hxxps://github[.]com/SebOuellette/LiveBot/releases/tag/v1[.]3[.]1-alpha

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/SebOuellette/LiveBot/releases/tag/v1.3.1-alpha

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
129	discord.com
130	discord.com

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4712	WINWORD.EXE
4712	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1400	msedge.exe
1400	msedge.exe
3004	msedge.exe
3004	msedge.exe
4444	identity_helper.exe
4444	identity_helper.exe
5456	msedge.exe
5456	msedge.exe
1200	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
1200	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
852	LiveBot.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
932	LiveBot.exe
932	LiveBot.exe
2672	LiveBot.exe
2672	LiveBot.exe
932	LiveBot.exe
932	LiveBot.exe
932	LiveBot.exe
932	LiveBot.exe
932	LiveBot.exe
932	LiveBot.exe
932	LiveBot.exe
932	LiveBot.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe
Token: SeShutdownPrivilege	5236	LiveBot.exe
Token: SeCreatePagefilePrivilege	5236	LiveBot.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4712	WINWORD.EXE
4712	WINWORD.EXE
4712	WINWORD.EXE
4712	WINWORD.EXE
4712	WINWORD.EXE
4712	WINWORD.EXE
4712	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 3856	3004	msedge.exe	82
PID 3004 wrote to memory of 3856	3004	msedge.exe	82
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 3000	3004	msedge.exe	84
PID 3004 wrote to memory of 1400	3004	msedge.exe	85
PID 3004 wrote to memory of 1400	3004	msedge.exe	85
PID 3004 wrote to memory of 4004	3004	msedge.exe	86
PID 3004 wrote to memory of 4004	3004	msedge.exe	86
PID 3004 wrote to memory of 4004	3004	msedge.exe	86
PID 3004 wrote to memory of 4004	3004	msedge.exe	86
PID 3004 wrote to memory of 4004	3004	msedge.exe	86
PID 3004 wrote to memory of 4004	3004	msedge.exe	86
PID 3004 wrote to memory of 4004	3004	msedge.exe	86
PID 3004 wrote to memory of 4004	3004	msedge.exe	86
PID 3004 wrote to memory of 4004	3004	msedge.exe	86
PID 3004 wrote to memory of 4004	3004	msedge.exe	86
PID 3004 wrote to memory of 4004	3004	msedge.exe	86
PID 3004 wrote to memory of 4004	3004	msedge.exe	86
PID 3004 wrote to memory of 4004	3004	msedge.exe	86
PID 3004 wrote to memory of 4004	3004	msedge.exe	86
PID 3004 wrote to memory of 4004	3004	msedge.exe	86
PID 3004 wrote to memory of 4004	3004	msedge.exe	86
PID 3004 wrote to memory of 4004	3004	msedge.exe	86
PID 3004 wrote to memory of 4004	3004	msedge.exe	86
PID 3004 wrote to memory of 4004	3004	msedge.exe	86
PID 3004 wrote to memory of 4004	3004	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/SebOuellette/LiveBot/releases/tag/v1.3.1-alpha
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcaaf146f8,0x7ffcaaf14708,0x7ffcaaf14718
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,9976866095924998203,13782164938678605604,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,9976866095924998203,13782164938678605604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,9976866095924998203,13782164938678605604,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9976866095924998203,13782164938678605604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9976866095924998203,13782164938678605604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,9976866095924998203,13782164938678605604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,9976866095924998203,13782164938678605604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,9976866095924998203,13782164938678605604,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9976866095924998203,13782164938678605604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9976866095924998203,13782164938678605604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2896 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9976866095924998203,13782164938678605604,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2768 /prefetch:1
  2⤵
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9976866095924998203,13782164938678605604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9976866095924998203,13782164938678605604,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,9976866095924998203,13782164938678605604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,9976866095924998203,13782164938678605604,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5152 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3420

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5784

C:\Users\Admin\Downloads\livebot-win32-x64\LiveBot.exe
"C:\Users\Admin\Downloads\livebot-win32-x64\LiveBot.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5236
- C:\Users\Admin\Downloads\livebot-win32-x64\LiveBot.exe
  "C:\Users\Admin\Downloads\livebot-win32-x64\LiveBot.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\livebot" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1704,i,6120607241581451593,11642312419384367873,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:5220
- C:\Users\Admin\Downloads\livebot-win32-x64\LiveBot.exe
  "C:\Users\Admin\Downloads\livebot-win32-x64\LiveBot.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\livebot" --mojo-platform-channel-handle=2112 --field-trial-handle=1704,i,6120607241581451593,11642312419384367873,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1200
- C:\Users\Admin\Downloads\livebot-win32-x64\LiveBot.exe
  "C:\Users\Admin\Downloads\livebot-win32-x64\LiveBot.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\livebot" --app-path="C:\Users\Admin\Downloads\livebot-win32-x64\resources\app" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2364 --field-trial-handle=1704,i,6120607241581451593,11642312419384367873,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:852

C:\Users\Admin\Downloads\livebot-win32-x64\LiveBot.exe
"C:\Users\Admin\Downloads\livebot-win32-x64\LiveBot.exe"
1⤵
PID:4328
- C:\Users\Admin\Downloads\livebot-win32-x64\LiveBot.exe
  "C:\Users\Admin\Downloads\livebot-win32-x64\LiveBot.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\livebot" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1732,i,4321256021131934728,4115658891336762935,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2144
- C:\Users\Admin\Downloads\livebot-win32-x64\LiveBot.exe
  "C:\Users\Admin\Downloads\livebot-win32-x64\LiveBot.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\livebot" --mojo-platform-channel-handle=2004 --field-trial-handle=1732,i,4321256021131934728,4115658891336762935,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2672
- C:\Users\Admin\Downloads\livebot-win32-x64\LiveBot.exe
  "C:\Users\Admin\Downloads\livebot-win32-x64\LiveBot.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\livebot" --app-path="C:\Users\Admin\Downloads\livebot-win32-x64\resources\app" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2344 --field-trial-handle=1732,i,4321256021131934728,4115658891336762935,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d11a3c824ef67a880239d1144994a544

SHA1
9f26c0009e882579b4709700d4a5d6877d2fa51f

SHA256
5244ae877e6f4fb437d44658d9d820fa7a325b9af5affed4c9bcdfc7e6866fb9

SHA512
611c25887d066c26bcac50d4a56337849dc12359b0996d75f799a038deef99779ad4b3973bfc9b31b9b83e969fd875bad7583b32f51f8d562bfe85cd3a323e0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
30322550d9f9c54f345ea1c71f3b2e8f

SHA1
b5a3cff2995147279c2bbed7c03b2280ecb286e5

SHA256
4e7798d8476361378f8fbfb0442db63c7f6bf7e1830d50808bfdb8a58700d8f9

SHA512
261d1f5bc9c8a369f815eb846c252f54681f70862153bd49959411450870207b3ee240cc9016533c27401922527d561cc1ea7bb23708e4a257f071d010cf55ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2193e0ea2d432ef73355a7aa88fe4900

SHA1
f227f44c5eff55c4ea8c8801bcab990d147ef358

SHA256
da54e881dc4d572c1027e87c5aff1b8b0d2e47f86f565f80d1891b2f4e86c8e3

SHA512
2b891ed105a918b37833c72180f81ac3aadbd49c9b4947cd1e953c20e07ac5444d15be21da82453718386502f6993e238a5d211957e20a9bd1a0fd4ba32dea83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ead9fed4cebebee156a4959aa06f7136

SHA1
fc7fc6eeb028a8264a14c075a13d0aa97662c54d

SHA256
ea03809329c815d2c444097167f321c12ef2db962144b0156cfbcb0897c00d72

SHA512
c77a33ffe38ad42fa8b149f5f62842034e7d1c6ffa4ec6fdb6bf32d4b0809f97f07ed66bef569b58c8030bf827ebaf04b4d22f6c26b9d0f36ef62fc252aa40fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
75f20dc08115b60dc64b3d746cec120c

SHA1
fad97482a547c54428cd61c145bee1757017b180

SHA256
7e64819432aaa80ebc27b6e03009912ac6a817f45b343f80472affdc8020092e

SHA512
7940345c1650447fed334a648d43e213f5003191e20fabc20de6c7b81c95e219b739a876ab14bcebe0e78983b6b2412cae119e065c00fd1b8ef63ba3368e48a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
421596c92619e360fcfe8221f6a7e855

SHA1
5bac03dc82dbf71f41b2fa9abb1246e3897c1ab6

SHA256
aebfc79c381bc195407a4a75a973e35fcec8bdabb8ace63ffff95a12703a8908

SHA512
5bfb556cd8abe476889fa8ad248744bc9d8ac2f974a2ed678ff3764d6bfc1b1eb044bc7088dd9714b39370b3b2a2993436b78401b44251815663979575298402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ff00dd11cae091ed7edea813e822f1c7

SHA1
cf0160e40c844fb4271300dbc2ed3bb81c46b8d8

SHA256
d8a5e9faba7bd6a64301213d7090564e43100823f20590a83400a05ab68461a4

SHA512
a523c77eae9fee022490e9521a7f2955bb78050d8b238b7db8cae7b2a9f83e9de7eadcd2b0c8419b2cf28932f503062fb6d4a30c4b6b1f8bfef87e3a1027ab93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
b8aabbff1439232c77f5110549d41475

SHA1
a435a5e7fac67a30ae8043f4b08d20812e6d974a

SHA256
026b865517e3b2683f318291ecb2998d785161a454822698a984678d2188e203

SHA512
834e4755553cecef1f016d842b4ac5bc94615f994f966e927ef59ca93ffee91340215c87aca5df3b685acb0971be93efccc9e7d9fdc852e1bd9bb10d0adb7562

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
202B

MD5
add56ec49f8f478e84a934606effef1c

SHA1
1262ae87ef755e40752740df90d21352d5fc81ec

SHA256
22e509cf2b7202fc6b04c3d9a1b137477f11471d58a48c1f9514f89450217327

SHA512
c095f193d221696f3b087c3f224a559ad0efe4852a5392c8a3ab03f80183beec2a8327892aa481c85f1bf8165b76a029555f250e0dd5f396c823feacff4c06f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\livebot\Cache\Cache_Data\data_0

Filesize
44KB

MD5
1c9555afdfa4b9df38dd94999a10f34a

SHA1
e024889020a0bddc702fbf78784950b6860fdf61

SHA256
330e0ee04282344d70d693e9c632b6dedf561fb3cd9d8c4fb5c469a6d1543416

SHA512
524a5bad87a6219b094b76a744440d8ee0d456c3da9f915d102e5e88569f17bf9ccabdfe4caf083da5ac5a1fba1815975d945c96d44a88a5e4c503424fe81a80

Download Submit
C:\Users\Admin\AppData\Roaming\livebot\Cache\Cache_Data\data_1

Filesize
264KB

MD5
54651dad8b6afe38353015be234be374

SHA1
f197952d3d460f6180453cc06a328b95f6c91e6e

SHA256
0938000427dfcb17f278796d9383df4cd4b8db9f6aae9462723540eb99dcbdaa

SHA512
82d7b2a9c894fb3e0dae3a8b81e0a3ad1f2a772573b9eaaf5ea6d05d41427bfee64be3ecdc8ef233236b1b0d78d77108b9dcacbdf248836341114b526437b76b

Download Submit
C:\Users\Admin\AppData\Roaming\livebot\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
e411829b556fdf3a9105405a7e85e870

SHA1
5e6cb89a53588f3141e6fa8cb23472c39631705d

SHA256
f9702d3c0a4317263636797beb712f5f864b142509422f099fbf00234dfa7b24

SHA512
db063bac8569eaa860e486256b360aac4b2bda74cc22403f999bd1c3f0c79e180ceae5b2ff011db8f655e7c9e227e32e2ce3a21252e9acdd8bd56c34b0079b8f

Download Submit
C:\Users\Admin\AppData\Roaming\livebot\Cache\Cache_Data\f_000001

Filesize
75KB

MD5
ae5fed862f62a382e0acde5513fc83cc

SHA1
822f41c5d4fe482a3c40c2f4c32cc4eb826d5c74

SHA256
9e6e7f54909076190bf56c00e664e5dc7e20bf9a991646bc5c0f4cc56df34486

SHA512
d48b82d38d1c4994c894cec217aa6b94b3c2c8bd54ebcc4b6ba80a635c9ed3b407aa7e5df9f89e3510697cb3d7b317fd917736b916452ef3568676c6aad7c426

Download Submit
C:\Users\Admin\AppData\Roaming\livebot\Cache\Cache_Data\index

Filesize
256KB

MD5
e1d68f9c02ff9045ef1501e15a678c5b

SHA1
f4e34dbb6f2f60ffca92fe7403a6f1970183f5b4

SHA256
259258e95d2b167689e048d021d6e43f60817249995e987b5800d7d9a184c12a

SHA512
cfacc55033d937da96b738d50d649bc04e7961e5ea5cfea7b8134cd92451905df7967ed74cf46f30601ea2decdd31da61b6970a77e34d45ddff7b7ae9f228494

Download Submit
C:\Users\Admin\AppData\Roaming\livebot\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
bc84d1787a1cefddb599b10a7811365f

SHA1
6dfa5f1031449ad6ecb2a51c240a3738a1ea32a9

SHA256
0a9a85c85c4e5a28a7db6848128a1088a73b277341e949c9f7460d50b6825a1b

SHA512
ef1f3f65e1649a186dd14caf3eacfa3ebc9db8c812484be5f1e1de670322ba09feff851916b469d15e109c5182e5db716a07ada4926fc95b806904d2dd5adfd0

Download Submit
C:\Users\Admin\AppData\Roaming\livebot\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\livebot\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
0c74490a4f368064f4754bd6fcce4cc6

SHA1
ae36dad062ff257d2a01a8e8c25e29814ac2a8a6

SHA256
3dd0f5a50bea90cfecc60f42eeafe47fb9e9d574112f410e870f5c44bc934fde

SHA512
45e34376587d56c21226467194308da04a0653977e961e689737bf9b260a85a7a5060c570d9b73b8648352532c65396187c5d3f198963ff01880496c086c1159

Download Submit
C:\Users\Admin\AppData\Roaming\livebot\DawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\livebot\DawnCache\data_1

Filesize
264KB

MD5
b73a41b87f19c15478cbe72c27f9a041

SHA1
896ccb52af54ae04c14fafb67be8d8ca31c2b0a9

SHA256
d26a7506c42cafd47d14e39649a7b8d3530fbf41221e8ecd4de7de49aa2dd048

SHA512
e8d150b792355a01a25bc66b887f817965bf3a0cc1e1de045550624d33f92fadfcfd9d7302b3b88e1a4017ae258b8b8ca014bb2b7289d8c24a1647a1bdf0ff37

Download Submit
C:\Users\Admin\AppData\Roaming\livebot\DawnCache\index

Filesize
256KB

MD5
6fd7c04b5a44420083aaa27af34ccc3e

SHA1
e9d59aff80dd3d2ae8d8e66ca1fee102787f4491

SHA256
cf96ecd05fc4dd54e15ddd4118cf7c39bda27101dd7dd6e7bb8ca07dacacd90f

SHA512
a0192b1fc8b10395d6aeebc97222c2c65250917ced99a696002a333d2b2305fcb4d545298cb7285e2b1b8ff23341536fd971b7e43311639168e0b2395d9b0fa9

Download Submit
C:\Users\Admin\AppData\Roaming\livebot\GPUCache\data_1

Filesize
264KB

MD5
0214bccdf3865c19888aad33682d3df2

SHA1
7a2d98314151e41843d736426a872dc964b0c790

SHA256
738bb85b12ee88c298c77d04d519a4569bcb0befbaf0879f0d18f253faf67dc6

SHA512
6af31076959472fa20bc65285207a464cd1a58ed16dea7b902dec3bf1e970705f028e2b617e3dec48dfb819b3eca893a8b70f35391cd388d53db81ba7c3a2168

Download Submit
C:\Users\Admin\AppData\Roaming\livebot\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\livebot\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\livebot\GPUCache\index

Filesize
256KB

MD5
c80634f398cb6f6b34c1ee880e6831a2

SHA1
8349f7c06311896f28987297a5539f543987e2b4

SHA256
81561b2a194282d167575ec53d3e5626116ae17d885585e90a008618b44bec55

SHA512
ad898a481eff2735c3a5ffef7aea691b11d2182e00b218245e5f04969a1fdd3066e0fd265e3465a17c50c6b61d39928034714c61dcdf599457e8d2fd5925d0ec

Download Submit
C:\Users\Admin\AppData\Roaming\livebot\Local State

Filesize
389B

MD5
8d80836e21647afcdf5364fbe10f219e

SHA1
bf439505d687f3dd9d56dcb600aa37dc1d460f94

SHA256
b774e5864422dd123ed752a6a2109fcf0ee3349d56f5119c985fec227e8618de

SHA512
7db3ebc63d25b1babc429165fc50ea49f1f4cf618c51022d069af08cd5a0f421b30b8fcbecb635577e00e5eb8d704bf27438265cd47de659a4d1ec5c28dfd520

Download Submit
C:\Users\Admin\AppData\Roaming\livebot\Local Storage\leveldb\LOG

Filesize
247B

MD5
b281b793b732f3c828175d27416f4936

SHA1
ea1a443a68f964840eaf3891b99e5d897434e01b

SHA256
9ccb8f53f721df694d7815f19ee80e5e97a4fa206d7cf7279311efe9665ce0fc

SHA512
47685b667ff0a49f074ba3019ed8f3d1fc834e1e05bac23cfda03077c38d9a02e07e7fb8a1f77f43d3ddbdd18c7df87dd27d2c23ab7f339bc6f5516a010c0d2d

Download Submit
C:\Users\Admin\AppData\Roaming\livebot\Network\Cookies

Filesize
20KB

MD5
d1e2cc958f3468cd339f7cf98054155a

SHA1
e400ee562eaa9f64f5f44a53e49c2c297318d797

SHA256
b8d3722e417b1b55a84e56b3f0ec629b1b6fd49449825b7e8cba2b4c43375d25

SHA512
928cbb8e71d89df28c87c6af8d8a6a268d0639b7510f2d8c98a91125f7ba478c2c3a048f22b9cd2426d3f7e0b438d17f3b3cdeb89891c1ad685dd7180265537a

Download Submit
C:\Users\Admin\AppData\Roaming\livebot\Network\Network Persistent State

Filesize
694B

MD5
9dc198da0fbb4c72489f82f723a25833

SHA1
9655a2c8a30cb0fecd1812d2ac636ab5c3073623

SHA256
a7b260519d0f825e53b37f0357935e3da8072cf38f7701fe9dc44d7b28339442

SHA512
d8aaf23ad7479710e46c5bdbfe56a63de14372e6464c6b407a240ccdc9abcd693764c1f24c506cf71697418b79ad827cae684d15970a043141d12205087fcde7

Download Submit
C:\Users\Admin\AppData\Roaming\livebot\Network\Network Persistent State~RFe594af9.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\livebot\Network\TransportSecurity

Filesize
355B

MD5
dedf38e7926778ca8da389700bf3736d

SHA1
691637a06980cc7b747b41c8eaa99c970831f557

SHA256
b3651c249e9810f025b760a207f199d694234fc2864ddf0ab013c060111d1bd8

SHA512
3277a52f68f048dac223f98047121551f02bcdd5322bd689e311101f74e8c72b19e88ad76f6aec6e8767da1b20d711fd80dfb41daf68c7842d372aafb50ee6f9

Download Submit
C:\Users\Admin\AppData\Roaming\livebot\Preferences

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\AppData\Roaming\livebot\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
memory/4712-156-0x00007FFC77820000-0x00007FFC77830000-memory.dmp

Filesize
64KB

Download
memory/4712-155-0x00007FFC79990000-0x00007FFC799A0000-memory.dmp

Filesize
64KB

Download
memory/4712-223-0x00007FFC79990000-0x00007FFC799A0000-memory.dmp

Filesize
64KB

Download
memory/4712-157-0x00007FFC77820000-0x00007FFC77830000-memory.dmp

Filesize
64KB

Download
memory/4712-154-0x00007FFC79990000-0x00007FFC799A0000-memory.dmp

Filesize
64KB

Download
memory/4712-152-0x00007FFC79990000-0x00007FFC799A0000-memory.dmp

Filesize
64KB

Download
memory/4712-153-0x00007FFC79990000-0x00007FFC799A0000-memory.dmp

Filesize
64KB

Download
memory/4712-151-0x00007FFC79990000-0x00007FFC799A0000-memory.dmp

Filesize
64KB

Download
memory/4712-222-0x00007FFC79990000-0x00007FFC799A0000-memory.dmp

Filesize
64KB

Download
memory/4712-225-0x00007FFC79990000-0x00007FFC799A0000-memory.dmp

Filesize
64KB

Download
memory/4712-224-0x00007FFC79990000-0x00007FFC799A0000-memory.dmp

Filesize
64KB

Download