gurcu | hxxps://mega[.]nz/file/a1tDEAjJ#3JZZnt-xJSIP74QYyIEOb5jv8Sfdcu5gDFdJJfJQAb8

Analysis

max time kernel
280s
max time network
281s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/a1tDEAjJ#3JZZnt-xJSIP74QYyIEOb5jv8Sfdcu5gDFdJJfJQAb8

Score

10^/10

gurcu redline infostealer stealer

Malware Config

Extracted

Family

redline

65.108.29.210:21638

Attributes

auth_value
ad39d6a8ea7823f2a92f57ebaa4c98a5

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1476-755-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
5724	Start.exe
1476	Start.exe
4784	Start.exe
3088	Start.exe
1152	Start.exe
3824	Start.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5724 set thread context of 1476	5724	Start.exe	153
PID 4784 set thread context of 3088	4784	Start.exe	156
PID 1152 set thread context of 3824	1152	Start.exe	158

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Start.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Start.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Start.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Start.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Start.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Start.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608520968337302"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1184	chrome.exe
1184	chrome.exe
2852	chrome.exe
2852	chrome.exe
2284	msedge.exe
2284	msedge.exe
3996	msedge.exe
3996	msedge.exe
5860	identity_helper.exe
5860	identity_helper.exe
1476	Start.exe
1476	Start.exe
1476	Start.exe
3088	Start.exe
3088	Start.exe
3088	Start.exe
3824	Start.exe
3824	Start.exe
3824	Start.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeCreatePagefilePrivilege	1184	chrome.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
4472	7zG.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5360	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 5020	1184	chrome.exe	84
PID 1184 wrote to memory of 5020	1184	chrome.exe	84
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 3616	1184	chrome.exe	87
PID 1184 wrote to memory of 2968	1184	chrome.exe	88
PID 1184 wrote to memory of 2968	1184	chrome.exe	88
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89
PID 1184 wrote to memory of 2368	1184	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/a1tDEAjJ#3JZZnt-xJSIP74QYyIEOb5jv8Sfdcu5gDFdJJfJQAb8
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe48bdab58,0x7ffe48bdab68,0x7ffe48bdab78
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1556,i,6361077992575341393,7228258180145728801,131072 /prefetch:2
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1556,i,6361077992575341393,7228258180145728801,131072 /prefetch:8
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1556,i,6361077992575341393,7228258180145728801,131072 /prefetch:8
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1556,i,6361077992575341393,7228258180145728801,131072 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1556,i,6361077992575341393,7228258180145728801,131072 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1556,i,6361077992575341393,7228258180145728801,131072 /prefetch:8
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4464 --field-trial-handle=1556,i,6361077992575341393,7228258180145728801,131072 /prefetch:8
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4320 --field-trial-handle=1556,i,6361077992575341393,7228258180145728801,131072 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4424 --field-trial-handle=1556,i,6361077992575341393,7228258180145728801,131072 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4332 --field-trial-handle=1556,i,6361077992575341393,7228258180145728801,131072 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4496 --field-trial-handle=1556,i,6361077992575341393,7228258180145728801,131072 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4948 --field-trial-handle=1556,i,6361077992575341393,7228258180145728801,131072 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3328 --field-trial-handle=1556,i,6361077992575341393,7228258180145728801,131072 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4368 --field-trial-handle=1556,i,6361077992575341393,7228258180145728801,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1556,i,6361077992575341393,7228258180145728801,131072 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1708 --field-trial-handle=1556,i,6361077992575341393,7228258180145728801,131072 /prefetch:8
  2⤵
  PID:6028

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2032

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x320 0x440
1⤵
PID:1976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe383546f8,0x7ffe38354708,0x7ffe38354718
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,18438683786251209217,14448220690469333898,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,18438683786251209217,14448220690469333898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,18438683786251209217,14448220690469333898,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,18438683786251209217,14448220690469333898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,18438683786251209217,14448220690469333898,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,18438683786251209217,14448220690469333898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,18438683786251209217,14448220690469333898,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,18438683786251209217,14448220690469333898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,18438683786251209217,14448220690469333898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,18438683786251209217,14448220690469333898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,18438683786251209217,14448220690469333898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,18438683786251209217,14448220690469333898,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,18438683786251209217,14448220690469333898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:5280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3964

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4944

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Autorisoft\" -ad -an -ai#7zMap5001:82:7zEvent30843
1⤵
- Suspicious use of FindShellTrayWindow
PID:4472

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5360

C:\Users\Admin\Downloads\Autorisoft\Start.exe
"C:\Users\Admin\Downloads\Autorisoft\Start.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5724
- C:\Users\Admin\Downloads\Autorisoft\Start.exe
  "C:\Users\Admin\Downloads\Autorisoft\Start.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1476

C:\Users\Admin\Downloads\Autorisoft\Start.exe
"C:\Users\Admin\Downloads\Autorisoft\Start.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4784
- C:\Users\Admin\Downloads\Autorisoft\Start.exe
  "C:\Users\Admin\Downloads\Autorisoft\Start.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3088

C:\Users\Admin\Downloads\Autorisoft\Start.exe
"C:\Users\Admin\Downloads\Autorisoft\Start.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1152
- C:\Users\Admin\Downloads\Autorisoft\Start.exe
  "C:\Users\Admin\Downloads\Autorisoft\Start.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\86751074-51b9-490f-a98b-0e6c72d69f6c.tmp

Filesize
98KB

MD5
feffcc98415658beef9081d2ece2202d

SHA1
74c9b61728dc21c288ddf0ce1581124ce2a2b2ec

SHA256
e11a0129891cb75e5e73b116a22eb135d15d87a0de2e80387d7713f38b243a90

SHA512
cb10d609e3cf2f4d7ad111f91b6874163710631f633afed3e79908af53cc643dc0da98100ec5c790d1bd12284e17c5a3aac393252e5e17e1243267f2d060771b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
b741594bf90cbc1183f10700b26e807d

SHA1
17f49d4d4b4f57ccb67c9b7973430b99b49658ee

SHA256
97f7c74ff3939386b2021af6074841bdf7bbcd199233edd3c0ce32e76ff7206a

SHA512
fef8cacddd4c04ecfefae0f6bbe5fce6442ba97a420e38c6a55a57c3e32ab8aa8316bd0c86383a685af54e9a003f681e36177ff6b0e28ce40e6d41d8d964b46c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
1492b754fde10d8671af08a6fc4c4970

SHA1
a2dbe0d7a4c64e6c351af84411e9daaeaf689ec3

SHA256
d4d89981c55cf0c64a9859e4f2a7259141c5c4c90f2662a54d2e14b3895c32db

SHA512
e8cf5db9ad9e411b6b3dbae17a17b03c06fb2d680ad8a4470c59b2c216975c8c79dc4082fd0d0f56d85cf65f38d9ab09d759031df02c5fa7faecb1069a9c9660

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
c773b4b2dd874c247a5ebe705033618c

SHA1
44dee353dba9f28194f8462db50727d9745daebf

SHA256
7ee520c410a70cb522623f59412cc93c5a27cf3f39437930c6ba744ffff2544c

SHA512
76fd6ef2a41eb73ff8549b12cc257e32bef53ffc7d3030ee3ab89fbf07de7b23e1d5e7e69b0b2b2c494fd3e4953fa86e083ebe9f1195fc97294767c773d10502

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6d8e038da0acb223de91f5d52691e91e

SHA1
b41b15ee570770169a8c18f11ee187554888d5a7

SHA256
b8dccc62aa6769fb6ae93acbbd71ba501de41e8506ecfde8a4ae4106c9acc9d1

SHA512
4d0296827471bad74083e1d4ae07aed3d7f650a2e0f074e5a6301d628480496b9b256dc578445b90814d1eeeac49fcfcd2b06ed3fe5a988cba44442e8fbfd10b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
59c496757b8911b30d39995339a13aac

SHA1
83a1e7447c5790a33f17710f06fcf311de6e7a24

SHA256
78c109ba5c98cf7f9517b1127c62c822d93d4ee5ef2af008ac7786777d5d2d90

SHA512
5d3a2923e18373026c922580886452ff1949a60d281e35b7916a8038323296c86f168350c6e99dcdd5c30aca2b49addfc1aa40f5a3765b804e4b312ea43f0541

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a5833afb31efe319375749b4b0e973d9

SHA1
dfe8ae917f613ba834610eab334a98f641e2c956

SHA256
e29d9fd29bfdabb965d9fdc38b2a645558701d4db005b8099f049742425f0e86

SHA512
afda8515491a66822b9072c11467b7fb3f496f90ed215eba16ac3cdccbc510a57f3cff1b831e0a7a457fea5650d265e0d88c30d86855d103eee19793194885c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
312b632643256a801378cff80a470fe3

SHA1
c6d93e2f720f9dd5745f18472c0cf203b8ade90b

SHA256
14349fa77d21dceb5f3bb595c13d1eed73802c8bd113fac0e577445b1e5fe913

SHA512
ecfa0a93b67bff3c871a3bfefbf4756fc9815adbdaf43f0d89b2e11357574990fe545aea56e835b23f8e170fe9a99282c8d135112796f254c684823071d7e21b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
99d7f9b273eb0d8c6d1067c5c25ef305

SHA1
39486f5862793fd72164348ebc26f2a20a815f29

SHA256
2c97d53b7f184de7194fc2d01be2164b5ece1144b4255f6eef731ba939988c5b

SHA512
52ba346014702b3264a2048ec141601422d966e96add2970329f2886f80b5c1bfce6301f0dd9c37f0a92fd2295cf605c4fc56fb1fcf2fe49ac28371d16852974

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
6c98cdc951d9be2d11eff7cf34042024

SHA1
df8bea92d8e39620cd4eed252f11d9a886fc41f2

SHA256
6373ea9b6f33cdbbb11a6238f34f69b325d78e4f26a17c03d3988ae16cd9d2a6

SHA512
6ac44804213d90b37c992cf6f0eec0a91689b31ed973010ac4d76c53f7b2a0769412414342eedce54f35e9d261ba6461c61a4b3316fcab82bfbd1c564fceabc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
fac09d8eeafee3cfeccc6a12b32e8d99

SHA1
312ccb556bf221185f5ef0ec9ead49c0abd64c7e

SHA256
e6d2dcb51341635229338cdd3e232c7f8597d9866db95ba502b94d9a3bcedada

SHA512
fce184e9e5b7f72ebdcf9d561fa43b5174491284480625ed10e59cdacc2a1f468dcc9acbd0a9840fc818ae10ae94948b87491b13eedbe2c94d9139d72d74a184

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
521B

MD5
25124037dd29088f5a3201d01baa3bfe

SHA1
0adeb08efa5d183011a6a8ab4e803d655e5cbac9

SHA256
0557c55d94d29f20d6f0260d4f148654ee786820a05ad5d170975ee165d08aec

SHA512
6932528f44ea7c0cef935fa2bc8f4f1630d825ec0e34ef314e458edea623f363657d88fcad4de5668af20f6deb7c7bd53a54b76e34b7ae7855049f4873a4cf2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
94591fe854bd034aedba22614c0fb84b

SHA1
200682f58b3ae9f13df1bc2024813b6ac93adfd1

SHA256
02f29c0356344da755126c89849266bf1c0a4bd0fb88b345703f09f4aca0d4b1

SHA512
da2f0253fa12f6a61a0589c06953269dccdb1bedf4b28e5736294b2dcb02cc16c42d1a31f97a6a7456fef9b5834790309ff747cb5b249fae14b7ed6aef7a4d9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a2eb38b8527024c1231d17df9224b63c

SHA1
30d76c3f8ce8ecf42f071f4662216c8459dbe2d8

SHA256
27054946e04b8fde9a7abb75b3be2070cd443b1aa4ce8f2642768418a29b483c

SHA512
6d01ecece10160e5e57f547a5f8b0ff96700453826133779fc5f94e926e53f977d53de79b96ada068e332edda9e23d585bd2f615aa835331fbda65bec9fa6158

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
cb375878129d5df348d2920d3a9fdd8f

SHA1
00287f388464b69822b781f3c2ea9160c6dc8508

SHA256
3a6e4b781ec5be0a466079167ce8bbffb903d16af2cbad3faa7db0cbce8821d5

SHA512
722f9305f40bbaba062c303f260a4f12bbfde3c87526bce7599c747a07647ad4c311f4b25a4970baa3e37f1799a98f1119fcb84bc1be81bb2e62b441eb8f505a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
856c7be29ff922ff99777652a5375813

SHA1
9526c3afddfbbdbf56e0c861752cf5b6b2eb9f61

SHA256
5f5a9a33659b71f39be1688281212c6528de2f5637c75c3b032e2f84bab8b9e1

SHA512
65ff962c3dbc28252e1410c8bbc3c770a29b1417b4c51821b2734edd76ecdada01c83699e7f4a2c58cb5ba689028c0fb692c65bd8c1141e4abd05de48589d5fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
d5e17ef6b96d1296b62a86bdb93558f2

SHA1
012fe7cf33891d5167f54a6be3e2c4b11f958d80

SHA256
ce2320fa56572258867283f23a59cbf5eb34febd1869a39035be4b616b5b5343

SHA512
b0ddaf5441061694f9b68c10898bddf8714986fd03e997fb6e15473f771a353948b33ac90ca9038f2fe0c4b75087cde0952f1a62ccd248788f1c67496c49b762

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\b142777d-b23b-4b33-ba5b-3c916df4829a.tmp

Filesize
7KB

MD5
5a8a8ba44ab76bd3e84439fababbf7a3

SHA1
862f51dad360159c1c785d5be9be1384259321f7

SHA256
ed504daf5b17f28328154ba400e886bc4879538bc78ea1e69470a86be476a049

SHA512
ec40db7336c1932d1cb51c35d609d533dea485944abb4ea780738e176aac9394074c54750bbea2aea78cc6ebcab2fa1e4d4f022fdc7ac87e9cb2c19755fdab6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
b27ffc674486728d6aad3483c9fa15a5

SHA1
4b0aa947757862a4c61283c8f50de895cf7f2363

SHA256
a4a74248e9c3dfd63ba6a4a3184f77ab56ebf17ba6769da986008098aa32e41f

SHA512
549b935725077548d226ccb7f1ae676977bdc263530683760f71bcc3ec12673108298be20e8e1fd4df5adbf574593c64bfd59206a0a82168680f68e365e1cb08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
60a2fd0772029ab65003bcba954fc000

SHA1
de4a12b052941858468ae182f52dc940aa9d96a8

SHA256
fe707174bc7eb2429919ecb5cd4e4d63ec7d59a154d12efc1cc41daedc0339e5

SHA512
e239f6ddeb39fc6263e376f72a5b04c37bb6ea797bf1ae0d362250e9d85069f9e51dfb252bba8e2f1fb26130d351964ef184a3370548fc79c5ca3a0c806ec0f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
ef2fb4166cf90cd60b3108d048db2c67

SHA1
b8c9c75736a5f1e4fbcfbba4855a99758f6cb37b

SHA256
0d8baa1963902b59d55f7785af7ab991cd12523cc6a308438786aee111668de8

SHA512
49d1ef7b086cf062bf3257c11c2ff2d1c75c1b97d641246ab29254bec3aa6c327fdffccc0e680c7f2bd2807b061569a91446b83c90e710b8a8a656a1832ad6e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5a7dcc.TMP

Filesize
88KB

MD5
adbe9476955089bcba1a93e40dedb9a1

SHA1
79feffbfa829363baff2fe3be24eacf98c300900

SHA256
1ed94efcf78e3d8815130cc69bf840e6c7f18ce2ed9d34f3bbfab8001ccd5598

SHA512
fb12011563efbc33fb3433ab8a8d349cac66882ada2c931f697d62d940c1e3a3812fa4dc5e86e3f872a0843e257ba3c6f3a2658ce7129808457f75aafe0258d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Start.exe.log

Filesize
1KB

MD5
b5291f3dcf2c13784e09a057f2e43d13

SHA1
fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e

SHA256
ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce

SHA512
11c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
3d323c2ec3736a7cac030567750e6870

SHA1
239857eeaef0baf46dcfb37bfe2a5bc39dc53e99

SHA256
5dae52fceec1b1fe14420d82c3c496595bae99b8400c99443a06231f7c50588c

SHA512
bdb843336bce4806bd978cf5c7652dc86cc4aa5d0ba70585d058522388e1d846f682d4276f4ab94c7a8bfe0d65e95c7996ddcb48d2a862d7acae22527690a07e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cb32212f8e0edc2c34cf9b9a7942ca30

SHA1
e8e5c0f1c49ea594a8cbbba1021978377e880d23

SHA256
591899035b5ad8aefe78e8b12ae39202c478692fd0e5ae0387c628c81b54154a

SHA512
8eece3fa7feffd1c9dcb9254f3228166f20aeea069960b46f6b63916d0218e2a924e9e774262d9ef94e6a77fab22c53028d3127054b580ae22c6fe5e6905a0cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
47193f7a374401b9881d6fb54a34d30e

SHA1
ff24835d291a69b73e1dae5ecff8c031fcfd4020

SHA256
29ede52e09458f61757e43a431a558a475b772e97547ba4d864e87e7f5a87aac

SHA512
13df5073591515d1fecf2129b6abbc8d6ccd5e0173d7489f69814f679fb0552a3ec3bc56246640ff40611eddb7be8e0cdc6973533f4e946a16a4e2eb91c76871

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
875d95da5cd060053ba61079c988f61d

SHA1
d502b887fdf6e03309dd6ea5ba93bc0d08015803

SHA256
e065cfa94492eea56b4bf85a76991f7fd09f6dc6b2711b8d1dcf0cd07a340ecf

SHA512
5ed8137f592c1a1434ec1608ce104dcf9b953fac2ae7678fdd76855db8890c982f1d16341367a6e01b08aadeed7143b4cff2e196f05aad23e1c8d4e961a2e885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
87f873f4e131206dc917462cf6042384

SHA1
d23ac01b44b0e1aa6a2d2eacb2cdef2ffc0fc179

SHA256
c9d31616fab7a8a68a747131f8207dcb2883cc5da77080456e6f025e15316da2

SHA512
3b80e16cc066684e6be5ab2cd6d0bc830c8041993ad99bdce9eb5988cf52f1a40027d0214bc6869a42f0c832ba983150dcacbf09b250db7c26e49aa5205d3226

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f7cbc4ee59f89bc047f4f226d9ae4a72

SHA1
741c45f5719745818528f22169953ee5e4d146a6

SHA256
497a6064418703cb5036b93251a09a8c861572db0c8d8b52b54a56e92a782507

SHA512
7eb8b0640fe9c585ed3e4156e8d010b1497a835051fd9479deb10082301e6981fa95f53d7a158d23e313ab760faa672cb2952ed6310ef8994193c8d2554475ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\f85b0989-66e0-492d-b576-9c27f3746c80.tmp

Filesize
8KB

MD5
82cb861c81544370ce156c44de18a24a

SHA1
c7abbda8a24cb8e8bae2170450544786e85df567

SHA256
59030d4639e07ed5acd96d5b64f69790aa0fa2f007b477f20b2197a7329348d8

SHA512
403307e54843ef10a8b141a6d6bef786d8434c855743306e7e710fb142c02c57eb5bf45705ef9c8f6859d8ecc21c29e18a155fa0cff7d8dda0a27901d0001687

Download Submit
C:\Users\Admin\Downloads\Autorisoft.zip

Filesize
17.9MB

MD5
5b879f39e57139ab17300879afa61554

SHA1
a18eab8e257c611f72ea92833584fff0ffaea1f2

SHA256
645e274fec3723d065308f9b16b33392ed7f51fbd5ffc3c00806c2efafb08b65

SHA512
54814430828c204a8b606c000e2efc1fb2586f41c322ebae44d9eba4d297db473d37b520fac02c1bf88407a8a9138a3e7de502e27e32745cd4c96d54c9994ac0

Download Submit
C:\Users\Admin\Downloads\Autorisoft\Start.exe

Filesize
301KB

MD5
9a0e31ffbe7ecc3a2a6f968b2a8d5567

SHA1
e88e76fe96616649d2558923afe457ce3b1976ec

SHA256
b371eae7b55688d307b653759c2d4ddfe3672eb7b5567bcfa9c3f75f5c6d6255

SHA512
db64b27997e5305473572ee8a60573032e51fbfbdc48670d9adef8ba23c81e8845d073383299c94f87a0100c74ca0e6968b9f468fc46e31e221a71ad69a32749

Download Submit
memory/1476-755-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1476-759-0x0000000004FF0000-0x0000000005056000-memory.dmp

Filesize
408KB

Download
memory/5724-749-0x0000000000FB0000-0x0000000001000000-memory.dmp

Filesize
320KB

Download
memory/5724-753-0x0000000005D90000-0x0000000005E06000-memory.dmp

Filesize
472KB

Download
memory/5724-754-0x0000000005D40000-0x0000000005D5E000-memory.dmp

Filesize
120KB

Download
memory/5724-752-0x00000000059F0000-0x00000000059FA000-memory.dmp

Filesize
40KB

Download
memory/5724-751-0x0000000005A40000-0x0000000005AD2000-memory.dmp

Filesize
584KB

Download
memory/5724-750-0x0000000005FF0000-0x0000000006594000-memory.dmp

Filesize
5.6MB

Download