hxxps://cdn[.]discordapp[.]com/attachments/1239589556853149827/1241678944185614386/esp_pack[.]rar?ex=664db621&is=664c64a1&hm=80c4f4d8e19cabfd14de440b9017e550e42e10bbd64aee4268f7f08010f95bb7&

Analysis

max time kernel
1799s
max time network
1685s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1239589556853149827/1241678944185614386/esp_pack.rar?ex=664db621&is=664c64a1&hm=80c4f4d8e19cabfd14de440b9017e550e42e10bbd64aee4268f7f08010f95bb7&

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133607751028802710"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

3308 NOTEPAD.EXE
828 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

5048 chrome.exe
5048 chrome.exe
3816 chrome.exe
3816 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

5048 chrome.exe
5048 chrome.exe

pid	process
3308	NOTEPAD.EXE
828	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zG.exe

description	pid	process
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeRestorePrivilege	1904	7zG.exe
Token: 35	1904	7zG.exe
Token: SeSecurityPrivilege	1904	7zG.exe
Token: SeSecurityPrivilege	1904	7zG.exe

Suspicious use of FindShellTrayWindow 45 IoCs

Processes:

chrome.exe7zG.exe

pid	process
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
1904	7zG.exe

Suspicious use of SendNotifyMessage 34 IoCs

Processes:

chrome.exe

pid	process
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 5048 wrote to memory of 5004	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 5004	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 2800	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 3948	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 3948	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4592	5048	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1239589556853149827/1241678944185614386/esp_pack.rar?ex=664db621&is=664c64a1&hm=80c4f4d8e19cabfd14de440b9017e550e42e10bbd64aee4268f7f08010f95bb7&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc840eab58,0x7ffc840eab68,0x7ffc840eab78
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1800,i,12532754534409780586,17158759446407789301,131072 /prefetch:2
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1800,i,12532754534409780586,17158759446407789301,131072 /prefetch:8
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1800,i,12532754534409780586,17158759446407789301,131072 /prefetch:8
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1800,i,12532754534409780586,17158759446407789301,131072 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1800,i,12532754534409780586,17158759446407789301,131072 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1800,i,12532754534409780586,17158759446407789301,131072 /prefetch:8
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 --field-trial-handle=1800,i,12532754534409780586,17158759446407789301,131072 /prefetch:8
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4132 --field-trial-handle=1800,i,12532754534409780586,17158759446407789301,131072 /prefetch:8
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3568 --field-trial-handle=1800,i,12532754534409780586,17158759446407789301,131072 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2384 --field-trial-handle=1800,i,12532754534409780586,17158759446407789301,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3816

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3092

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap28153:74:7zEvent15169
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3964

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\esp\leakedbyMercurify.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3308

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\leakedbyMercurify.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:828

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\esp\message-20.txt
1⤵
PID:4852

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\esp\message-15.txt
1⤵
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a45b025112d0a02fc290b2396cd74c48

SHA1
201696b0caa828dd54936d1bc9877eef0c459054

SHA256
8149533e5acc5fa54190c5242b8ff338a16771f522575ba5701d651eae7c7cd7

SHA512
2df354399d92466bfc629ce4e6f1829425a1a5374d69964203f42c2bf3166bf8c0091a417dad76a99e0e98be5831a8b59bc19193e541c43024c389044836c1b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5877eed52e72d8c7540ddcdc22f12d71

SHA1
57e40b7d3758cc36eaee82fd48b88b37cab579c5

SHA256
74b0e1c258e4920ac09058180bd6b4833287d6d54a841ddcc8c40b71ada9a18c

SHA512
dd297c298b9268a21442d8a4ec902d4053ab2f4c04cf7fd0ec9f21e5753813c00c94aa6d51e5a407fc92b981304bd97c3ab2e53f5664b6b481b50333bc61205c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d08bb5abdfe8d5ff87403ec86a81d4db

SHA1
d8df5eb23b385c011d4f2b8de0dfcfeb2e68d260

SHA256
f3bb868451d2f435e54ad69256d4115174c54ba26dfb79df20b70ef1d8804d4a

SHA512
20c101a23546526ea7739319dd1504cf83ab492640fdebe5c48788a21efeaa1fddaf10a847c109a756d9a1d12d1bb3850bfefce919d406d99b621edd6ea1c580

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4eda23a3cff9014d842ab41ecb281701

SHA1
62230ccab29258fa0cf713117fec8edb5a01b6eb

SHA256
bc3ca25b1d2b243534f9b44ecfd3dd7e8e6e1430128d931deaf5e0210f10c202

SHA512
86a9195495eaa448b5ff0743a7a663d6086962e20be689f9cf463255732f8bbda5ab8193529fa704dc78d69d83857b5a7e28f389d401d3180cc3d3d93fac5b57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
8306d666790338051be12a4c82b9b109

SHA1
f39a42a12bf7ed268257a7a591fb36ac6bc8487d

SHA256
e034e121eeb9b4bde919aa44b1fc2bddfa06f8cd8ed1c2267df9f21e1aec679f

SHA512
d8b4868b251b42897c08a42abb038861133c9321afa9579be30ab25857c148d19cca52b20d1b61d882f8ad56e43bff5f063a1b32176e064e24988776359f0221

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
94KB

MD5
709a7d04d4bb0fc71ca6b27dfb031a20

SHA1
749121783ba7af91c3dd35933e3edb5362af193d

SHA256
32f0091d11ee23fea163764c2b2130300b2018dda317cf827d016b8311638011

SHA512
0c791c6b711d80ce07242b55acdfb1bca90123310c566aec38aff9964c7176290c3e4c9fadbb74c1ceabb6f424c4e4d8517c134b0d9bc89e517ec9ecc5e18e0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57a0e3.TMP

Filesize
94KB

MD5
4f372d9638867395324d708604b20316

SHA1
3673f2dd9440711867c77417720bc6ec361114aa

SHA256
e22596f17716883f88f189aca7174cda6b8af36b535a57482996b2dda4077c99

SHA512
cb612fd76cd9a233b76c24d65fac86be72a3d0a930d8c61da6b4c4c83110fe6b43760f3bcd2bfa85903c584c7f9e6118aaf9eef583b0de495dc7b7233dead234

Download Submit
C:\Users\Admin\Desktop\esp\leakedbyMercurify.txt

Filesize
50B

MD5
15b53352aa79593f7aeaed268ed52963

SHA1
1beda189d722d20dd50e6b792e4cd2ae859daa07

SHA256
2cf8c002213739a9f0218fddcf8e2db1aae5dede76fb413353a8dfb006fa9d1c

SHA512
e4bdbeecea5de4ba285075a88fd5479c46efab81678411f23f7becd8d6e1fb3ff707f5174736df3de4a2af56a16a81e1afe640dba2b3f079fc8cf90092ea3c83

Download Submit
C:\Users\Admin\Desktop\esp\message-15.txt

Filesize
21KB

MD5
890a4db6e9134510b10142f2480bd950

SHA1
de8095ef712d9bb3239cda0944b536808eb9732a

SHA256
4750a7bcf6987ebbff380adbf48cf349ee891b77221c3cfe0d63ef211de44be8

SHA512
9f03a806d628a431d6092cc749bf69f3aca9366d25a4c643414103e2b3da6286134ee2df216b401642b1e708655bf42766af975977fe9dbd89b4bf9d66303cfb

Download Submit
C:\Users\Admin\Desktop\esp\message-20.txt

Filesize
263KB

MD5
e94ccc96d70edc14f2291f114b3cfa3f

SHA1
7322597dd6cfe13186f88010ed856f284e5a5541

SHA256
6ef928424d024b4069e84088f3a79ff1aeb1508a2201e2557dd0aee87fde4460

SHA512
9a55146d030084bb1e57b4f89b74b96af7ae030a698dada36d8b1d1a6b2e1cd541014db826e714e304eff96eacfe58100f0ab127984fbf703bcb2a0abdfb3294

Download Submit
\??\pipe\crashpad_5048_OVZKVFVOSYGZTJBO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit