asyncrat | 8d83a0e36057dd1d65a54dea417afccf11009f0ace2738f387f8de611fb262bf

Resubmissions

08/07/2024, 04:59

240708-fmp46avhld 9

08/07/2024, 04:49

240708-ffygysvfna 10

08/07/2024, 04:34

240708-e64k8avcle 6

Analysis

max time kernel
105s
max time network
96s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
08/07/2024, 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.js
Size

80KB
MD5

2a1b218812d4f6422434d97169e514a3
SHA1

a6e870ba7b5c9f330c15f3d8a212bba3fa324dc2
SHA256

8d83a0e36057dd1d65a54dea417afccf11009f0ace2738f387f8de611fb262bf
SHA512

6ad15e153dd887a76b8b5badf7869c13887f71a486983684f0e91299cbd6a9a34f6c5b0458f7c9ecfa4d02d76f9c758b856cb0c0894d0fe8e93ef3e330fbc705
SSDEEP

1536:I60JFL5SwNiecv6Q5hNFZuSuWtWWxcIBje/6apKjpcXW+NaE3qGksAG6ZJsnfJeH:H0JFL8wk6VIBje/6apKjpcXW+NaE3qGk

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

127.0.0.1:4449

127.0.0.1:1337

127.0.0.1:60723

147.185.221.18:4449

147.185.221.18:1337

147.185.221.18:60723

Mutex

gqjnxiopseukzyk

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133648878244409710"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-299327586-1226193722-3477828593-1000\{FA768120-6306-440B-8745-A2C3D0A500FE}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-299327586-1226193722-3477828593-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Loader.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3472	chrome.exe
3472	chrome.exe
952	msedge.exe
952	msedge.exe
5060	msedge.exe
5060	msedge.exe
1344	msedge.exe
1344	msedge.exe
5396	msedge.exe
5396	msedge.exe
1344	msedge.exe
1344	msedge.exe
6084	identity_helper.exe
6084	identity_helper.exe
5176	msedge.exe
5176	msedge.exe
5616	msedge.exe
5616	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe

Suspicious use of SendNotifyMessage 60 IoCs

pid	Process
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 124	4484	chrome.exe	85
PID 4484 wrote to memory of 124	4484	chrome.exe	85
PID 3472 wrote to memory of 1156	3472	chrome.exe	87
PID 3472 wrote to memory of 1156	3472	chrome.exe	87
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 3472 wrote to memory of 1764	3472	chrome.exe	88
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89
PID 4484 wrote to memory of 3196	4484	chrome.exe	89

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js
1⤵
PID:4624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdeb4bab58,0x7ffdeb4bab68,0x7ffdeb4bab78
  2⤵
  PID:124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1796,i,15771415275430671304,6594726609574601316,131072 /prefetch:2
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1796,i,15771415275430671304,6594726609574601316,131072 /prefetch:8
  2⤵
  PID:3912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdeb4bab58,0x7ffdeb4bab68,0x7ffdeb4bab78
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1820,i,4816782595666490915,4019488237752730761,131072 /prefetch:2
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1820,i,4816782595666490915,4019488237752730761,131072 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1820,i,4816782595666490915,4019488237752730761,131072 /prefetch:8
  2⤵
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1820,i,4816782595666490915,4019488237752730761,131072 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1820,i,4816782595666490915,4019488237752730761,131072 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4264 --field-trial-handle=1820,i,4816782595666490915,4019488237752730761,131072 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1820,i,4816782595666490915,4019488237752730761,131072 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4784 --field-trial-handle=1820,i,4816782595666490915,4019488237752730761,131072 /prefetch:8
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 --field-trial-handle=1820,i,4816782595666490915,4019488237752730761,131072 /prefetch:8
  2⤵
  PID:1420

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffde8ed3cb8,0x7ffde8ed3cc8,0x7ffde8ed3cd8
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1776,5120577719464882109,13224745491152671881,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1848 /prefetch:2
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1776,5120577719464882109,13224745491152671881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x110,0x114,0x118,0xec,0x11c,0x7ffde8ed3cb8,0x7ffde8ed3cc8,0x7ffde8ed3cd8
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,11167742197574217884,10070804449790559981,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,11167742197574217884,10070804449790559981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,11167742197574217884,10070804449790559981,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2492 /prefetch:8
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,11167742197574217884,10070804449790559981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,11167742197574217884,10070804449790559981,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,11167742197574217884,10070804449790559981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,11167742197574217884,10070804449790559981,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:6072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,11167742197574217884,10070804449790559981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:6080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,11167742197574217884,10070804449790559981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,11167742197574217884,10070804449790559981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,11167742197574217884,10070804449790559981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1840,11167742197574217884,10070804449790559981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,11167742197574217884,10070804449790559981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,11167742197574217884,10070804449790559981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:6028
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,11167742197574217884,10070804449790559981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6480 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1840,11167742197574217884,10070804449790559981,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3508 /prefetch:8
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1840,11167742197574217884,10070804449790559981,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6496 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,11167742197574217884,10070804449790559981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,11167742197574217884,10070804449790559981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,11167742197574217884,10070804449790559981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1840,11167742197574217884,10070804449790559981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffde8ed3cb8,0x7ffde8ed3cc8,0x7ffde8ed3cd8
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,9353061638684059528,16466211985493542330,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,9353061638684059528,16466211985493542330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3348

C:\Users\Admin\Downloads\Loader\Loader\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\Loader\Loader\SolaraBootstrapper.exe"
1⤵
PID:5632

C:\Users\Admin\Downloads\Loader\Loader\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\Loader\Loader\SolaraBootstrapper.exe"
1⤵
PID:3432

C:\Users\Admin\Downloads\Loader\Loader\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\Loader\Loader\SolaraBootstrapper.exe"
1⤵
PID:5296

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Loader\Loader\Enjoy!.txt
1⤵
PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ccf0c873a03cfd35e9623affd395bc1a

SHA1
2ce3bf03152d68820fc41f6481faf85c89fc89ce

SHA256
5fb8324d5936093ba063662c4d02d5aba3d65c6dd5766fbcb3305ef4e85236db

SHA512
b964fa10cdd2ba7b2d4cf39f1d50b1d5a4e4cc9c9eb913fd153e186a2ab5e55f1b4598257e9884b886055abb8659e17f7b899e93c09c064d6fb70961d007869c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f67e0c1c7354d9fd27a748c4ceebf18f

SHA1
61c40f36b2f2b26b6f170a811bed2d722a336b68

SHA256
a67cbfda7baee8276bb3460ac4db5b612ef35f34db2271c8a6f20f0348ba3e11

SHA512
efa60ef02250ecc53985516c79e0cd5861e6a01f3d2336b3d96017ab8ce58c069cf449f7f2428dea6fe36022810b11d400f402095c2cafbb343fb800a38bcacb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c46674aa96db69b19bcfbc41e75ab672

SHA1
2291f734af35a9bade45e69246920ea1f7ce1986

SHA256
e3a163e5dd524c2edcfbff6c9483f0ba1f1d9cd09d3b452cef274eeefe72a7f6

SHA512
97515d2fdb55480e07cfc8dcda04bbe2247ff07d05692602b82550917d29128636d8c20196c472ad018691c25f4ae6bc4f8ab8f53ab5b41dd47cd4a1a89cdaac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
52c8c0eb438bcee9eab0f71082d56f6d

SHA1
782f57b682cc191cc804ab1bc012d5e48d00205d

SHA256
ee67737c27642ae332911664063db5aa637966bc72ca29baecd4151ef5c34e4a

SHA512
08ea12f58d059790aa1ef1030ebd653c32a6e94c7feca7266e5d38138c1558227443e47f0109076fd108f4b897e8a859f04eacc4f33e5caeaa4624b43dfd7499

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
16e023cc5cc2d9c6fc5ea1a4fabd12a0

SHA1
0dff2ef6942034d00e1b926e852c201bfdfeebf1

SHA256
cdcb6b199c0aa63551ad87746bf5be39fc1e9ae5c225745411959d717e84a47a

SHA512
2a1581222a01a37a1a1ec5ee5936c015282f2052210074d25ea401e487a904f854eeaf205ff3260bc9e51a03788442183cc160b449a023e13598b1620f3f9ce3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
f2b6844d27b78c8e7cbf192d0cc329ac

SHA1
a1acaf7e6eec093beeec4930cda0404491e0b349

SHA256
c05e98266a722fefb2e053645e48e3efbd73a0e353a813d56be6be4604dda9ad

SHA512
61c2b6b7174d43e78c4ce9e1eff2c5d42b1a4da136e32664bfd97afd307551dd10deab7cf325a22c1e1d695a75abdad63c468c2fddc68e12fcac23e3f83bb440

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
fad6568cb5d765e4b62a445246f7b1fc

SHA1
996609415dc2c701136aaabd6bc2cdc80b85649c

SHA256
5810aafc77101af703c105a7235b276c0cf33e8f35683dba5c49a8fb5f8261c4

SHA512
90aa5d1a6df9c93d1a7df73f9e6475b7020d36206ca3ff7f0f16d10a4c23b86818561942a069bcc9dc6100bab7604c42236dc3771a5d8dcaa4216736453ebbd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
55812db15cc560df7a550a35c89a5130

SHA1
51bc8e124b40f1515900f40e597483382d19aa65

SHA256
f369200e69744355ba1b4516d86857cf84479445938b4d3c61128de8d6d7b878

SHA512
c9df2b9350601eda7b35f6e50ceda03e31cdbcd1ae2dba8eda433da0ae4aab3655fc0d2e044fc9b48b816dc51ea8c3c303ba7d72cced6ad727350e27c2e078f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
c5620089a99753557be402eec18935f7

SHA1
baa6c62c90b9327c1da7ecf654b43d78f407f8b8

SHA256
0b096e26d4d73f94ad021ede6dbf8f270939a559e3180e4b1739c3e5f2aeafde

SHA512
fcfd28cc2f4cc09d064b4b969bd79a818f41abbb2ae49465edf8c10a45537614168e559624b64b6b6f2a7a4fd0e51a86100a7ce9b2608a75dd89249ac9399e07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
f732dbed9289177d15e236d0f8f2ddd3

SHA1
53f822af51b014bc3d4b575865d9c3ef0e4debde

SHA256
2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93

SHA512
b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
85B

MD5
bc6142469cd7dadf107be9ad87ea4753

SHA1
72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c

SHA256
b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557

SHA512
47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7ac791b98b7f83120520dcd95e82799d

SHA1
75963fa3b9b307ba75e2428d877bca599c05e60b

SHA256
9dfd6df7c97d71ded9642e2b8320566d9342e83ff9a621f9f6730bb62f6a592c

SHA512
d291dec9d39eddfd71edbe001df0b6749db9780bfd8733cce0fb3d1f5526ae7d3f40d926e6e0d3a137315d73467ade05e208e46ab1231374c85a9ac674dbba2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b03d35a1e3ffb7a9f63b3f24a32b8e85

SHA1
878b3c3c4877e1f132819392c12b7de69e1a500a

SHA256
832cc8b01bdcc3a2edda654aed8b35bd35b4b308f2843187157e805c61c90435

SHA512
fe947eea87acd7d8052bf802f5e1e0105379f07f84160ac51b7771c9d03ae0822b5d56e2ef09b13f0a16b53071df3001f4fe4f255307096477d3db2c9671ee23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8db5917f9989b14874593acc38addada

SHA1
e2f1f19709d00cef4c7b8e1bca9a82855380a888

SHA256
69518d96a22b831de7923bc73ef0ce86cd8394befe8e1c20bf4f95285a15cc63

SHA512
39a70a4207338e819b5dd8dcb5b2b4edaa136a27d51edadac3f76f7de224c54753173a13a55667129f0310b3bbc9f258da0a5b9a7f8b7be6c3c45b64a04e40a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a5d2b1105665313e0d0d4345ab3a6455

SHA1
885922f40fd7fa06b97735fd28a11c15f3b6fd9d

SHA256
ad48e26d2baa8f86a9e34d7842ec52affb6b93cfd37c31c152c7605fcdc8f02a

SHA512
2764977f6d227dde4944c4ef9bc95397d15b1493e341203094557a8b4a461d58f9bbc142d0b0dbf52f9aef1dfdc26a2093b71cc4a092ae71ca14486834e70a3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2837f3e54423d0b75c69cf7f2d5cde7e

SHA1
8f77d29b450a1e8f93a9970dc6861e0dc8968461

SHA256
90a4262eb06b74a1972e73a1a44536171bd31ac0859d8a1ba4706f10444fd05e

SHA512
ef746ea3042ef3edf35efde5620e7b5acc665ca5b67de77c98a38d6fff96f4754584ed17b831e9d244d78842e62f48fbcb3122e4fde2e124e23ea03992f0bc69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2f84e9c724b4e164de33fba898bd858e

SHA1
e115fe5b795526cbcf1e9ef66d6b0f6c72a94a72

SHA256
86e82c575434c13df405ab6bfcb061aff182d80b941dab1729964bd47c9fc1be

SHA512
ef0030252d4b2f7af95cbf6896b31047eeec774fbf4fdbf697290b3ae71800045fb28598c466378affeebb174e4dbbc750522ebcdb099649818680760f936c1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
240f155c02916f13e5d09be3645f0268

SHA1
1e3ac383107195069048e69b43f3d0ce5a51a8a3

SHA256
d97aa7f5be5f20337e6c249e673c750368c10035815f088c610e21d403618a79

SHA512
f394b115d3455c10d8d01165bed1819e4206bf1151122fb637519308468c04ebaa5469f5fd00d509cce99a9ca5fc55686f4bf10af6716d79364f4e1e3d364743

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e634132b9b9f2ddb424ac7bc5d65998d

SHA1
61a2a0828a0694802a1da75418c65b74fa25c7fa

SHA256
08a8578f95813c2fd406b7a533bf439ab59dad52228afc451ad1a1d535fa2c8f

SHA512
5290a4b2fdb4a2a4e5ed658e48af984c4e66f61f44581d601320a17386e197eb4f104cf5abeb64c993e730d487553b6e0f9a3b81d43ee8e0f088db02e72047dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
772d5d6605d1cba4d2e87d063ed54f1a

SHA1
cbe59a8d047f145031d2e8b2983de9e9118d88a3

SHA256
82784062b62bc7f6759ea68a97f1728f2efa3fd67217fe7709e727077c6bd406

SHA512
f5e1267c0833df7abb163211306be0bf485c7d474fe0c2b45b8e0fcdf0646309c3e840b61f29c7208212039b14f6fedbd21c331f95fe903e18d315996b2a8f2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
17cc6a2281dc6569d8a254e1b71f5695

SHA1
4182b79fa4bcddc7acba365f6cee734169fe9d36

SHA256
b7a7b05d6f740a31c7b708ca9885a53ba2f108c1c812a47e55ac3c20b6f5b9ec

SHA512
370a14c19493a341932a50f52a7270a592961a836cbad48e735d1f505858f7f6595a605fb2d4442cd08e152a2dc8a64d30b50c60eb8cdd98ea6a408ceb477bdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6a72474ad0018a2b4aa9955be7eeb934

SHA1
8b6fdae421b2e662b12976c098aa15ab962a5f22

SHA256
ee6e4cacd94ec5907bc18a71e03b6d6a62cac89dc5755acd0aa769e5bb9f13b3

SHA512
7c05df56c77799cdd32fef3b5245480844c903845566e1daf766a7cea6db5be838f7af3bb43a080de1ebe234543a0f98f697e1c218556f927cd80a3791c2b878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
d3c6c73ecadfaf350f63bf06c8d1812e

SHA1
594d845adf7528ca9b843eb4be850be9edcd5a89

SHA256
4a127e71993365b32a247246d48bf02dfb53381b0c01477fe40a202b8dabecf6

SHA512
cf6d965f8fedf48f47ef1f5466af0b5c3e783784fb0947b9bd0d4c5d02fbc53d2c58768737370595731e20ac96dadddccf4ecf71c412f7794ced35bba42b949e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ad5d5a06e924dd7141ac713150e818f6

SHA1
8208e6778af116ad6c5df52c00b5c663f3dc3f38

SHA256
f92d4a8055eabf930b460eea63c52a738c998b2ca14d08a58356a9cecc10b1bc

SHA512
7d869e55953cffedeac1886e4d60adb573899c886ca31ee0417251d7123173426ecb330bf593d7e96deac5fe46e15ca370c81aa45a97bc8d004280489a1ddee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
6619e14dbf990255280babaf9cb1759d

SHA1
3d9d71b6da77949aeadd074b17404fe2196b4837

SHA256
d7bcf1e8150d76f764485ba480b8b5a95ec0dfe018e728eeb59f713c8cee5e9a

SHA512
b186c4033f90628b17f8814c31b9ebde8fd45b7a7c199eeec6a6ba019f6279209267a846292586a08ada8209e6f5b112df3eee22511ff22d02cd664d94275104

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2c923d1c4b9ccd9fe2d44b95706f9a20

SHA1
39ac659b1cb29c46da1bc7aa247fae17ba910b54

SHA256
69521e825e83c0c08a4bc8ee3e5f849fe5242b02b804e43274c1635b0de8613b

SHA512
c07a6b068838e7caf6f527935a9a542e45eebfc28dd44a79d8b97d50084e17e82b6769cb1ac31d9e82c6bdd1335c950fb1ca04dd8e0878254f9a667e1605ccaf

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\Downloads\Loader.zip

Filesize
35KB

MD5
7b7a5abd3bb19abd6df2ab168bda3a4c

SHA1
ab82c5e6643b3785a89b3f3e2641f13f25153a17

SHA256
14811e984ef898c52423015fde06bd527028c370308d007aa2300722c6f466c8

SHA512
985e54ad4bd9117fbf2f48b753cda07b6c4ed97a824e9d2e2fd80059a134f19bc01fcae0b0c091e0f9c384779dc0cb457f3ebb496aabd56503d2781bf69fda92

Download Submit
C:\Users\Admin\Downloads\Loader.zip:Zone.Identifier

Filesize
98B

MD5
27b93c1ef57fe4136cd638a0c2e0be20

SHA1
3b750b1935306493e04b4c26d41da312183c9b6b

SHA256
c1506264a71590873a4b292df546091d660c30deb6868e857f5a92adf4f4fecb

SHA512
96c155937685b4a031f7f10b8b6f546317b6616db45eee3fe3995b8692b3ec6d1de578cef0bf8d904d92a99c55c47d96c72d30409bef766394142b993d36432e

Download Submit
memory/5632-419-0x0000000000E10000-0x0000000000E28000-memory.dmp

Filesize
96KB

Download