c14ffd3a8662942

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
c3c0a3db5301d7d3b02ab62aa8d1540f

SHA1
d0de9fff29858e6e4eabe22715948514473e5921

SHA256
3a402fbbf2a12184abb57cecfa376b375db93f6ae494ca3cc1bf752f0d2f1416

SHA512
9948db65cbae01df0f73ab423cae84b0dc730e59f017068fc5b317ceea2d742589f6fbd349d9dc2c33b401295a4ecf68c74df63929614ebe3db73d6623001455

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons
Filesize
20KB

MD5
853def175999783d80c9b39d71cce33d

SHA1
f3e11fee0f075d714d165f2cc3d75c6286f8a067

SHA256
01dd3c92dd34d567a7e181b3ac6f2f9455889b1cec8859a880d884faa1af16f6

SHA512
9a30597fb28d72488a9c6b2bc4c32cc9f45685dfffb66b01abec04e7fa1cd449f98fd66677ec789492d1f4489f109efd3eda83bc9c7a9f3060dfb2b80f617450

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
89ffb07aec17915384706c1190faf08b

SHA1
a8b0543d21415579ac2fdac6acb1f6e2a8c5fda6

SHA256
e19e75d72e416e9d44c556a2650b0987473fb46bbb4fbe290ae9c9c2044b98b9

SHA512
87f90c5289505798fce4846e0924e4cf7ae7252c118a866d30016b7822de2a16ed8e0d432b69f06ae86c3776bd01331b226c691d9aeec2d87442e7a0717c56c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
Filesize
152KB

MD5
97beb59535895c433a56a27ae591e9a3

SHA1
458870c3424e355f30d4a6ab358822ac615e36bd

SHA256
c8af9fc8a7e107398bfd9379d588448a5a5417b15b3f52bcbef82649a5fc0fba

SHA512
a98a5f087bfdb5f0e5e4471807f14f24ff3ce4a1c60ab2caddb9f6df850979cddd5e9ce187383d2fa547255759dcb67837e60e8a09ab2f5d4ae3d576cf682cce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
4KB

MD5
0effef447de4f8dd3b7a2e1fa1ca8ff5

SHA1
82be91adf219be2a0ce732b70ea3b02a1b218757

SHA256
bf36e09b80f6629f608c1d1faf01fb7e7809cf89b2a48afb5080fdf44e40fa6f

SHA512
9a1c429b01f7cc8146f47831f4c25293c3172c381d75ecd30767b9b711ebd9f379ecc66bd6ba93d44a331a0846cfe3c9d808c153d7729c2b5525fa63670bae46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
446ae2a5a42415d23ee4e86eaf9ad4d7

SHA1
7f627702ce0537d15dda67198a2d17fda0d70905

SHA256
66d0229fb0a9cdfd4cc119e7c3513189abf8af677347d80458c38daf23393c0e

SHA512
7f7933bd9d33eb895dbcd965e7a7391eb88c478af945a77589a09a7dcb6d3ec76b26d1691a9a2723b9513087a3fe5e4f824dce4a221dea9fd4717047219b49b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
4KB

MD5
5c61fc771e0142ac7a898544cbe6b125

SHA1
4257b7ae44338987315a5b28f7541e0c0e1b6198

SHA256
1bdbb5697b2618ae31fb05ac814fbd85918b8af6811f8d6ef5f8b6443ab3ee9e

SHA512
6c399ce72bf9a3c0b05c1411d9abb33b37642c96781d27be91d8f303f62dfbc5109c03e50b32402ff98e317f52c995f052b78751b5c25328491fb8be3f690d67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
4KB

MD5
68ba12295dbec96584d501cbaa7fe50f

SHA1
e979e00563ad0893a6ae7a4dd8da6a7b8d9326d5

SHA256
1e65b30d684ced3aee12ad02dc9f848dca218511fbeaa635a196cf0b13b2cc30

SHA512
86a72e262fbf2ce3d462ed3405bf7e5a28f79e1e6252fc7cda6b3c3362b32b2f1d09c03b773b16f3343e318627d251c4a511a36ed0933d9dbd6910d76b0c0c07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
4KB

MD5
1f66f7919f35f07b53d6d3fbf63b9973

SHA1
00d9363905dd4ac773afefff92acf1bf50bb10f8

SHA256
eb99f649f2cc9b828ea2989853878fc41e62340573c87b4bd318314c56186637

SHA512
6bc07ae764202491e5b83f8c5444426a81e867c7a71eeda85f3d3ddc1673aa08457aa80660c4f6e89b28d99e0fc93b0a73de1d396e4d8b9bb5d8da873cfb78f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
4KB

MD5
fccae9c78e9dd0a337f6e2fbf2b83860

SHA1
bb49252e2929e99f304fe0bfe17c49378f622b22

SHA256
c2e78b814c27d6f647af4adc1fa567d3c7e9fe667cfb4311126c0a572744efc8

SHA512
a0d811992db25a21bfe43d6a0d370275f22cf6cae0813db43f62e5b527f578c09803bd83e32db0f199177eb3e13c5fcd8e96c35501fa549762b3308aab6e148b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
a9d7c204580a48713e2cdfbc74d63592

SHA1
b6969aaf30d99cb4f7a01c9985d3344899d55964

SHA256
4952bf9ad992f639e504aea0497edb8265c7bbef425fe7764e92356441ddb230

SHA512
cf4765413de1b12c9ee5b05a4917ecf0c28ae6622a0e1d5f2544b70650c5cdbdd5434be3bd0871b19242998040913e51747f09e1194909d7eda95a75cb1a4bdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
4KB

MD5
81cac503ae0f04306e827eae0c4cbc3b

SHA1
eebd1b0a97be6c3f1076328f38724788278d75b7

SHA256
dda56e227863785f936e50c97905ddbc5b9fb819820ca1c2d1881b14030591d0

SHA512
9c52df73119c4f2e480431e231eb6896041748adfa228487ddb3a7a7a55edf8463a072bb999db1ae5cfda1be314146829ce5009749d603a968bbde83ccd46b87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\f9a9b924-5cc3-4653-a702-86ce7304ead8.tmp
Filesize
11KB

MD5
b832e5d49c3290532d12e9b9812f98c9

SHA1
a6309b1c9f0342c0d62b37cea88e2d7355dfd785

SHA256
d3bacc9832ccd7deecfb619bc195fb94a2a5038b2c94c222d93e3dec90d19dec

SHA512
8f0dc53cbc651babb1137e1bf4b6ea1dff5ea3ff66570bcfa7f2eccfb52f3629ce18e23b73819765a7e598991ceee847aff5fc00d6c9427e173d1ffa952a9298

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
971acffa264cee29a743ffcefbb18292

SHA1
71daa1b23168b3432cb42b7eedb57bde266ac801

SHA256
ff7aac9fc9dfd875d29875fb6b61a5b723c087834cf7cc22a1149dedfbeda6eb

SHA512
004d178a574aa07779a17fef497362c335603d27e2e11dd21da9c932433a6a955cd225cabf716379e51c1fc6e01510ca2cc61bc6cb9049f448bdcdc5c66445dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
4791e36712536a13f6ab3d5bdd343ec5

SHA1
621723ab4952d2e810dc36fae2e0ab8334b0753a

SHA256
5d4c1d2b7ff71d52a58ba2108edf92cfe81b37780792551b0797ccb83fc497ae

SHA512
270ff64b1b6970b30cf6d70bf0a75e66def1c957af333c6f49705d03878a57bbda001b984df5303a0bb08f5fe8e612812a1092ca9302aee0c0e190372a6ee444

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
baecb501c90219dd4493c6d90502d73e

SHA1
7fa92cbc0887be8bc9ea86a741dfc00d8931b180

SHA256
9dcac857e0c6ba89c9bdb54f2cfe30f510e7867cceed1aaa83d0f2fb656dcb2a

SHA512
25e72eb3d9cd45a282c8d7e7fbd95c0f114a42bf8479a16c5ebd2a65b704d6a4dd5c70ada95c35c1523a6c6f8be46fd58e5a02d43155642723664e432aa2bf4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
11d2ad174fde94fe2d8cf09c70af43f3

SHA1
63ca1503bdf9f0a17e7aa4fbe1d8b77b61709f18

SHA256
451a0a3cb90c1f96cb719e4a48f59c3ef39fc95816e64adeb5db908bc429f8ed

SHA512
9531a2bc3141a455c1757b9ca5e0b329487ff258f064b85421d01af998552e2313b0b8c1dde71025071f13a2ed5dcf41392e17e2f3eb8f4d8b686d713a2eefa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
cb851659a8e3fdf2f7538a1d5aa8f5f9

SHA1
848ffbf83badd510a45b98727efd2d52f6ede915

SHA256
e4b25b93cbfe8c52ca6f6a229c30bb089f69f2936f12ec2329d76a0337c1cd7a

SHA512
5a7f1e9c6a8a4b25bbdd99c6fa032ab61086c874a9a176b849f797399c2a7e3bb256138380650dbbf60132ed25c6d2aaf2cde30b58b0d98869e408ab80928b50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
8611d47fea89f2301b7d48b45c9867bb

SHA1
8bbef8e86d940705f022cfb8f8e9c55b3ccd2bbb

SHA256
9354bd0932707f2a230d760a2537a3b1dc649ef5bd4374a594d6f1dc74fcf6ce

SHA512
04011a69a57b719e2591059c92a59590b7f376408779d9141fb32992c512791c337d2f1d9055380caa2fafebbc07f564ac0c4cd39262654feb4541caa34dd595

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
e29167fda233ad4399d836904d130917

SHA1
e72e6eb7db0651a9b39e1f71bbb7908d1c571e70

SHA256
e2d141dae83107ce3494bb945641f0d9530ac1d9eec9994563ef4a43d24e0a33

SHA512
51f0db2882813fff1cda2baa76d6852a48b6e806707889933bad43d3208e2afd447f75c44af373194e0ce1182cedeb6d16c4e9958ae27032fd4bb4c51b076a8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
1d8a967fb4de1920f36158ced95b24f6

SHA1
4a2c86628cf9a4f57f37f36c22cd22743d72a0ff

SHA256
3b74b25947a956b8075553c6e51b96d9f0573f78c9da33fe64bd25d9a3df9a98

SHA512
ce76099ec4cd4f0464f59e3e224d81c5bdce307f83c5bf334dbd738ba283aa5d45f7867b228bbcfe6b5b390cba33b754b198146052eedb19fa9963d5f2183f74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
1684781e1bc371cbd53a82426406a914

SHA1
913357e610c92ea58af142f2c51d1a91e15c4a76

SHA256
974c09ded1d8da9b708e2e608359d23c839de4487c069e3c7caeb93c530064e4

SHA512
2609f94303feeece13082a2db822bc60a202fddd294aff75c1c94e229396e5facf2ae0f160bade7e6419c5815792aa25555712e4965048ea1257006b313c21b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
c2cb0dd5643fb90a79e690e49a0c6ba6

SHA1
52b626a881503d6dc8c8a108a8569c712fb5e94b

SHA256
f115ced56f9c728fe3205616811e3542d874e66adbd2372c12ad7e0026dadc6c

SHA512
c21ef34e265e8caaf574203b142d4164ad29a903cef2cf56c2a9314a410d4515ee5073f3a3578cf4be1a37e8e44e6fc191231f608f2d56db188c344f4358544e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
91d4102e84fa7dabdebb5fa38c92636f

SHA1
5f9dd4381204858ce9b978bb8619c8611ac7c641

SHA256
967bcbe6dede5348652af9b9dfc14b5b029b676121adf4da85e11f80b0153881

SHA512
a17eb3eff01ddab49ec26b0fc06848306a9449f57a97d4e708fe96e1ae28b594fcbfa31273218b157766d58cbdafc887093ddf59c49243a4d61c1bad36177973

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
120B

MD5
b900235f3ea9c02eab72677011a95c5f

SHA1
a5b89083f7ae19a37a730f5ddc760dc06117fb03

SHA256
3b161f15205ca3d48852a541d49022e66c0650f2f7644bb8d5e15341cbc503e7

SHA512
687adf0eb7e9814864bfb90af1a9937a107be1022f0a10e71f35ee4847dd2c1dd058c684bf3a8e55236365170387a33f92f6ffba1b275ed1d928b76ad806d6f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
Filesize
345B

MD5
e46397eb2662ced4e07827dffdac0f31

SHA1
ba1d62bb2fec145295c446672c72520cdf859556

SHA256
46010676b6a7e6bb8f818c17a871336878ad0c79c976c7a956b9fddedcae6cf6

SHA512
ba633a9b7cbd23e9901667953b4fb164d1609a8efa8707d06535671b79f979fc67e73efd1a409d5ef9fd57e1917dd762ee3753a6815f71785b1c1e16f63875f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links
Filesize
128KB

MD5
f651baa74a5c4ae0a6b3cb3ff2138b2f

SHA1
6bd8f561cf380b753386dc41bea0e1c28ebafa22

SHA256
0ffeaabc09c50ac494f65b567088c0736c38af3caef2e260dcf92d9878a254ec

SHA512
7cecf5401017f6af41f6e66606043392d98544db94a434c0c4b9c6bcd12a8c8dd7614fb1b713ccaf1539b3859455e99c5d4255733f3a92d439e185bc2bb8c885

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e34dfb9a-57ec-48db-8b9b-98bfbac50969.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
Filesize
14B

MD5
009b9a2ee7afbf6dd0b9617fc8f8ecba

SHA1
c97ed0652e731fc412e3b7bdfca2994b7cc206a7

SHA256
de607a2c68f52e15a104ead9ecbaa3e6862fdb11eac080e408ba4d69f1f7a915

SHA512
6161dd952ae140a8fb8aa5e33f06bc65fdc15ce3fbfe4c576dc2668c86bce4a1d5c1112caee014e5efa3698547faad3bc80ec253eedb43148e36e1a02ce89910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
256KB

MD5
259b36703ee8c5b4d58a1c9f0304e8fc

SHA1
59f43b909f78a5b4849676c702ba38d3293e8846

SHA256
294a2f25934c49e444d96285fb64c670b048caf51d88e254e2a5b669cde68682

SHA512
f91a632ce3ac1de201934129384910a2186d3c50a84040d3bce535f1e21913f66361baa43283e77a82a268f3b636c547ecab70644cc14c923a8a38ba0c2402f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
d2102b9e6249021fb00712621cd1a84b

SHA1
7d6266c5e9a54f57ef650aaddcce757b1810539b

SHA256
54be000300d9609fa1ab9f441cdf92a7774659743a643ba53f07e3cae6a9c4a8

SHA512
a9b141f80d0f7d1d3d31fa61d4e81bcde7bd1d25de060c7076904fd212dbde3b9a5d1c42e00ab53f384332302990f4882043b4c948d3336f3ff4fdd7ddca5cf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
411a72de4573e0d7ed77e1e0d461addd

SHA1
0a561a1a2de18984d2f2151add5a8051c2ed0f13

SHA256
ef87c4bb7f4370479ce80711933f94a9f748f44067bec57c4e300e977bf7dff6

SHA512
cd8b37a3fddb21b16926831b6710bf2d5d8b5e268591f3c87c9a637904945bdd68fa4527d95a8d585bba213c0fd94ad43fea188250bdf42761971e38aed11124

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
256KB

MD5
6fc77e0126dfa48539cd559f0e872457

SHA1
24ea9b809e51c20421515f64083c5ada3fd03880

SHA256
eea07dd95b3b05db348702e6125c5a06dfbd41b1c6d6fd34065d0b42a387a5ce

SHA512
16a3e368a56def16461d40b51591d23add4cd65147d560073f33d2d1fc14700bfc4ebbd6fc342834db77159324a31c90ba73fcf9e6eefc1957b9e9d0ef631efd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
f6f4e8df420218adbadedbedded093d6

SHA1
6ad2ccd4a9f19232b29939d20bdf8851b78c7821

SHA256
bb0c75dc49c629c3a60cb5c7ac5b89d86cdb19d81ba28aa84aec5ac2993d6020

SHA512
095bddb13751576150e683ead0bf87b1fc6b42002ec0ea4f16405056ca69a75c9c0d8c64f5c608ae45421ea7fc730da4c5d2c073e3eb4ead944e75e9d8e301c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
5ca71a89160bc764bf21abd0a129523a

SHA1
97a975f20a1935c9a4532677fb3ad1647deaa526

SHA256
354ac811acbc739cdc966d66ef265adc2d8f1d8b0b67f8b978dd3c19f56fd1ec

SHA512
c4c95d0a510af8ae28f8ef9f2ad6c4989678d1db38d7ba6fb57beac7371a5a24bcc5572e075aab3d842a9d0f835974017500fab1ec838e67af81c0dd5db35a46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
6b316ae01d00ba67f5531801081d1eec

SHA1
a4867ede2653e4ea6f540f639f60ae87f9c9cd34

SHA256
08c5ded36faf9759c9cb37623e4e9c6cbd345079dca592a72e056df1a16077b3

SHA512
3f4e26217c376e1adcd7612c1c7f3bf6efd3d8fa8e3a0c07abda5edb9a4510c9a1f55efd8e43ad21ad40457cd6fd0478aed216bb76aad63c50e09ecd816cac48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
256KB

MD5
252ca568bbf9fa9b263f8589e844013b

SHA1
5295e33a0ad320567f0267babbb55a7e2b74be34

SHA256
6e28d7a3ca4a7e8fb8796a5c1b02a13586db3b778f5b10d1f394c8566469d959

SHA512
8da54b031383ccb3b5503ac549d1a223f53757f94921d9cee5e6bfb7d89fb3fd3cd0c82f7c74eee38f7418247dc47baf257624eacf45f2fe802c723a0c33c3b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
9e0fa629a6a6eb695073e74d04a2038b

SHA1
3b3215aabfea783fab59659b8f10d71447da90bf

SHA256
b90910286bf500d045874b7877cddce9793d6e822fb3466ab016f64832a759bb

SHA512
dbe2d168dd13cbc9a329784cdde007e23f908427a09f9ec8a7ca420dad6b9e3ae962af130dccc808f73cc4c7436f0d339cd8e614489e4b8a2d27ff4093c30558

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
256KB

MD5
94dac403c37df38adcb60921ac245066

SHA1
ed855361ead34ff3ec4cee2b04b9d4c3e1f20168

SHA256
ce9a10cde017fdb354da2a98e56e57c94e625ac8b07fa3fc377d72668351e5ed

SHA512
3b891db6cf59965c8bef01646f88593fe32c71b59a5f5eb9e7ac7212778f157bda530dcc320e92250e7a8c0e92b17956226729cdf4591f51b31dd74d0b4ebf86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
2f0cc96901aead5c23adb16a72188382

SHA1
b9a9b66c286984e672f7800ed2241770cf539404

SHA256
242b6f48a469df88fd37c3b1354575bbae0a0d88540ef818627e8928029e3c33

SHA512
299033edadcb78844f73d7865639664836f4e091777e96dbd6ace6788e8118b5d7f24e5670be8400b0f08d41d986e41e6c8309cafb3aa83e5bd0feeeb7752e87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
96KB

MD5
11d967fe6ba12502fa1aacaa06480f89

SHA1
a8ff60f835d43e1a3918c96ccf50d1a5e0e8271a

SHA256
c40d68004df2f04fa4707e333452471adeea897b1de8eb554071cf5e815adc5c

SHA512
938d696e31d338ca8f0ea2a45f99a911f093e744a4f0ec1184d537e54715f4ee1b9355c1eb728e6c21649567671a5f3918187e7c023dff03f0e32ba539bd0222

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
95KB

MD5
a20faf47bd175c777b3498e59cfbbf94

SHA1
424f071d1daf0cbbff271ddd03a6ed4781d5c66d

SHA256
034c05b394a3d89b58a588b3d148103191fc0b8dcabc86921502df8e3b569795

SHA512
72a1e137026169e0baf64e000c736c38cfc5b2405a5b0795b819f09df33400ad98257b72c40a80474fe9c2d0f10e93671b056d776f21d48a4c384a4a6f7e6547

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5aeacf.TMP
Filesize
89KB

MD5
415417d57cce70bf6ad388b0c7be5bce

SHA1
c0467d30176de543b9888b5510ddee15c34e1e1d

SHA256
559bc1df70be4ec23d8ebd1855563de86eb311a4248129e5d909c933b95ba743

SHA512
87773a09d7cfbd8e955b346a2c76824bba3809018415a664a256c8dd6a74855b1134cc3ff163404eb54c71ba78bfc7fa2298ee6f8345ae56f8a02750a7f2b1cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
39478ecef2b6f8ef9d1cdbe1eebb1ae8

SHA1
b4b52395c188b650ef14a8d20d88694aa473e40a

SHA256
8789549e8acec0da78a2c7f5383224f93f7c9bb7d72b14d0c1722d182635ade6

SHA512
082edd487dcf03903730a921e456aa003ebfafd0aa0b11aad6c4b38ba7dece502732fe531b490bf006e301467d1ac5ed86d1e50389b2620758b6c137a7e76eb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RRStealer.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
840B

MD5
e57c0819292504f9063bad5dd69114a3

SHA1
5a3a92c0092fe3d6c84fdf8812c87567a22352a5

SHA256
e2736e33f740cc4c55c35d4a3a24661286df49d3c56483a98a24d696f1637d11

SHA512
b24ef0a0e665044edc3f3d3d59e958eacfee1d295a98f3f3f109a63ec8811e30a310c89f9f42b37267293e41365b1f510a30118589d21e0a40eac8bff47f3524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
3cd0bb1f9d8f643bc14e5b1a6561374a

SHA1
8971826f8a5a7d39063b86af02c7a2d1b3d69bfe

SHA256
658bbfe55d8638d6b00bcd525ce02eb914b2ae6ba25ab60b703b64638564da77

SHA512
0e17ceb4c418cf6775886423da15a69160f9b52e9f11278f87b6c74c0edf3bc85d71997b71f01f35a59799b4fa1c31a5ae01c602475c6b82570918d56118adc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
4bc7d081489b0440f105a6fd47ebd522

SHA1
92c49af1d0803acb800dca3d76006d1d54de7aa7

SHA256
ca1d4203da476ec997fd04fcad15c92519fe3ff1e30b6d08e3b443ca63553d22

SHA512
f6ac723b05b6c560de396d1365dbfc0cf38ff02978a1478671cbf6c1cbabb64403e395df5de1952dafe0be7dcddf25295d141fb7532b6e204db0159aac46858b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f850d440f50bcfab449a26acf7d9d1cd

SHA1
ae3b2a31c7b8fb4dffbe525cefa63a2e98ec31a3

SHA256
fd10dccd9a28b86fcd90b6759183419a528ac2879b557b99b9ee77f7d2707bbc

SHA512
4030b9fc96ed3311b3131459a5bd58bff55cd4ea85efcb5364a9da5b27570ab2cdef1158458ed386b4a7fc9993b421098f67c2378f2521744f929cc2898e6901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
8e6ae25a402774f2ec90761719e3a705

SHA1
4e840a6e88ef11fd3a829ac9012fe3d9f2e471a1

SHA256
f00c684f69474f0900665e282c4ecac9942d072980c559a8adb5882358372084

SHA512
873127b2b499d2083b8187f45bfa881e1bde44099c977661cb7cb828b67903b5911fd9a051301d8f6502a75f38a711b8a1fb787c3b6a52790a54d37e28f5e528

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
5059c60ca4c602b4d11aae7c6a1e7965

SHA1
ca4e538a18d17c3dee65edfc6305218f6c773888

SHA256
2705fd015ac610fafba686d131d72ced2038ce19ca111fb9daa8868e4bcccd1a

SHA512
60c6dc700db8dde724ca62d071a4eb56e356eb2b01b341e7cf72228f45c1cd53fb26b81a724d6697f9e021d7daacf31ccc9bca0440b0963c9bf4a759442296a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
b8365bfc3b25a6e3e3fe508ced1ac8d5

SHA1
9990cf81cc1aef46473985dd4e97e091088685a5

SHA256
2c6065721090095d4a86f97373b78ac4550ffd3aa06ddfe1b39fca76f5fbfd2f

SHA512
535c266d81198dc0eafdfd09df5e5d214f4c3d2d746405e9e9d19501b7027e4056d592f9b2f64edde113526d2e37d3b5799ab0edf8c94d6f17c37f9927591463

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe593176.TMP
Filesize
48B

MD5
e6887ecaaee99f5e1cc259061d3ff4ba

SHA1
6450d10d453f357b08cb1207d4f179514c984f35

SHA256
d5d92fdf3c58974940c1625b759cbd7f5d38e39921f2db0c2eb81db5b6365a0f

SHA512
57db3ae025aad3658198f708e9c466c3e9b07b38dbcc8a29bfc35df4e0de7ffde0d2ac9ee259c6574302109907fc94846c460b453d43da1f75ad3d232af91a18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
6f6f3c6c2f48da91b9b12f10755e64fd

SHA1
028c6a8944321d1f2d62ab0375e5e0a3a50f997f

SHA256
18df55d1dc9b2c72f8ea87ab343611bfe97eeb8947605fd989eebd27cc3acede

SHA512
a5c2eaee70543c62b03d734a4d860b8120d94f1dcaefe5127566baa850584dd46a4930daf8626fecedfd94b496b90b7b76ebda7f3285d3bc65ff9e3a88cf0f6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
39fe6b5fe3562f5af6bf542555ce8fd6

SHA1
8c496d0dbb38f0e81e4a6e97f387bde51c112518

SHA256
d285006c134d6ecb8df7ad3723b7871dcd1a268d4c14fe35695529b749deee13

SHA512
c3554e28544deef8ecfca800c7ff6f34bf0cf92f5e48892b12a0bf1847370e84fab4f746d7a1571055991fe18b04acc24a5c4d991bb2025d63f8624d5bcbdcb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5eb81cde8cee124b01a4d426231847d1

SHA1
b12e8b550d67367d5b1e3d26fc0b904492a92f78

SHA256
bd1ff506985459324bb82850df64c3799b3d97288b1e16a4e8366ae42f178cd9

SHA512
0af8f6adccd1df70ee3fe2f7b0e362ffa0ecfbd868a6b156b2b46fea0c30f2f3ff71b5bd454cb0d1f715d302e2ad7b544acb7a799b47cf007172df2246a9e0f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
65a68df1062af34622552c4f644a5708

SHA1
6f6ecf7b4b635abb0b132d95dac2759dc14b50af

SHA256
718dc2f5f4a6dbb7fab7f3db05bd7f602fb16526caae7084ab46c3ab4e7bad35

SHA512
4e460eb566032942547b58411222dd26ae300a95f83cf5ae6df58ebd28594341123611b348bd4031a33bc7f38307d5cb8fb677bba8c896919e3eee677a104d4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
f0b4a970a2d1c2af82c57c3c4d103630

SHA1
359d6f49f824626e36102af871a3f0de864a0531

SHA256
f55419719619d6f12eef7e369a1901e1764030a884cfe6fae3d35c088bc8da4b

SHA512
39a1d0e1876262f978f42d97734111dd18d2b5747c12bd1e85218916e7d85b0f2991873c2b43f9b3378d9b102c048309d96fb6ff956af1211fe2b6b2fc997db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jwsalk0y.3hd.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\RRStealer.exe
Filesize
72KB

MD5
84bf1bad48c4ea407fb8d5f080bdfcba

SHA1
cfa07b44804435278db73c59038f10dd9eec526f

SHA256
aa3daa9044183fdddd26aa666da037906992cd6d5ab3c89d189078cc5887113f

SHA512
bae4d0d53260b33cdf1f3f833f6e3b0d58db7573b28cb00c704ad5a47d83461bd8877cad4b9efe4ebb443a0290fb76abbcf86f3a848d8f464ebd2bd57e98fa09

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html
Filesize
639B

MD5
d2dbbc3383add4cbd9ba8e1e35872552

SHA1
020abbc821b2fe22c4b2a89d413d382e48770b6f

SHA256
5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

SHA512
bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC
Filesize
16B

MD5
f6f90d7d5a55ed1fe911f02649bc75cd

SHA1
f56c1b4a315c39f7184753b675d1d518482227e6

SHA256
f799e6766cdc9dcdcf471685fee84110182766f03b20560ee6366bdfe6848c64

SHA512
4aea3acdc2ccbcbcc4e98bfb2ef1fdb889f7b11ae7d54441664656cd94225c938a4575087aa6f2b54acb6d52491de7f78f0f4655f1424eeff23c7a30adbfc0bc

Download Submit
\??\pipe\LOCAL\crashpad_4408_LEXYLOVKIFQZSAGC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1116-3-0x00007FFD6E660000-0x00007FFD6F121000-memory.dmp

Filesize
10.8MB

Download
memory/1116-14-0x00007FFD6E660000-0x00007FFD6F121000-memory.dmp

Filesize
10.8MB

Download
memory/1116-13-0x000001F61C3B0000-0x000001F61C3D2000-memory.dmp

Filesize
136KB

Download
memory/1116-15-0x00007FFD6E660000-0x00007FFD6F121000-memory.dmp

Filesize
10.8MB

Download
memory/1116-18-0x00007FFD6E660000-0x00007FFD6F121000-memory.dmp

Filesize
10.8MB

Download
memory/3404-58-0x00007FFD6E660000-0x00007FFD6F121000-memory.dmp

Filesize
10.8MB

Download
memory/3404-1527-0x0000000000F30000-0x0000000000F3A000-memory.dmp

Filesize
40KB

Download
memory/3404-1526-0x0000000000F20000-0x0000000000F2A000-memory.dmp

Filesize
40KB

Download
memory/3404-1525-0x000000001C060000-0x000000001C072000-memory.dmp

Filesize
72KB

Download
memory/3404-1524-0x000000001B9E0000-0x000000001B9EA000-memory.dmp

Filesize
40KB

Download
memory/3404-1523-0x000000001B910000-0x000000001B99E000-memory.dmp

Filesize
568KB

Download
memory/3404-1522-0x000000001C0E0000-0x000000001C0EE000-memory.dmp

Filesize
56KB

Download
memory/3404-57-0x00007FFD6E663000-0x00007FFD6E665000-memory.dmp

Filesize
8KB

Download
memory/3404-63-0x00000000010F0000-0x00000000010FC000-memory.dmp

Filesize
48KB

Download
memory/3404-0-0x00007FFD6E663000-0x00007FFD6E665000-memory.dmp

Filesize
8KB

Download
memory/3404-2-0x00007FFD6E660000-0x00007FFD6F121000-memory.dmp

Filesize
10.8MB

Download
memory/3404-1-0x0000000000810000-0x0000000000828000-memory.dmp

Filesize
96KB

Download
memory/3404-497-0x000000001B530000-0x000000001B53C000-memory.dmp

Filesize
48KB

Download
memory/3404-1873-0x00007FFD6E660000-0x00007FFD6F121000-memory.dmp

Filesize
10.8MB

Download