mercurialgrabber | 3759744039346620e9613f40f90e8f318e5f54ad49c070e2bd23b667f7e65bf6

Resubmissions

12-06-2024 16:00

240612-tfqzrsvcnj 3

12-06-2024 15:48

240612-s86p9avanp 10

Analysis

max time kernel
600s
max time network
601s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mercurial.exe
Size

3.2MB
MD5

a9477b3e21018b96fc5d2264d4016e65
SHA1

493fa8da8bf89ea773aeb282215f78219a5401b7
SHA256

890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645
SHA512

66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c
SSDEEP

98304:5kjozJ9/im8XVBKl6t1buVfRhq+5tXzgCa/T:lzJpjS346t1bIfuq07

Score

10^/10

mercurialgrabber agilenet stealer

Malware Config

Extracted

Family

mercurialgrabber

https://discord.com/api/webhooks/1250469925844422666/BD-Tigm4fkPmP0RlEY8wwv-FWGIHKBjbd-FhybGk0UlWFhFpFQxr9bs21Y5aaghj7K9X

Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber

Obfuscated with Agile.Net obfuscator 11 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/3476-5-0x0000000005CC0000-0x0000000005CDC000-memory.dmp	agile_net
behavioral2/memory/3476-6-0x0000000005CF0000-0x0000000005D10000-memory.dmp	agile_net
behavioral2/memory/3476-9-0x0000000005D50000-0x0000000005D60000-memory.dmp	agile_net
behavioral2/memory/3476-10-0x0000000005D70000-0x0000000005D84000-memory.dmp	agile_net
behavioral2/memory/3476-7-0x0000000005D10000-0x0000000005D30000-memory.dmp	agile_net
behavioral2/memory/3476-11-0x0000000005D80000-0x0000000005DEE000-memory.dmp	agile_net
behavioral2/memory/3476-13-0x0000000005E40000-0x0000000005E76000-memory.dmp	agile_net
behavioral2/memory/3476-15-0x0000000005EA0000-0x0000000005EAE000-memory.dmp	agile_net
behavioral2/memory/3476-14-0x0000000005E80000-0x0000000005E8E000-memory.dmp	agile_net
behavioral2/memory/3476-12-0x0000000005E00000-0x0000000005E1E000-memory.dmp	agile_net
behavioral2/memory/3476-16-0x0000000006710000-0x000000000685A000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
150	discord.com
151	discord.com
55	discord.com
56	discord.com
57	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3169499791-3545231813-3156325206-1000\{A4771CAA-61F5-4F81-A883-8F2D5CBF4A83}	chrome.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3476	Mercurial.exe
3476	Mercurial.exe
3476	Mercurial.exe
3476	Mercurial.exe
3476	Mercurial.exe
3476	Mercurial.exe
3476	Mercurial.exe
3476	Mercurial.exe
4988	chrome.exe
4988	chrome.exe
4860	chrome.exe
4860	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3476	Mercurial.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: 33	3568	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3568	AUDIODG.EXE
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 5116	4988	chrome.exe	95
PID 4988 wrote to memory of 5116	4988	chrome.exe	95
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 3412	4988	chrome.exe	96
PID 4988 wrote to memory of 4556	4988	chrome.exe	97
PID 4988 wrote to memory of 4556	4988	chrome.exe	97
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98
PID 4988 wrote to memory of 4520	4988	chrome.exe	98

C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
"C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z0ckg5ci\z0ckg5ci.cmdline"
  2⤵
  PID:3760
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A17.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFA9B8512A3C04F848EE54F89CE90E626.TMP"
    3⤵
    PID:4208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j4znmtlk\j4znmtlk.cmdline"
  2⤵
  PID:2460
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC78.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF0DD78CAE4414B9892CD28B25A31EA8D.TMP"
    3⤵
    PID:1748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc7234ab58,0x7ffc7234ab68,0x7ffc7234ab78
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:2
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:8
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2284 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3124 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4360 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:8
  2⤵
  PID:3468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4652 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:8
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:8
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4928 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:8
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:896
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x258,0x25c,0x260,0x234,0x264,0x7ff6641eae48,0x7ff6641eae58,0x7ff6641eae68
    3⤵
    PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4728 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4024 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3168 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3160 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:1
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5012 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:1
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3384 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:1
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4268 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:8
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=1528 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4920 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5252 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:8
  2⤵
  PID:676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5408 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:8
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5560 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5856 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5924 --field-trial-handle=1840,i,8653282446233923186,486887086307855309,131072 /prefetch:8
  2⤵
  PID:3760

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4200

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:716

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000048

Filesize
107KB

MD5
171e6cf25882b3de492c41615a30e2b2

SHA1
a8f030a4d782753a125490db737e669e398cabe5

SHA256
8982eb7de3ace95b0bc0377bc1c343d73644a7557dd262ab44c1b9c60054ce1d

SHA512
0d09e0a7b84484dfc1b8c5a4ceaac2fdfbd8b543ab81ac3333be4cb449e01cdcbbd03e60ecac5c5d7b9a6924c23544493dbdd8385fda43d8662f4a189f392f79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000049

Filesize
204KB

MD5
80e22d8522ac0cbbf0dafceaf995dd8b

SHA1
1735dfa82bf98acb25a88856da49b8e5f598456f

SHA256
4112206a7dfcc16cc5fa963aeb6dcd2162450514e7ad1588728e3417b285632e

SHA512
79f808d839cce99311b5f98fe265e62522326895f8b3283d2a537685ea512d0363b922d41068170030b9ce5d8dbb6e8f5189793c25134fef98961f08b507d0ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00008b

Filesize
202KB

MD5
6a16cbefd2e29c459297b7ccc8d366ad

SHA1
40da0213a9e5ea4cb6948f4a8e92b5e8b97e6cfe

SHA256
9462da5aa6e2a762b02a24b7305bac86349e5b5ea182d36fd6a163de550cde60

SHA512
6a9de0231f9987554a20208a89c6c802d28c57ecb6f9e95771c94156b65c61ac1e18298ce6d3f0559d3a08052845cc2014dab335e119fde731d745e4857b7d74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00008c

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
bbf3a2926e023fa0cfec9fbc229ddece

SHA1
92fa4305ca3fa3a28c88276f7d476c4d5f86614f

SHA256
452b817f60d600571915dd00bc07eca53cd5d5a98e38f11cd8710f557bc60253

SHA512
c2301bd293dab84518c3fdb39da72f0df5ec38c6545ae14ab4b2f9ba1b90d2c8f314a08567599936bf529a9c5e64a6929db360cdaeeaf30a667dd24e09d97204

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
5888bc3d6d96ef4f3dec793c088ed048

SHA1
9350bd26601c49ccd026ee1ccd7e74db589641eb

SHA256
f89ead6bbbad88a6384fa3ea8ecf58ab7eba3f85ea8caf88acf49654d193221c

SHA512
e7e5d21d7dd8997fbb4d3756efdf46a1ea3a1f077f092c517ace0aac0a8ed2fc919aea7fc41ab3e1e108683cb2660a89193dc3e4205fc8253559f9f571998770

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5cd93fd9af847be19ba1a5a348bb31a5

SHA1
806b69b9a5baf58c63474e1c02e14c46b62fb138

SHA256
a60be5e41ccf371301eb6e4d964939f9d8d7149be80706f3a2dbf7057f8e75dc

SHA512
759afad950a7f568039a38ddda13a23d7ca9b2ed9857fd38602af003575965b9aa44d25381a561b6b601097fc240443dd9d93688b76a93bc3c83de153142c03a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
ef8cb47d124f50bb7e35e1682afa6c2d

SHA1
19d066c9615c18b64ac8fc6c20d418de748d8395

SHA256
b9a547b5219d228b8ae6c126a30152b376e988f99c2cd46f7b2bc1ddf892d07c

SHA512
21a3372d76ce14a895f99fd4f4daa1674e878e20a26bb28eb09af0fa99adc97b17749c1a4d678cc5f6e0b9c26b08fb8a6dcf2e0d21431675585b1b1ae9db1202

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
38dbc41de054d37d2bb2b63f50302e61

SHA1
7f09c6668d4b4e42871f59ae3ccd1e507dde4061

SHA256
57581e0a5f1889e06ffaf3ee644b03386bc315e0941c3a83ff3ee3e73a14d120

SHA512
41d216f89beb466a1df73351e2fa8b6840e1f72f78a9a9dd80271c4e7a797bad7cf69a0d0a354167639e18130aa9c3015144f2878161d4f034aa782e28c88bb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
1ea13c1a99f480a1793ebb8a78f2b348

SHA1
2146a2709fea64442e095fd27e5d62b960abd113

SHA256
26a4762e69152bb065738aa106300abf33f0285588a6e4ba9f821122cab84e96

SHA512
eda72f08aa4809d42cc70da3b8e68dfaf8737177c99d1d05dfeca7552d69910329dce664ba165237e7f8ec9dd73c58ff273c613e0bfcfe30d01ac3bf47b66162

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
0aae967c78d74d06a42bc5cf0671169b

SHA1
cceae901f8ee4034d1ca2f7f6472bc7b01b1963b

SHA256
202b9c2763a3fa30b0aecdf3954280c9388084f3eb2dbc20c267ed1c4639c64f

SHA512
0f4a5918d90984eb29f92c7cf2a9305cd2a9b2b4bd28a622c8afa44aa1e463c3b3de1fbe58a6ba1df25f0b8ec1421ae4326c07c3399dd8675b286ec5fa28c72a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
7417de58af1940728259b3e57ed8047a

SHA1
83d85de560c2ff203db3213beabb7a44b2b86f13

SHA256
241635fc5a8217b4957f556bf9d0ee12592d555a39b4fd58551ed1ed0842dc30

SHA512
4553c895653b625963e4fd746fc9d65d292c61f09fbe3ddc91a91b8a90d34b2f5b47e18934931b7f0b8a004988ca9207898eb2dd9bc098bc6a84c309811cef80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a0f92b84a43cdd70b1871c21e768c62f

SHA1
26b39180a6f135bfdb2543a79769b23fb3f70b01

SHA256
65e317ade17002c22365792c5a560c3fc087c3f3fd932550fe980166e266e700

SHA512
3b8dbb12a5fac09c833924059a04c6c4509b611dce2f345a080578e55bcbb8d7d907879e6101fb7746df045bd9e7dd2f036639ece191d050ebdabf4f915a59cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2075f50e9d3e487e74a2521b6edeaf50

SHA1
4992b55f39af5c3192541c7e6b23f8e2eb333148

SHA256
eba4a3b5f6a2838510ce833f86196c1cd855d9663fa2d0c76ec1f09c2fc2a79e

SHA512
d73688dd97e1545305843812a6dc45ad9495c39d960031cc7e622da78300eea8126a00bd1151982f91c8c36aa1ecc2c51b94959237d926769957679d695c82c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
56580ff0cee2200b4317fb88b85c5274

SHA1
658ae2867341a919ecb71d09e3cbc33e33b86785

SHA256
5fb56b6a570db6e3255a03cf69676d35fbd1fe0e6fa76b8babc0947d7512d6ff

SHA512
2487d4face64334396f281d9d8de3d78233a4b324c2d5d6be5eb99f2471d27d90a25abe49c54defc364b8568af16e81ca78e40c0e2e7c7d21c548921aa5c4134

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
629c2e2a70ffb091f677766b5d171942

SHA1
aae14d0e3782d2476632cc247b249bba41ebcb6e

SHA256
1cbf8ae398647135fa324565a719d1e0ced610082c33faafc41298122dc24cd4

SHA512
df7dcc105d260331b61d6c50ba9e2c9c6bc1a802e3aef33bf78ef05cbaaa8e12259fc306b720b7d553b9e4af832d7005b0d7bcd17d22ee7f214b64286e0f9313

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
c09a965b08f91aa1a3395ca1d8eb36f2

SHA1
4f70639684d0fe23909a43bd4f28dd5f034e8d74

SHA256
e3bd2742e168231e438408af5d0b15fb06ea10ec74477660d9b9791c66af719f

SHA512
287be5b13ecfefce6813e4c14473eb3a285af8802346d8e5a4ee30c9c04d600568fbc08d0b131afdab2062544e3ec3bf2f552445aebbe8eb7f5cd9ff55697472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5209131e2503a2330afda7e941f375bf

SHA1
4dfd508ca75535ca97ffcb2670c4417462660ff0

SHA256
fb400572b9bc040e93bd4d4c2ff7fd55c8beb90423eba1db23cb83c26cc649a3

SHA512
03d6a6ac58ef425f23483a21045ace57afea79bdc4f4e7377c55cf59ea11733602b040b63b218da6c1d9cdbd0f02c828f5a185818e6a88bcf43863c88f070c57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0f57907acd11577cecfa32888abdb389

SHA1
ec06cc475d16237f6e51b66d2eeafd8339d27755

SHA256
9655d0878f2838cd6e9a48b20a88206ad35123389939cba1312a6566c05b4fc6

SHA512
6553ad9556e13b0a08a47c8448ef01ab78b13807f6bfd8a9915d0e4608cd70a57712a83c58fa377abb2090dae6e64ed1697fc0b2732b9ed7af557514690c0eb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
4a03b3ad2e2731511aac716503bf44a3

SHA1
aeadcb6e01054aeaa68b4f8f411c043748ad2b92

SHA256
90243f75015db6bdb73f74f699827377766d77062b667fb3791aea787bf13c7b

SHA512
2ed799f4da60fc72e61dd753f905c28707844d64b551223dd55aee39c4ae2bb99713b0f0dc92b56977edfd7b09c5d65a7075a60b5721d96d4710a56ad465864a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ea61a848784aabe9b2e475560c87554e

SHA1
49f81dae2cf275248851bf3f65119216115c5ff5

SHA256
6b6b5baa5d02fa414a89753057280672a65b824e60007d06d68471ed0b52a323

SHA512
28e624cd3ac4c4b0c49e1a072edd3f7da74cb6070b07763acb3de884f07f2e2d30727302d107bed841999e4c8158f445e0d1be184649504057501500bc3de8e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
37ebc83c96167b902dd48c28d30f91a0

SHA1
b83a667c568c42e8464cc664405b06d6fff94ad3

SHA256
eb479bfeca7cff2b9511b4752c6892cd8a7e8bd3901b4abd03bbde50d0fd921d

SHA512
1fe862e9824b4b59fe048f31f73e03f4d4387949125463d0f03ea08ddd63c514fe7ad9c13d90fcedcfad9469ddd43e12d3f5ef3c52c32d873496db1df04c1d4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
449056d778aa79ee6edca8da49bbbdd9

SHA1
4cd838b231131262413dff1a5bce41837f96ca66

SHA256
82ae2f571ceb6d36c2711a024b2d98f523b9ee7e63753bddaf3b03a492447da7

SHA512
4b1bf7fb43f4129c74d5bbcbe4c1f85c1d7e8e8b5cc855ff7e9585f1d55722b6bea8eaaab22948c2cc6a5123f202bac85cff5730dddaf48d6213475b605776b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
074b85edf5118d4e127bf14ec2cc9488

SHA1
f5f11c8f6c73876389f55ec6216d3ddc03af6a56

SHA256
0f502efb3dfcc117c89ed6c2165e3c0952a6b346d229cf1b48db80749e3bf791

SHA512
928441fc78f72059a3620ce644b8349e14f7baf8a6c1acf12739fb384ac8e5f1180cec1d1bc1c971aff6f4a81569bc983fbf2313e0801cce18875edf3fa9bf95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
3a2a91ac5cd0a2c96d2f31176733a854

SHA1
4a6f05a5fb49731a92a21d8a11c09d1706a5ae6f

SHA256
4f6ea89d64e3e150c43eb3edbb7555e7ca748b4a3cfe1f5839940b3b33e918f3

SHA512
44ce03de3482a054801c5d9aad7a7521e7ef48713f9921f4457a3981208e158b129bfe28806ab5ab9fcd3feb43f1895b84d0f782c95841de7e34db56c33c6080

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
e58ad46d5eca61872ad2c1748c974b1b

SHA1
6c11ab0031b8114ed8e0c0c02e2efbca6ee49c86

SHA256
81146e04648861b02737fca2f6fdc8b9139287018229d0107c3fb9d28a27585f

SHA512
0978245a33b585e0bef2008540bd36c2e79e54d66c6e0dc56c8663b76152f86bf0095d45fb374327e3984caf82880b1c1296e33ddeb3f5b369cb65bd4978fa19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a9867dd4d27407876bed2a81da017596

SHA1
09c05c0e9352b18c715e63452fbf53a345ae1863

SHA256
e58122aebd3fd80be0379688edc51f0fc4ceb51ccd0ad18fb395c45c5f1f19c5

SHA512
59ac38970df257e6bc16ba717c934f5d67cbfc507b31ab2dcbf1e17b179aa36d0855f03cbb8bd7038f2d2c70e5c86f8af91bde0f5914696bc2063f46b168d9d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
82a0ac3c965e31c6fa7d7fea53dae1d9

SHA1
734b320d81360e350b0013272592d81933f9c9dd

SHA256
549effb84c015630a86e576c41281e7d398663828ee74f30b3f674c676b90fd8

SHA512
771fb6447b600d3076bb3295a73873c1b1b3e5114dcce0b2ea1eeef7c8f05662743e6deb960b3d54115418944fb0c128bca0165655ab49bbe0d8f3bb54dc3bc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
33ac0c5cfc30414bebb285dfa041be0d

SHA1
19a3deb57f7a94eb0c51d2683c38852813cadcc0

SHA256
2f9ac977bae6e8f00e048c67c848641d9f86e218904974852117da3600b10ec3

SHA512
7a9721692d7c26211f5b64e7155de124b831e3fd84c0a9c2170a2ba651c92ad81b95ace6cdd9a8c06772e5a61ee41a021d20f0d9c74745b2c2e73f9afba2aa5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
9e5d12e249a10a189d2fec23fe8bfd64

SHA1
12e05c74ad18cfc4712a704a9afc5feed508400a

SHA256
1f4dc6a263a6b29a35c01fda3fafaf6b7268f029fa7273dced6d255e3ab29908

SHA512
fed67602b9a78b2b7a30a4cb79fb63a235fdcee1a46f25b309788a1386c4e000be3292e1c074eeddacb5ece839d531353a63e9a5ac3969d0fba014643e74e77e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
b2dc2696d77a73d3d209290887c96a9b

SHA1
e44e69afaf7cb928bc953e2b099d6437bf58cc64

SHA256
d350c16130e41bffd9953bcc7d7208ee6f7141cde3427a2f8c7dc629118f437d

SHA512
3955064f65978197f1436b0de79abb0f66a765397c411916e7ee77eef3f887226cd10759d4a2f466b78b85d3449b39ea0130775650cdb037ede0482b85785403

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
273KB

MD5
1d5f2fabcf3cb24028a3551a4d3037a2

SHA1
931446606f1b335183b2453a4aa835ad8c1dcb43

SHA256
f888789d72d419d35b5fc0b0114d22ea5caef50db6066f5008cf5a0f48cbba8c

SHA512
b228fe6bfabb9f9428666e58d8e12a4f99c8c9ee6208ae1fa3f2df80229580c4107eff632d5c0b7fc6ec2ea6dd35e5cb7b25051e95ce4654bd79294bb9b3830b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
273KB

MD5
755d797be5977f86a75b8a7da24fefe5

SHA1
7f35ad25d8c7c2e73bddf91c7c704dbe3b3b0704

SHA256
8c88be582972841eea68c1dcac4364c48d583d74ae629b1dfd18dff8d7c9f3f3

SHA512
a42543945ab52253a746ec3eca4430c3d06a77675c099bc3c4112e210a1b6f1d66f0af424a3182db81f4a3d453f404e5cbba3419049e3e8eeff618ec502fdbe2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
92KB

MD5
f5b0180e8da64cbd479994bccc407d05

SHA1
ae3a7ec2c2b3beacaa4eae4bb37266e08c4a6ce0

SHA256
40021cd0e66f926329bbf0199d4a2044a22fd810f7ca3d7e11eda06e5c2a87e4

SHA512
da817f01586c1031a197319a2f3029d880299c675dd1e35564a62c722bee6cecb3dfdaf95de77c2c8719d1f0430d0fe6f24a925af9bfd7dddf0545a8b7104231

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
94KB

MD5
9dd5c690352733b23bf237942360c34b

SHA1
09f9c6bc5af9b19f76b7b633f868bbb3703d55e8

SHA256
78797cfc21d6d5585e2f2d0c151ea9d021cf31d13a998909b8922adad15067ab

SHA512
cbb6a366c081780900e4f29c4bf388de5d556b7bf3ab82f1cd448c8f83b51830ef9ca7fbec4a4c04d3b0634e59f34ec6ce4c219cc9b14073c906505b68c179ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
93KB

MD5
c289ed5a8a7eb461e9bbeac43d491529

SHA1
7dcf25e019843405397ae237ddd79467f566c5b2

SHA256
c5d25de7a0f072a2bae2fe1e7febaf87053a4f031ef6693098eb3e935c44228e

SHA512
ec024761b447b8c722f45dd79aaec27ef5aab331043532ac3e4875dfda02f845e27f1f314c0184262f095e241f798beca4bd2fb1f9027782e7cf48d937e2fc9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5ab23a.TMP

Filesize
89KB

MD5
c34bfbec0714df1c016106528aa9e32f

SHA1
25f7b8f4a2122b6d20b63d3e47e5800669fd0691

SHA256
11a0c219b1a9274f2bd5aa97815ed3a373f2ce4e894a8ef9d24a1e2b9e7e11ef

SHA512
878b6b8e72dfe30673166b83842b8112764f73160dce592f8126fe80d2692471e137e16153884dbcc6b66da73cb22b978406b269a637e1f8c0b347254682a9ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4A17.tmp

Filesize
1KB

MD5
74133c168716194434757b089e693dc0

SHA1
0995533a7f606834c8a60476c2190e6bce232bbf

SHA256
39cc73245d79c6c49f5bb221d7c8f6f08b8abf458967981f78bf4e67cb1e5475

SHA512
16c397a49f195f65dd3b1e5945ff008947ab6f076ec299dbcdf5f3d306845f1905a54b7f523a4e0ca3ea230b0c86edad430b4227375eab584d628eab267a905c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBC78.tmp

Filesize
1KB

MD5
d5adf8ad923f1498ee83632bc48b392f

SHA1
d36e624d76f6744e6a49afa90560372d75648806

SHA256
4efcfa789a83f90bce441cf1972352d3842d68a83a6fc7ba4cd2b83657a13d2a

SHA512
7d5193dad3a5d03275867d7bed8101c8c0a4719025bca53f4f7540a92625b7d140a0e5c1177182a59b24eab0e26519db04b0399929c68579cda35bb956c36b75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFA9B8512A3C04F848EE54F89CE90E626.TMP

Filesize
1KB

MD5
b8da7e4c0d9192fbc2d70dce588b8a90

SHA1
e1ae41b169fe97551eac9131ee3654ed038c0f04

SHA256
3dafa0f91e5f49e3f45113c6e2aaf8d94f08cf4170b380c0ea4383096982bae2

SHA512
a142a5e2a28c3f3fca74f2b16e119cc3146515c464cbb6dbfa4490978c314761addc8e221f69f57720bdfec051ab145d035540013eeab84c14411b32afea3fd6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\Minecraft AltGenrator.exe

Filesize
42KB

MD5
b75c04fbf7d7f3ca6f785f8828db5d7b

SHA1
55e91adc0406b5ba4af6e8abe59cf57928ca8638

SHA256
ee13f588802a2eccb932fe5efe282b6d4bddee2013164f2bc76525c1475a0cf7

SHA512
deb7376e577fc47c5628faf1e706ca27eb251221fa645d3bc1c4971b8029d2e414eb3a79ec9aa017c82a8a1ae2c22446a1d85917083162c0de266e330b57b8ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j4znmtlk\j4znmtlk.cmdline

Filesize
848B

MD5
c6be19c24ef6a8e1d0025d17208c5fe8

SHA1
2feb350aca9fdce7691b16a77977f5b78c696c9d

SHA256
a6a7d47eaa90ab645113941fc368821ac0a20a412c240bda28bb392f307f2bc0

SHA512
a44fcda3040d4af33730379e5a3fcc66aa0103f78cba3465709a1dd60de0f8a6f52a39f05347190403ed817136945c6faa9ac8ab24f64205c93be51d8aca518f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0ckg5ci\z0ckg5ci.0.cs

Filesize
11KB

MD5
9e4fffd67f28203f610de333ce5a5ae6

SHA1
f26937bac2a010348ab31fa1a8bcd0119cfc5ceb

SHA256
1f2ae1057eeecc01b5bbbcc9b175775ce4b42308526261adb8ebd4dfb95694ad

SHA512
6c6328caeb390873eea4df4b9685fc0877c6265034fe885240c6b5b2bd53b976e1ab9d761bda19d25d767c877ebb2b760bab70151d3a4ee66dad89a904e1d07a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0ckg5ci\z0ckg5ci.1.cs

Filesize
5KB

MD5
8aab1997664a604aca551b20202bfd14

SHA1
279cf8f218069cbf4351518ad6df9a783ca34bc5

SHA256
029f57fa483bbcee0dd5464e0d4d89bd03032161424d0ffd1da2b3d5db15977f

SHA512
cf0efea853d7e1997dcfcc9a73668ed9a5ac01cf22cbb7082a05abc141fccc7c92a936b245666071df75389cd7ebe60dc99b3c21279173fe12888a99034a5eda

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0ckg5ci\z0ckg5ci.2.cs

Filesize
7KB

MD5
6fdae9afc1f8e77e882f1ba6b5859a4e

SHA1
33eb96f75ffe9a1c4f94388e7465b997320265a5

SHA256
a365264dd2d3388acc38b2f5c8f3c267bbf83ca463f70fbf6c8459123a7cc33d

SHA512
97bb77e8c9c7a1a46fa416a917787ddced3439f72ea35558f22fa2450fbbd11928f3442baec0b33b14576683baa6c1c6b3e1376bd7742da358c808bf07db28e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0ckg5ci\z0ckg5ci.3.cs

Filesize
8KB

MD5
6ba707982ee7e5f0ae55ce3fa5ccad17

SHA1
d094c98491058ed49861ce82701abe1f38385f18

SHA256
19af9bea270f830354af8250cd82db32fdcab6327d139e2720713fb7d43a5797

SHA512
d9cf480c32bfb806c72a2dc6fe211c4806388ccf548d55b059e633e8f814d46c80ef73eacfb02398fd3b1e75b7c44b8a1ba0b29476edbf9fe1b29322798d3cfa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0ckg5ci\z0ckg5ci.4.cs

Filesize
2KB

MD5
fae5458a5b3cee952e25d44d6eb9db85

SHA1
060d40137e9cce9f40adbb3b3763d1f020601e42

SHA256
240478bb9c522341906a0ef376e0188ce6106856a26a3ae0f7b58af07a377a06

SHA512
25f406f747518aef3a1c5c3d66e8bd474429b05ef994303c5f7bc5d3669d691d9dc21ea8f8a35e20b84f8c406bf89835f2f5007a8f743df755e67b4c380fa236

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0ckg5ci\z0ckg5ci.5.cs

Filesize
4KB

MD5
42f157ad8e79e06a142791d6e98e0365

SHA1
a05e8946e04907af3f631a7de1537d7c1bb34443

SHA256
e30402cd45589982489719678adf59b016674faa6f7a9af074601e978cc9a0ed

SHA512
e214e1cd49e677e1ed632e86e4d1680b0d04a7a0086a273422c14c28485dc549cc5b4bde13e45336f0c4b842751dfd6ef702df3524bc6570c477a4f713db09dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0ckg5ci\z0ckg5ci.6.cs

Filesize
6KB

MD5
8ec0f0e49ffe092345673ab4d9f45641

SHA1
401bd9e2894e9098504f7cc8f8d52f86c3ebe495

SHA256
93b9f783b5faed3ecfafbe20dfcf1bee3ce33f66909879cd39ae88c36acbdfac

SHA512
60363b36587a3ace9ae1dbc21ffd39f903e5f51945eebdcf0316904eee316c9d711d7a014b28977d54eef25dec13f659aab06325f761d9f3ce9baca3cb12f248

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0ckg5ci\z0ckg5ci.7.cs

Filesize
16KB

MD5
05206d577ce19c1ef8d9341b93cd5520

SHA1
1ee5c862592045912eb45f9d94376f47b5410d3d

SHA256
e2bbdc7ba4236f9c4cb829d63137fdac3a308fd5da96acea35212beafe01b877

SHA512
4648fa7ea0a35a148e9dac1f659601ebf48910ca699ed9ef8d46614c7cbe14fcf47fa30dc87af53b987934a2a56cd71fd0e58182ef36a97ed47bd84637b54855

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0ckg5ci\z0ckg5ci.8.cs

Filesize
561B

MD5
7ae06a071e39d392c21f8395ef5a9261

SHA1
007e618097c9a099c9f5c3129e5bbf1fc7deb930

SHA256
00e152629bdbf25a866f98e6fc30626d2514527beef1b76ebb85b1f5f9c83718

SHA512
5203c937597e51b97273040fe441392e0df7841f680fcca0d761ac6d47b72d02c8918614f030fbf23d8a58cb5625b702546e4c6f93e130cc5d3b41c154c42655

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0ckg5ci\z0ckg5ci.9.cs

Filesize
10KB

MD5
380d15f61b0e775054eefdce7279510d

SHA1
47285dc55dafd082edd1851eea8edc2f7a1d0157

SHA256
bef491a61351ad58cda96b73dba70027fdbe4966917e33145ba5cfa8c83bc717

SHA512
d4cbaad29d742d55926fea6b3fa1cf754c3e71736e763d9271dc983e08fce5251fa849d4ecdc1187c29f92e27adab22b8f99791e46302b5d9c2e90b832c28c28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0ckg5ci\z0ckg5ci.cmdline

Filesize
848B

MD5
2be1201dba9c3f6643269f8e8b54b895

SHA1
c70e226db218ae960830f25bb6e425d2a4a6a635

SHA256
2fd42cb832d0d168dc7df593bc6c6edd795a381669c45da282cfbd6354201af6

SHA512
dde9d3b4b9ad41d31c63a05b188b2bf6020cb05cb03f4ea28ff108b66b1b3547734128152f0e6215163b9613ebdc910ae30ab617364dbc26bff76b02893887ed

Download Submit
memory/3476-20-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/3476-12-0x0000000005E00000-0x0000000005E1E000-memory.dmp

Filesize
120KB

Download
memory/3476-24-0x0000000074D7E000-0x0000000074D7F000-memory.dmp

Filesize
4KB

Download
memory/3476-25-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/3476-26-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/3476-27-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/3476-28-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/3476-0-0x0000000074D7E000-0x0000000074D7F000-memory.dmp

Filesize
4KB

Download
memory/3476-22-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/3476-21-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/3476-29-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/3476-19-0x0000000007460000-0x0000000007468000-memory.dmp

Filesize
32KB

Download
memory/3476-18-0x00000000066D0000-0x0000000006700000-memory.dmp

Filesize
192KB

Download
memory/3476-17-0x0000000006860000-0x0000000006976000-memory.dmp

Filesize
1.1MB

Download
memory/3476-16-0x0000000006710000-0x000000000685A000-memory.dmp

Filesize
1.3MB

Download
memory/3476-23-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/3476-14-0x0000000005E80000-0x0000000005E8E000-memory.dmp

Filesize
56KB

Download
memory/3476-15-0x0000000005EA0000-0x0000000005EAE000-memory.dmp

Filesize
56KB

Download
memory/3476-13-0x0000000005E40000-0x0000000005E76000-memory.dmp

Filesize
216KB

Download
memory/3476-11-0x0000000005D80000-0x0000000005DEE000-memory.dmp

Filesize
440KB

Download
memory/3476-7-0x0000000005D10000-0x0000000005D30000-memory.dmp

Filesize
128KB

Download
memory/3476-8-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/3476-10-0x0000000005D70000-0x0000000005D84000-memory.dmp

Filesize
80KB

Download
memory/3476-9-0x0000000005D50000-0x0000000005D60000-memory.dmp

Filesize
64KB

Download
memory/3476-6-0x0000000005CF0000-0x0000000005D10000-memory.dmp

Filesize
128KB

Download
memory/3476-5-0x0000000005CC0000-0x0000000005CDC000-memory.dmp

Filesize
112KB

Download
memory/3476-4-0x0000000005C40000-0x0000000005C4A000-memory.dmp

Filesize
40KB

Download
memory/3476-3-0x0000000005B70000-0x0000000005C02000-memory.dmp

Filesize
584KB

Download
memory/3476-2-0x0000000006120000-0x00000000066C4000-memory.dmp

Filesize
5.6MB

Download
memory/3476-1-0x0000000000D60000-0x000000000109A000-memory.dmp

Filesize
3.2MB

Download