hxxps://mega[.]nz/file/J7UAwYCI#acftDB2EEfo0kf8m0zooHORXKl05GlSs9EAuLEjjKH8

Resubmissions

10/06/2024, 21:13

240610-z2snda1dmj 5

10/06/2024, 21:10

240610-z1d4la1cmq 4

10/06/2024, 21:08

240610-zyzbrazfrb 1

Analysis

max time kernel
161s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/J7UAwYCI#acftDB2EEfo0kf8m0zooHORXKl05GlSs9EAuLEjjKH8

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\NDF\{1A9CC4F2-CE71-464A-B5D9-A3B736A8F930}-temp-06102024-2114.etl	svchost.exe
File created	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{6f27adef-25d4-440f-9a1d-2b9afaf84af8}\snapshot.etl	svchost.exe
File created	C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-4124900551-4068476067-3491212533-1000_StartupInfo3.xml	svchost.exe
File opened for modification	C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4124900551-4068476067-3491212533-1000_UserData.bin	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	svchost.exe
File created	C:\Windows\system32\NDF\{1A9CC4F2-CE71-464A-B5D9-A3B736A8F930}-temp-06102024-2114.etl	svchost.exe
File opened for modification	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{6f27adef-25d4-440f-9a1d-2b9afaf84af8}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk	svchost.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4848	ipconfig.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\RAS AutoDial	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\RAS AutoDial\Default	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133625276040172254"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1812	chrome.exe
1812	chrome.exe
3180	sdiagnhost.exe
3180	sdiagnhost.exe
680	svchost.exe
680	svchost.exe
5096	chrome.exe
5096	chrome.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
2700	msdt.exe
2700	msdt.exe
1812	chrome.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 3324	1812	chrome.exe	82
PID 1812 wrote to memory of 3324	1812	chrome.exe	82
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 4520	1812	chrome.exe	85
PID 1812 wrote to memory of 1404	1812	chrome.exe	86
PID 1812 wrote to memory of 1404	1812	chrome.exe	86
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87
PID 1812 wrote to memory of 1076	1812	chrome.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/J7UAwYCI#acftDB2EEfo0kf8m0zooHORXKl05GlSs9EAuLEjjKH8
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffad9aab58,0x7fffad9aab68,0x7fffad9aab78
  2⤵
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:2
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:8
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:8
  2⤵
  PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2852 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:8
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:8
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5092 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4880 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4556 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4468 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3112 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3168 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4376 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4116 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3380 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4236 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4892 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3396 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:8
  2⤵
  PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=1644 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:2460
- C:\Windows\system32\msdt.exe
  -modal "393312" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFCE2D.tmp" -ep "NetworkDiagnosticsWeb"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3928 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4508 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=1872 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5100 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=3244 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5060 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5036 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=4136 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=4528 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=4840 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=4944 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=3380 --field-trial-handle=1884,i,12526122529085615951,12339371018269740649,131072 /prefetch:1
  2⤵
  PID:4548

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4960

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3180
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:5024
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:3816
- C:\Windows\system32\ipconfig.exe
  "C:\Windows\system32\ipconfig.exe" /all
  2⤵
  - Gathers network information
  PID:4848
- C:\Windows\system32\ROUTE.EXE
  "C:\Windows\system32\ROUTE.EXE" print
  2⤵
  PID:4288
- C:\Windows\system32\makecab.exe
  "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
  2⤵
  PID:1292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:388
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
  2⤵
  PID:2036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:4664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5036

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2340
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.0.990366976\1668060078" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18c608b5-fd4d-4d4a-b931-25c42cf7e967} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 1848 1f14f20ed58 gpu
    3⤵
    PID:4512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.1.269186712\1571552912" -parentBuildID 20230214051806 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 22280 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98442fca-9b2f-4c4c-b589-41b3c898b396} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 2412 1f142588d58 socket
    3⤵
    - Checks processor information in registry
    PID:640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.2.1705890544\117842125" -childID 1 -isForBrowser -prefsHandle 2832 -prefMapHandle 2836 -prefsLen 22318 -prefMapSize 235121 -jsInitHandle 1332 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f539dea4-b4c8-49df-92d8-797b8fcd8fa5} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 2984 1f151acf358 tab
    3⤵
    PID:212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.3.1025382279\288212706" -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 3668 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1332 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6109ced5-6be4-48b7-8fa3-5ae0f0cd5718} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 3684 1f14257ab58 tab
    3⤵
    PID:3200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.4.1581970577\1547092518" -childID 3 -isForBrowser -prefsHandle 5112 -prefMapHandle 5104 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1332 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7e6fbf7-b2a6-4a98-9352-166ce7385721} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 5076 1f15635f058 tab
    3⤵
    PID:4940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.5.440648332\1418514782" -childID 4 -isForBrowser -prefsHandle 5240 -prefMapHandle 5244 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1332 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c539cb9a-1912-4bd5-bf18-398e1b22c049} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 5308 1f15635f658 tab
    3⤵
    PID:4196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.6.2074073959\680712385" -childID 5 -isForBrowser -prefsHandle 5428 -prefMapHandle 5436 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1332 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f6da6fe-e4c8-49f0-a416-3f09493e9185} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 5420 1f156360558 tab
    3⤵
    PID:532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.7.74344694\923496215" -childID 6 -isForBrowser -prefsHandle 4904 -prefMapHandle 5912 -prefsLen 27771 -prefMapSize 235121 -jsInitHandle 1332 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e25463f4-55de-4c50-815f-d6b8f25471a8} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 4840 1f154ccb658 tab
    3⤵
    PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061021.000\NetworkDiagnostics.debugreport.xml

Filesize
209KB

MD5
98bbd1aaac9530d470659113a9beb24d

SHA1
456e3d90dda41fc29aec2236b0f26d7b8c38b23d

SHA256
7e2eb622429ea41ca36fdb884d642bba2de3ea3863611f76a7bd65f2cc99dcd0

SHA512
17252f2a2c2baaf6cf8f122d3727ef5c1a33ae3df2bd1a8319ff2876d88cc574e899882b99365c6d115ad519d148b4c805f3f93c05456832ffbedca1e95e02ac

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061021.000\ResultReport.xml

Filesize
38KB

MD5
28292573c656b71858ff8efee96b7dd5

SHA1
34738018fb652682b5880164e8950ca489a95d24

SHA256
a99663012f94428d4585fecde0d67e573db600a341de4d6d17fba7fcb1314993

SHA512
fa31a254766aeec74ee09c192b9be753c12ac82dc1065cac22bdf77190199d2a51248537209ab4caf82619223536261e7bd99e40ae85d22e8c1906f6ce761ce8

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061021.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
811B

MD5
6b3e8269cae5cfab0c294411aa0aa798

SHA1
603e4931799407b6038fe2badd0a1d3cb2452216

SHA256
1de7fad961ee7fee151ec6848bc15ca4a0820353a4290e997cbffaaac3c6b3c5

SHA512
54e21b9c045c601145d7e8133c03aecbaff7f6ad918d7afc6f14b596d335d86022415d9601f87355d8d0eaaff7f422ab00e077469d1c0a15f9082e742f20f266

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
1cd00a0fd1c1620e4853b697842ede8e

SHA1
3bbad1e292486de31a0a328f75ee149873be8d71

SHA256
8bca3bc390f4d8e1357f4ab3865cf15c21869b4b67a6a78ceb7b0cad65b744db

SHA512
ce7e1f3637e47321259b5dae9de22092247028506319855f4b6eac01b7f2c621b405566810059b18f43cbdeb46f7cfdb2c9b230a375a73c0c8f4e1f25f7678e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e5f1b9750dbd0792fba03c1e0d6eddf9

SHA1
4bf46b1781f257a3bc14878765c2ae892b30fa8b

SHA256
1f819b525756055a3b2eab360ac5ffef84b860e86eb55ed73e53e69ecec33e70

SHA512
72d5ac143d7c5f95b77f266ca51b74974a3929f08deb94c6edc46f8119f53852f21d2d114a6ab837e9de50fc616fe800d3f712e3f48accbdae84549fe939bd41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ba0e71c0d90408c56173cc78e8b35b24

SHA1
129a9a675c747c1d433cddeaae5569a321cd2bd9

SHA256
645f88464776c9b59f924013d8bf963179378ada63e601c84c9dc95dcecb8558

SHA512
e1a1fb11c7c06afd7e1049ab38b61421ff0772d932191163ac12f52a33c0fae3712f228cd8af411691ac2b4f6b61f8bc197dc97c7551ee905c4fc588c9e6c9ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
6095ccdc158b252bb87cdc2bb5bd7a3c

SHA1
b14a7e5133fb7dd7c5b311e83f2f60c751c6dd4f

SHA256
1e1b4ca0574b02d17a5dca46d81c9af7ac5385fc6174bde8fda67471f1e8a4e1

SHA512
cd752986e245426fe6f89d14480559d211b85c8f13fb2f39b1fdc66132f3a646b0466eb7bc6080904670d9224824b8f40ed8cdd4ff4bcee7c2964f72c25227ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f99eba0132a5722af042b321a27c0b29

SHA1
077e2b7025b5e7946d0ad7ce1a1e6815e08a6095

SHA256
c41910ae506b3b19c61d7fd9ff985111a3549bf70cafeb2f25a83127adb0af38

SHA512
92b6b35fe75dbad38e48238cc42fd879a95fda32b2b5cbfa16a63473db277a94f92f93988118a08c0f19a07ea0c4a71b5b6eb8ab747eefdc3e2465771961052b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
5991b1008ac4a586a5d08638492ecb1c

SHA1
00c88aa18a0918394701c038a08e4d68811623e8

SHA256
e3b1b5ed46acac150750c24ef0ff856441a3efbb4a23d4bbad57de4c6d1a6c09

SHA512
ed65f7751aa657260e560f422710d193148d15afb80204da6a60362a1783c83e563a724f835d309e9622d17110bc1084f10483884a4cabdba669b86194d2b4f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
2652cb87261962ea1448d3121fc2fe57

SHA1
912e37261160e2d8f3ca449bb7c1f47949781a28

SHA256
5db613842cfc38de343c29ec5a64d0c89ab47c384623688c7a6b5976f08efcd8

SHA512
593368dff8d2d7365587852a411f35f2cbc739675c13933e74c0119114fad431296ff55de17d47f2d47e8cc580139e3ec82c01a647b5ac7d512ed26d323977f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
7b83720f28b0bba8ccdffe6cb2744cf3

SHA1
79b9eb2949bde598cd7dea55f819db59f07ae974

SHA256
a617096f698b8bfb61118726ea491402b1113157b4f756be17541ca53fb81c5e

SHA512
8886cb72186e59f24aeb7fac5b3968f8c2860004ccecc5330948e88eec596fa2aa40718f110c4bc56448957e07f9d0cfba42ad78fc7ac82d855793e8319218cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
a265fde5315e15935294520e43f4303a

SHA1
72edb002a7330c35d690a1e9e8eeef4aa443e47f

SHA256
866709fe5552aa0d6353772f570f344730649e6bec383007ec101dac8c9df05e

SHA512
2d0f96e7717660f518f4946ec08a2b7c0d515598bbfbe72c817de524d0f37e08988236b463a912f10f79a533722852974d464ef9ff6cbc9e9a8e3a015af5bca5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
7ce23be86d4fa1cd2ec2b06ab83cfb00

SHA1
389d9a83b25a2c60c1ca785ecb8d876b418eca0e

SHA256
539df6661230f7590449842862fc9c65e121b7d2d537c54c1f16e680833c58f4

SHA512
3ad0247d4060e6e7ebe3cf9d60c90f9ced3f7d769d7ff187f605b9711891ed8e86518e04f511956d6c16498ae2c3db7c19159d8b258cd98237ae41fa661751dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
95KB

MD5
35cb918b5396146f417da7f508c0430d

SHA1
6ae6256cbb8937ed6234b520f9ca23c7a8865223

SHA256
76eaf517fba1499a8f3481c96442f47bc49c3a88a887294dddb42154c4b0e4e7

SHA512
7e64a6b5fd3db0345fd866bc77741d0c29def6e0c24ee7afcce33465f1b38439dd66911f515a789cd424b855ee788af1fea0fea061368e7eb406e2491919b21f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f54d.TMP

Filesize
88KB

MD5
f99143ade956c2a8f37ac298c73a8c2d

SHA1
2fd3b80590522daeee99292112da38710c27a428

SHA256
b54ca98b9dc763b1ce7255a1057606c367adc1a20220343d4c2d3c3c2cc60ea9

SHA512
57a4a2789cb0a0be8f3028405e1295190ebc9fab4d7194bd7e2506166b6b279c34684a51ae56294dd19979de59ac977ee6f247630fa6ec8869d183c70aed10c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
4d9d59585e7ba0a03d0b6fed814058b1

SHA1
1b4c9b99837a208b7a521842ea4146a0736c4366

SHA256
ecbb07b6321f0005307027c77aeb3f9f47be0a8b89b9685463667082a3b2e426

SHA512
0f2a23577c821a3e699ef1cb31e2527e5b48718c9481a481f40328df5777c7d276ef70dd3a0adcd25e2278b8cc9243d863ae6f07a5879a81c1cb025333f8147e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
3a21f7d01fdf3eac34c597f93f2bd985

SHA1
96a815db91d888bf1c06f418e3e00e4b11a2278d

SHA256
cf835f1578afc41903a1809f846e6f2a828a77ec0d63fbc2217cccf2e281b20a

SHA512
456e9ad9553f7c06cbdc89fc4687ec63a0aa4b39b35328d99cbd3b115ee1eda2ff75500986d33e70440c3b8a5a90018fc4be0369df901d5290d38f9e7ff25bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDFCE2D.tmp

Filesize
3KB

MD5
e310e5578a38aa0803fe501af84e061d

SHA1
ec4e52893b7da842778df8d6658b356de731249b

SHA256
904b48d7f7c6f079ddf5453bfe05bd98118a7e69d0bba17a75f2209a7a5389bd

SHA512
36465ac3ee139947b6623b0efc85cbf66dc8640dbb41abb613057b7d4b48e816bb67cc4893bd994f4f81d2978397f0a8361b2300eb5fb38cb0dcf01a546bceb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5xb4nav4.p2f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6675.tmp\NetworkConfiguration.cab

Filesize
1KB

MD5
6871cf97330fa9589484a71a16a0ec29

SHA1
e601e75fcde5912f3fe9ffc2f3049581944cf2eb

SHA256
0f4b1bb6a22885dbcf5968f90b781b5fea7718fa03f51de02bc2e8869d9e6307

SHA512
fdcff0a105bab4926d8b2ace13e3a217f28737fdc9fcd6f115cd2db00e8ebb4af98dd303bc75724b97c8ce93777020a207b367bdff668c29263c2a1c9a4998e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6675.tmp\NetworkConfiguration.ddf

Filesize
231B

MD5
00848049d4218c485d9e9d7a54aa3b5f

SHA1
d1d5f388221417985c365e8acaec127b971c40d0

SHA256
ffeafbb8e7163fd7ec9abc029076796c73cd7b4eddaeeda9ba394c547419769e

SHA512
3a4874a5289682e2b32108740feea586cb9ccdad9ca08bf30f67c9742370c081ad943ea714f08dbf722f9f98f3b0bb307619a8ba47f96b24301c68b0fd1086d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6675.tmp\ipconfig.all.txt

Filesize
2KB

MD5
b1a9fb141db4b8bd8811b4f80763af26

SHA1
44a79a13cd8564fe078ca2a5efe8f76a0f5fe73e

SHA256
9776be5006ac5a49f6cd428303801b906fec261d40b4a95e8e97e449bc81f117

SHA512
25f2bae839bbd79cc927ef4b86928154973ff097b6932054d1a6f8889ebcb5ba7160db618424dfafe4f7260934444bc174747955d45216afbfa91108f080136a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6675.tmp\route.print.txt

Filesize
4KB

MD5
404a4b3801c005d7c5f186f957a4f7a4

SHA1
81f81834299e88aedd244fec1b97ca279f72c2b4

SHA256
8e1fbbc3c4615b6d010af5cf4384596eec66781181f7adcb83b893b60e62625c

SHA512
15780b65d556757d4679d752668b4be08cae39c163a7661d4a1362b6af28cb9bfe945e383a91a020de9c25dd25fdec0f652b694cc94d771a722899e47c751faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6675.tmp\setup.inf

Filesize
978B

MD5
bf09e68476038d98804a7dfcaf0f61fb

SHA1
53d26f3257f000baf9f5e13f0e9f69df91156812

SHA256
4ef13dcf36c5afb6c1733d69f427469566d6bda132626ea86f9fb65a100af7ce

SHA512
736b0e01afd0d69d0633bfe9ebced8b471e26451bab1126086b365d39745b27454ee0170a5eb13a585096803e7d9f625352a0440f4daf980f86965fd8e6d78a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6675.tmp\setup.rpt

Filesize
283B

MD5
8ae15003813f7193b175c7e12ee474bf

SHA1
b874478456f8aa076aa36eab77c843a9a84c55a1

SHA256
0377dc2d9859b22443dc8ec3cd03966c2f9785736e92c92367f0b1f698d3f93c

SHA512
33a507996b704ef52cf01e6bf9ba2ef048e8082e78dbd2b3653756b4c3390aaf0836aed8f3ccfc01851f3a0b880158a00ac539777dcfed3376300b12453438c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
6KB

MD5
be225e79801609f6dde8264f9df60475

SHA1
dbde529dd3530838fb87e27dfc9f56b13ffe65f4

SHA256
92bd2e7630ba1663dd5f06783a32daa312e8089a9c2a62a0026ec7f46c80e4e8

SHA512
9d50c6ca47ba7d0c6d20e0c0c1d5b199372c6d18f6e767465ef39b437e947ae877588dfd9a35faa0892fe42616983fbc5ed0b0438fd5462db24f161c79a871f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
7KB

MD5
94617fffb585cebed9d49b1be6e75b5f

SHA1
29587903dfb951d4f0b8ba4027b080029f692e21

SHA256
0321b1e28463fff1502e7011f6ff34db6b9653baabde53042cc9cd37c682fb3c

SHA512
b4a098bd978f07d3a6fb78ab7f4d88f04663d5c382e9e707b649c0a3ec9c0d817b0db1f5a9d673098859f69fbb1cfbdf81dd07ce4f97adba63fb47e40653a530

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
7KB

MD5
97c87c3bc46525d04ef10f652971d022

SHA1
885f4e3725c349747f315b02bd12bab16ab7a03a

SHA256
aece40bf00f81c50bd6cf41c006476f1221629bcf17998e706d0d0159e9f0b14

SHA512
f4a148fbd59faa7438648ce74abaf654f0ace2ea25506206feca2c0bb4865ba70c603a19bd9a4770c4f8631a4172c1288f38910af6eef45cd26c65439df4ad84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js

Filesize
7KB

MD5
97cf40eeacc1b8a3a89539ae0f4515b4

SHA1
a9aa08b0d3fb61ba1b297e29672a20f6ab7a6cc9

SHA256
220b65cd05988fee6a9082fe10c2609e7227a51aeb258b29c32e1930f9527968

SHA512
bb3f4acbce68b9b7c2a16715cc37248fa2e6c1bd04e2fe0c571294196005ca70b883e53a61bcefcc463ab5f3830774c507e02d56ed021603ef824a490a156d81

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
11d6016044485ea2a273e122286eaac5

SHA1
fd5f57e1fa683773771f2e08410a57b5c1b9ddb3

SHA256
ba8507f8467144cf94da680654b612ae9812da2dcd660095925f3608716d3467

SHA512
ff627fdd04928840d26da67f942f005c815a7be8f868ac3f563414e79b26dbb6bc533dcbd7070ef37e8426169b788c6435c542881bc4c32c4332d163c7577585

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
837fe411862d17e68f4360ffa2d31da3

SHA1
e3024fcf3a19d58624e9ad565fa83e41dac4f11d

SHA256
2bc6a9b0c6b600f650c39e9bdfc411a2d0d01b66fd5a93826978c76643954e31

SHA512
a968e19ed9b8e244418a53d6770c5fc1e05dd948c04055e7e6d942d90431da66e6e7ed519693d25b1414049323fa6d12ea9c49432fb4fba39fea3b819dce418b

Download Submit
C:\Windows\TEMP\SDIAG_413670fa-6cf1-4536-bb00-08aff945ad39\NetworkDiagnosticsResolve.ps1

Filesize
11KB

MD5
d213491a2d74b38a9535d616b9161217

SHA1
bde94742d1e769638e2de84dfb099f797adcc217

SHA256
4662c3c94e0340a243c2a39ca8a88fd9f65c74fb197644a11d4ffcae6b191211

SHA512
5fd8b91b27935711495934e5d7ca14f9dd72bc40a38072595879ef334a47f99e0608087ddc62668c6f783938d9f22a3688c5cdef3a9ad6c3575f3cfa5a3b0104

Download Submit
C:\Windows\TEMP\SDIAG_413670fa-6cf1-4536-bb00-08aff945ad39\NetworkDiagnosticsTroubleshoot.ps1

Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_413670fa-6cf1-4536-bb00-08aff945ad39\NetworkDiagnosticsVerify.ps1

Filesize
10KB

MD5
9b222d8ec4b20860f10ebf303035b984

SHA1
b30eea35c2516afcab2c49ef6531af94efaf7e1a

SHA256
a32e13da40ac4b9e1dac7dd28bc1d25e2f2136b61ff93be943018b20796f15bc

SHA512
8331337ccb6e3137b01aeec03e6921fd3b9e56c44fa1b17545ae5c7bfcdd39fcd8a90192884b3a82f56659009e24b63ce7f500e8766fd01e8d4e60a52de0fe67

Download Submit
C:\Windows\TEMP\SDIAG_413670fa-6cf1-4536-bb00-08aff945ad39\StartDPSService.ps1

Filesize
567B

MD5
a660422059d953c6d681b53a6977100e

SHA1
0c95dd05514d062354c0eecc9ae8d437123305bb

SHA256
d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

SHA512
26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

Download Submit
C:\Windows\TEMP\SDIAG_413670fa-6cf1-4536-bb00-08aff945ad39\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_413670fa-6cf1-4536-bb00-08aff945ad39\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_413670fa-6cf1-4536-bb00-08aff945ad39\en-US\LocalizationData.psd1

Filesize
5KB

MD5
380768979618b7097b0476179ec494ed

SHA1
af2a03a17c546e4eeb896b230e4f2a52720545ab

SHA256
0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

SHA512
b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

Download Submit
C:\Windows\Temp\SDIAG_413670fa-6cf1-4536-bb00-08aff945ad39\DiagPackage.dll

Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_413670fa-6cf1-4536-bb00-08aff945ad39\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44c4385447d4fa46b407fc47c8a467d0

SHA1
41e4e0e83b74943f5c41648f263b832419c05256

SHA256
8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

SHA512
191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

Download Submit
C:\Windows\Temp\SDIAG_413670fa-6cf1-4536-bb00-08aff945ad39\result\1A9CC4F2-CE71-464A-B5D9-A3B736A8F930.Diagnose.Admin.0.etl

Filesize
192KB

MD5
e7e390b7852da680d215a2fc3c1af44c

SHA1
301aa001ae5a7fa6f9734e1d1157b77a04170f26

SHA256
10265602e66dae368008971f93bada47e33e6bbc7dc1eb15d5c7ddee12185b77

SHA512
b591e6742f9735fa530dfaea1755ff24da990c7892e3133e4cd6eb06eab455b7c8f31d4a32436f5d799eb312e9cc7cfe8104e004683031724a04a53c0e13d5f6

Download Submit
memory/680-483-0x000001B4F9E20000-0x000001B4F9E30000-memory.dmp

Filesize
64KB

Download
memory/680-487-0x000001B4F9E60000-0x000001B4F9E70000-memory.dmp

Filesize
64KB

Download
memory/680-491-0x000001B4F9FE0000-0x000001B4F9FE1000-memory.dmp

Filesize
4KB

Download
memory/3180-504-0x00007FFF9B3F3000-0x00007FFF9B3F5000-memory.dmp

Filesize
8KB

Download
memory/3180-455-0x000001CEB3A20000-0x000001CEB3A42000-memory.dmp

Filesize
136KB

Download
memory/3180-454-0x00007FFF9B3F0000-0x00007FFF9BEB1000-memory.dmp

Filesize
10.8MB

Download
memory/3180-444-0x00007FFF9B3F3000-0x00007FFF9B3F5000-memory.dmp

Filesize
8KB

Download
memory/3180-506-0x00007FFF9B3F0000-0x00007FFF9BEB1000-memory.dmp

Filesize
10.8MB

Download
memory/3180-610-0x00007FFF9B3F0000-0x00007FFF9BEB1000-memory.dmp

Filesize
10.8MB

Download