hxxp://103[.]117[.]141[.]64/chrome[.]zip

Analysis

max time kernel
1800s
max time network
1796s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 23:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://103.117.141.64/chrome.zip

Score

9^/10

evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrome.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrome.exe

Executes dropped EXE 2 IoCs

pid	Process
3916	chrome.exe
2196	chrome.exe

Loads dropped DLL 6 IoCs

pid	Process
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pilulafi = "\"C:\\Users\\Admin\\Downloads\\chrome\\chrome.exe\" -silent"	chrome.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	chrome.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	chrome.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3916	chrome.exe
2196	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133622784299807914"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1008	chrome.exe
1008	chrome.exe
3984	chrome.exe
3984	chrome.exe
4852	msedge.exe
4852	msedge.exe
5040	msedge.exe
5040	msedge.exe
4888	identity_helper.exe
4888	identity_helper.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1008	chrome.exe
1008	chrome.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 1840	1008	chrome.exe	82
PID 1008 wrote to memory of 1840	1008	chrome.exe	82
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 2468	1008	chrome.exe	83
PID 1008 wrote to memory of 4432	1008	chrome.exe	84
PID 1008 wrote to memory of 4432	1008	chrome.exe	84
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85
PID 1008 wrote to memory of 4476	1008	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://103.117.141.64/chrome.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbaa5fab58,0x7ffbaa5fab68,0x7ffbaa5fab78
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1888,i,14194759829021992664,3571484962095311577,131072 /prefetch:2
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1888,i,14194759829021992664,3571484962095311577,131072 /prefetch:8
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=1888,i,14194759829021992664,3571484962095311577,131072 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2900 --field-trial-handle=1888,i,14194759829021992664,3571484962095311577,131072 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2908 --field-trial-handle=1888,i,14194759829021992664,3571484962095311577,131072 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1888,i,14194759829021992664,3571484962095311577,131072 /prefetch:8
  2⤵
  PID:3092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1888,i,14194759829021992664,3571484962095311577,131072 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4436 --field-trial-handle=1888,i,14194759829021992664,3571484962095311577,131072 /prefetch:8
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1688 --field-trial-handle=1888,i,14194759829021992664,3571484962095311577,131072 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4216 --field-trial-handle=1888,i,14194759829021992664,3571484962095311577,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3984

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1796

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\chrome\" -spe -an -ai#7zMap19829:74:7zEvent27620
1⤵
PID:4916

C:\Users\Admin\Downloads\chrome\chrome.exe
"C:\Users\Admin\Downloads\chrome\chrome.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://offikey.ddns.net/http2/vem.php
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage
  PID:5040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbb28746f8,0x7ffbb2874708,0x7ffbb2874718
    3⤵
    PID:3004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,18387801984636995289,8532966793882891721,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
    3⤵
    PID:3928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,18387801984636995289,8532966793882891721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,18387801984636995289,8532966793882891721,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
    3⤵
    PID:4612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18387801984636995289,8532966793882891721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    3⤵
    PID:4988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18387801984636995289,8532966793882891721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    3⤵
    PID:1064
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,18387801984636995289,8532966793882891721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
    3⤵
    PID:1044
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,18387801984636995289,8532966793882891721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18387801984636995289,8532966793882891721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
    3⤵
    PID:1756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18387801984636995289,8532966793882891721,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
    3⤵
    PID:4576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18387801984636995289,8532966793882891721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
    3⤵
    PID:4936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18387801984636995289,8532966793882891721,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
    3⤵
    PID:2588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,18387801984636995289,8532966793882891721,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5408 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5080

C:\Users\Admin\Downloads\chrome\chrome.exe
"C:\Users\Admin\Downloads\chrome\chrome.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
1b60990e019caf9d03a5d0bcc892a617

SHA1
eafda08a096e380f97bc25490166f0903aa8708a

SHA256
473f18132fa79c96620100102c8d70d72e39f06ffd2f77370f380818e82bcaa2

SHA512
85ed7a26041d7cbf3ab43240dffeb740596f77d85993c6113025b36604e99ce4492800fffe5c8565b6a54c5b078af212ceac3829c8d72edd3c39bf9ace7cec63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_95776108E5303B05527E9B63C6628F47

Filesize
472B

MD5
9a40d0a37f295e4a1865d48fdf7a3bc7

SHA1
8bc29fa7582053b8f9e0b75e37ee8b9da365cf4a

SHA256
15f543686a82409ee8858ead3caa44cf8bd17301c6507cd9638b6c3957852828

SHA512
4816205d2f840032f7a165c02e104faa6a853d1a545e23082398dc05360d985a4646490ba47319ddd73453eb5c4b659745afe681c11848d1331d47b17b304c5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_89FBEB9EEBFF8AABF1EBFA20B87AFE7E

Filesize
471B

MD5
3295ab4b88c1b3d7d520598b829f3eb3

SHA1
f72f10b45cbdad85b76f58a3483835f20a9ee20e

SHA256
50d84f0600285f214d6c9a5178ea3f6d6f7c8d050045e61c29544e62754aec39

SHA512
c8c4f13a6a0560ffb6bead067914fce228cf04109c85eef2631395beeb78c6057f3f21c9b6b21665e19678280eedafabf2024c121df20038e6b6f5a94468ac9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
0fa193be779874cef362b96a34525912

SHA1
dac133ebc6c59b31557815134b05b6eb214b4045

SHA256
02466ad76e6d7a1f07a09a7386ac07808310e7321fdb8d6345c3be5419d478cd

SHA512
f635e89f717d8d5ed32e0d4d72b4ee951644e865cc573e9f60daf873e49d5221a3c5b1f353a072b999553d6df75ee3e04adf9f4b754cd308317003dcb3048a6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_95776108E5303B05527E9B63C6628F47

Filesize
406B

MD5
fe91f567d7fc7cfcd965161285f542c7

SHA1
8da40ff4eca426eae71082a381b434375c5b85e0

SHA256
35fa7d0813c8acd4ab52da58451e26f783aee413fdb7dd630d8f3e1e34664b9d

SHA512
6b69d3025199072b81bcbc3ac9b1c2e5efe5c81408d3a18402b35a420096142c19c42aa68715e744a4bd2887615bc4675730d4dfa9d1d605b9b969eacb1dcaa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_89FBEB9EEBFF8AABF1EBFA20B87AFE7E

Filesize
406B

MD5
a37dd9f22ca8425a312a85d2f7ba7bcb

SHA1
90fe36326d10f292544254257a224c0c285effe4

SHA256
48ccd4ec41566555704bd79a939e99ffc31d1936a7df59e1e5b523e85049d589

SHA512
6046b97a106ce0da96521a9c8bf8474c705536ad79fea59d302e0163c312be15fd1c559c114adfe28ae5186ae762f32b75f614a69be611ef3832a7a1b409f01e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
8c0a0015ca5cb60d03110b59078f1f25

SHA1
df4a38c398b6e14eff21bcb31acb102c5c7e3def

SHA256
d9d39efa37d6f0fa86d476ac5ce3ce1f353f5f1f7fc059d436e61ffecc4c28b8

SHA512
038abdb1b6d6994f0046a7a259e5c937417ae76d084b7393d1354e51341ea5e019263bf89ca147f910052c7c6626712ff4c34c459e8ddce45bb8f91eacb670f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
852B

MD5
dc6510129a751c138315cf42e3c54b75

SHA1
8bd5068fc284d33ccdc10e2d35de93ca64543900

SHA256
6ec8a367df9706348cbfaf33a1078459d1d151b78fa1dedeafd90394779a9781

SHA512
1efe05b060014e7f9b9b6844f6ae5d0d8357db7c38f3af93c421612100f08a89d89fc9c5bb1fe1beb6874792f2b46b3a918de7557b62696d89875ca1a0d6bc59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
852B

MD5
4c89b845237af262ab9d97efdb2f70d5

SHA1
cf628f30b9cc16056fc7a0b029a486362d891531

SHA256
fee9952b308fa04174f220ed0bcd90399de63dc246f9ae920ff7379130abcb15

SHA512
aa1a2fd99bc139ed45d895dc6153d047c2686855ecd91dbf4d568c94359eca22575505c96af1a2a490f812052df95bc45e3167aa83eb27c86c18334eb74e1d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
9d85b1f0f04a8d4a118fcd60e3565636

SHA1
35bfca28cf73872005937ac67d6d005454173c4b

SHA256
b3dc11dc324a7fcfa0b9ade4ebc59297fb30782e7e68f274e4bcd8e38016e9a4

SHA512
adc9be705cc9d394f93050965a7640bee3a950039998bf425bc4a60178941b7a61ae2906e95dcab3de31ccf1dc0163986b534da99f74c38964b9b23cb9631990

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
877c6a0804d593f8f97a8ba8828a2460

SHA1
5ed61a27c377075fffce83c131d609a65645b13e

SHA256
05fb865a49e4037235a2fb029166986f7147a43383ff01706b13874c1175df3f

SHA512
4c73471fa1d62b37eeb3374e758351a1548808d89a38601f32ec02c719381ce5aeb6635977cc015ea4a910f5467171128db5e07a82622b58d0eb3d8ae3e77233

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
d9cf8ebb45fd5fea747658869d64ab78

SHA1
92b630cff05df07adbaa85872b394c88edce0399

SHA256
084638d0ca5b3eb1881f1c41bfe0c2feed9751bce08d0db8994933b62c0cf758

SHA512
300c32bf1f945f1eeab3a43b5a416047dd235a18c646c8edfbe13659ca4fc47e4f2f2c3b214c53de1085bf42966b96f0f8d850b6cad410c4167e4c13fec21276

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
97KB

MD5
8f3c8e868bf9d48dfb8168ec2b00347d

SHA1
d9ba2fb23e4bfec60a771ecfad0f04817727e11c

SHA256
7b4188a4fd94504ec119a016ab56f5d8693855302e626ee7d50879adf1ad3f89

SHA512
5dda734ff5b114063b75324e531a2b8a219366f7ae407fbd9a9278def88008834ebe91345f86ad5c81285cb83ad680bfd78b3bea2157b74b626901dd61f1ea58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5874ae.TMP

Filesize
94KB

MD5
48303f4b9723276ec2a4f400f9ac04a9

SHA1
48a583f30e9f704509b4f68a25861bb5ad09fc57

SHA256
767625589f902caa4e68e014f0bbd58e6cbf8abe4d76dd2f874011d71ad7f1dc

SHA512
d56fe40718f69112ffe5cfb670d16bf9aa95bd55570e55562a5c1ae516ef9b2cb950f1e9b341cfd065e06ca1b7c48c1377ba15563a9c23d6ff2a9b3aab839ffc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
42a66a850630fdfe811feefc258e94ea

SHA1
b80ef6ec387b3a561fc4faafd00a1985f7ca6e26

SHA256
31cece063fb0ed31997c7a71d3ac57d9e36c0c8c5d9064b8c32c52339a0bedb4

SHA512
917aafffe50b279682450f48b119ab9779a9043195e2c49db4a025036b0e37324b5a9d94243d2473871ff72b191fa985f715c670c25024f807f2da71f00d93e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
497eb10f016ebc9f4d145d2a5ee69e52

SHA1
a47ca7c199a23dee335de05fae0fbe9be74f3472

SHA256
a7fe47ec78e1da029eddf006bf17d7d1dc88809b71395d06691f4f0b00fd9e24

SHA512
399a77b4e84899dc8f05b4199023a705e662a10455ccc56d2439c8e5a313348dfae63d05b323dca5191a39f83089bfb1a2250fd36e6a929b94789f892f4fb322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4b07e2059a83a82fe5726bb8a5c2f335

SHA1
9e16155a3d24917f46fa935d63c82b2ab302aa44

SHA256
8bfc1d2b611b7080456df1b5bd80e495c3fa5dff73d6abb9911d9c21769d8d04

SHA512
14fe6217fc01c41104b17ec404bf3b6d3475f0138fc36c7f6827da09ef39af4a5a942ca87b1c9a4d43efa97cdce8940fbec0141b8a13aba5824744ce40d1606d

Download Submit
C:\Users\Admin\Downloads\chrome.zip

Filesize
7.4MB

MD5
9bc9c81b8eb739550ced80cbe3876084

SHA1
181c1b81eeccf882041c6e4bbfcbe3b09b5c96e6

SHA256
2f78abcf8efd1843e5953bb000b487b50ba7bc1ded77933294b7c70cdc157675

SHA512
1631cee8eb5c4f801423725cef27d27b4fef7bedb9f40242b5a4ff93f3b7a10c440446bc9e7521b887bb34284096ec4fa386ebec6c5e0398189adff6150fe167

Download Submit
C:\Users\Admin\Downloads\chrome\QtCore4.dll

Filesize
2.1MB

MD5
2fe0599b45e4f112cedc69986d10d21b

SHA1
3391843c5ddde45b17df309fe182c8dee1cb862a

SHA256
29aba16000167af9217510f93e6da8def731a8a5132024a7b7d1ba4c9116b7a9

SHA512
daa55eb9c223433b4d332e6aa40f2558057fcf98b01cf17f8aa68c9f53ffee9c56a86127efb37f7904282f7670608be9b4813a758d134e4c3ab501b4d0bdf39c

Download Submit
C:\Users\Admin\Downloads\chrome\QtGui4.dll

Filesize
6.8MB

MD5
ddd7cb6f7fcb04a7a22b8c88e54960c4

SHA1
ec90b7dc14ba83b31557262f9f4694478cbb751a

SHA256
ed88922666a2323c05c08c75f7ad29d049d1a36399ab988ad5ce1e86149cb450

SHA512
0e6d046c4f4e5fab3bc0aea57a99f0a1779f7fb4a3950f0e302b65ef411c9a08c534607f1be9533fa82ea64be5a5391c28b5ab615de82680188e2b1d28c8fc07

Download Submit
C:\Users\Admin\Downloads\chrome\chrome.exe

Filesize
178KB

MD5
7cd87f8ad0cd8279f8699cd441238338

SHA1
523c83c22647164b7e7465fecaf798f3be5ac2d8

SHA256
71a7f53796731bd270704b825af080d1e84e2bb4d2184bb77926cd895dc87214

SHA512
b5ee28a24ba6fc4bb0e8a5b0c1a5adbfac204be43635ad99998bd4617726a5b5f95876dbdc7807b30cc74569b431ef7eb4a540f3e62b759e2fb36df9cff10796

Download Submit
memory/2196-121-0x0000000000960000-0x0000000001FD1000-memory.dmp

Filesize
22.4MB

Download
memory/2196-120-0x0000000000960000-0x0000000001FD1000-memory.dmp

Filesize
22.4MB

Download
memory/2196-128-0x0000000000960000-0x0000000001FD1000-memory.dmp

Filesize
22.4MB

Download
memory/2196-140-0x0000000000960000-0x0000000001FD1000-memory.dmp

Filesize
22.4MB

Download
memory/2196-125-0x0000000000960000-0x0000000001FD1000-memory.dmp

Filesize
22.4MB

Download
memory/2196-126-0x0000000000960000-0x0000000001FD1000-memory.dmp

Filesize
22.4MB

Download
memory/2196-124-0x0000000000960000-0x0000000001FD1000-memory.dmp

Filesize
22.4MB

Download
memory/2196-123-0x0000000000960000-0x0000000001FD1000-memory.dmp

Filesize
22.4MB

Download
memory/2196-122-0x0000000000960000-0x0000000001FD1000-memory.dmp

Filesize
22.4MB

Download
memory/2196-233-0x0000000000960000-0x0000000001FD1000-memory.dmp

Filesize
22.4MB

Download
memory/3916-228-0x0000000001180000-0x00000000027F1000-memory.dmp

Filesize
22.4MB

Download
memory/3916-127-0x0000000001180000-0x00000000027F1000-memory.dmp

Filesize
22.4MB

Download
memory/3916-109-0x0000000001180000-0x00000000027F1000-memory.dmp

Filesize
22.4MB

Download
memory/3916-108-0x0000000001180000-0x00000000027F1000-memory.dmp

Filesize
22.4MB

Download
memory/3916-107-0x0000000001180000-0x00000000027F1000-memory.dmp

Filesize
22.4MB

Download
memory/3916-106-0x0000000001180000-0x00000000027F1000-memory.dmp

Filesize
22.4MB

Download
memory/3916-105-0x0000000001180000-0x00000000027F1000-memory.dmp

Filesize
22.4MB

Download
memory/3916-104-0x0000000001180000-0x00000000027F1000-memory.dmp

Filesize
22.4MB

Download
memory/3916-103-0x0000000001180000-0x00000000027F1000-memory.dmp

Filesize
22.4MB

Download
memory/3916-100-0x0000000001180000-0x00000000027F1000-memory.dmp

Filesize
22.4MB

Download
memory/3916-102-0x0000000001180000-0x00000000027F1000-memory.dmp

Filesize
22.4MB

Download
memory/3916-101-0x0000000001180000-0x00000000027F1000-memory.dmp

Filesize
22.4MB

Download