discordrat | c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

Analysis

max time kernel
1049s
max time network
1036s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
15-08-2024 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

builder.exe
Size

10KB
MD5

4f04f0e1ff050abf6f1696be1e8bb039
SHA1

bebf3088fff4595bfb53aea6af11741946bbd9ce
SHA256

ded51c306ee7e59fa15c42798c80f988f6310ea77ab77de3d12dc01233757cfa
SHA512

94713824b81de323e368fde18679ef8b8f2883378bffd2b7bd2b4e4bd5d48b35c6e71c9f8e9b058ba497db1bd0781807e5b7cecfd540dad611da0986c72b9f12
SSDEEP

96:IJXYAuB2glBLgyOk3LxdjP2rm549JSTuwUYXzP+B1izXTa/HFpff3LG+tzNt:IJXDk7LI4uwtDPC1ijCHffSs

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI3MzA1MTEwNzEyMzI2OTczNQ.G7UQQo.CWRWd5HJJ8bVumSGiyWc2pDdjavw4VinikkJMg
server_id
1273454211354464348

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
152	drive.google.com
150	drive.google.com
151	drive.google.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	SearchProtocolHost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	SearchIndexer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000132accb3b4eeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS\UserChoice\Hash = "lZ6kntFjxLA="	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice\Hash = "3ef+CkUa5Ss="	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice\ProgId = "AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice\Hash = "3Y6A/HKi/hs="	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice\Hash = "rqSUVEvnPhM="	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.dib = "1"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ccb7c42bb4eeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTS\UserChoice\Hash = "2UC3TJeSPhQ="	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002daf3e26b4eeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice\ProgId = "AppX6eg8h5sxqq90pv53845wmnbewywdqq5h"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e4bdf26b4eeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a79c725b4eeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.wmv = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice\ProgId = "AppX6eg8h5sxqq90pv53845wmnbewywdqq5h"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.wm = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000434ee0b3b4eeda01	SearchProtocolHost.exe

Modifies registry class 29 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 000000000200000001000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\NodeSlot = "10"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = 50003100000000008458446a10004c6f63616c003c0009000400efbe84580b628458446a2e000000b2520100000001000000000000000000000000000000e40d2a014c006f00630061006c00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 01000000030000000200000000000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 560031000000000084580b6212004170704461746100400009000400efbe84580b6284580b622e0000009f5201000000010000000000000000000000000000004dcb23014100700070004400610074006100000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 = 4e003100000000000f59e30c100054656d7000003a0009000400efbe84580b620f59e30c2e000000b3520100000001000000000000000000000000000000e8630800540065006d007000000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4720	explorer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
4568	chrome.exe
4568	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4720	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeCreatePagefilePrivilege	1832	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
4720	explorer.exe
4720	explorer.exe
1832	chrome.exe
1832	chrome.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
4720	explorer.exe
4720	explorer.exe
1832	chrome.exe
1832	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4720	explorer.exe
4720	explorer.exe
4720	explorer.exe
4720	explorer.exe
4720	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 5064	1832	chrome.exe	75
PID 1832 wrote to memory of 5064	1832	chrome.exe	75
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 4488	1832	chrome.exe	77
PID 1832 wrote to memory of 2136	1832	chrome.exe	78
PID 1832 wrote to memory of 2136	1832	chrome.exe	78
PID 1832 wrote to memory of 4936	1832	chrome.exe	79
PID 1832 wrote to memory of 4936	1832	chrome.exe	79
PID 1832 wrote to memory of 4936	1832	chrome.exe	79
PID 1832 wrote to memory of 4936	1832	chrome.exe	79
PID 1832 wrote to memory of 4936	1832	chrome.exe	79
PID 1832 wrote to memory of 4936	1832	chrome.exe	79
PID 1832 wrote to memory of 4936	1832	chrome.exe	79
PID 1832 wrote to memory of 4936	1832	chrome.exe	79
PID 1832 wrote to memory of 4936	1832	chrome.exe	79
PID 1832 wrote to memory of 4936	1832	chrome.exe	79
PID 1832 wrote to memory of 4936	1832	chrome.exe	79
PID 1832 wrote to memory of 4936	1832	chrome.exe	79
PID 1832 wrote to memory of 4936	1832	chrome.exe	79
PID 1832 wrote to memory of 4936	1832	chrome.exe	79
PID 1832 wrote to memory of 4936	1832	chrome.exe	79
PID 1832 wrote to memory of 4936	1832	chrome.exe	79
PID 1832 wrote to memory of 4936	1832	chrome.exe	79
PID 1832 wrote to memory of 4936	1832	chrome.exe	79
PID 1832 wrote to memory of 4936	1832	chrome.exe	79
PID 1832 wrote to memory of 4936	1832	chrome.exe	79
PID 1832 wrote to memory of 4936	1832	chrome.exe	79
PID 1832 wrote to memory of 4936	1832	chrome.exe	79

C:\Users\Admin\AppData\Local\Temp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffecc329758,0x7ffecc329768,0x7ffecc329778
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1548 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:2
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1812 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:8
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2860 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2884 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4000 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:8
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:8
  2⤵
  PID:3452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:8
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:8
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:8
  2⤵
  PID:3572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2496 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3784 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3452 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4788 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2468 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3392 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5180 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4116 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=2452 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3076 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=1640 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:8
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5244 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4112 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:8
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:8
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5544 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:1
  2⤵
  PID:596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 --field-trial-handle=1880,i,13396099387374908353,9184216048989717050,131072 /prefetch:8
  2⤵
  PID:3676

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3592

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2324

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Drops file in Windows directory
PID:4580
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1004
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 688 692 700 8192 696
  2⤵
  - Modifies data under HKEY_USERS
  PID:4304
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2200
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 688 692 700 8192 696
  2⤵
  PID:4836

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" "C:\Users\Admin\AppData\Local\Temp"
1⤵
PID:4392

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000087

Filesize
51KB

MD5
f61f0d4d0f968d5bba39a84c76277e1a

SHA1
aa3693ea140eca418b4b2a30f6a68f6f43b4beb2

SHA256
57147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc

SHA512
6c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000091

Filesize
110KB

MD5
c4c3b31fb8ed06e405e2eabfee6f0ca0

SHA1
b27d7a2473a56120d70d0f57fbb17435d6835529

SHA256
beaa2dc0346767d734f891e7c794c823bb768f2d719d96f6a2ea947a0af565c2

SHA512
53b1de893a6c3364896c739e84903311a6380921345928b243b3556be16670cc3c2de3781183f82429a7be412b4491be57581bfb40334d3b0381972c5e650393

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_0000a3

Filesize
34KB

MD5
25458776d1fea661dfefc10f1d7aaf75

SHA1
606fa4b7c55a0358991dd9fcec9871f3b0748968

SHA256
15165f76ef78ddac51886d11f30c6c989435d26b9c9f6eed50f25b5c22aa6f75

SHA512
955cba389bdfff6f487c1c1502db6c07a319cef3c962a513643633451cce33586fdc0c94d7c867926306afc2961fb26a9788be9a383dcfb0355f6ef554b2153b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
f0e6520909c1ac585c30e18eaa9c1bbc

SHA1
13efb4f922f3356c681ba7d888f76c360789d580

SHA256
919ed44310140a818fe757bb5bf1a357b44a85490ae6e18bdfab3ed1cba8facf

SHA512
4971d1485aed77fc796fa647b0fd83b453ef5651bd00453595e6ab04a3a8ba275b20eb9b9ce47a1e56082b4ee39d389aef4972cfbf1311c76789cb7ff65d5271

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
47d8a9b144c04288f574a50fb725549a

SHA1
404581ac2f9b41ecdcfd3e1e07855b68fc7f03a2

SHA256
7b9ebbdd12b265b44050c38f3858b6f097b07b71ef2021652ee59f13421e710a

SHA512
069d5aa1b281561600cc9348614145e9c897dbfaf8cc5c6fa8599b1366a6b01928bfdb2836fcbbd662ea9c4f168f05ea4af77b0531551784fa5a7de8d6e1fe6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
099136610052fc3f7f34500c0ddd7aeb

SHA1
b115fcc423bbbe7fd8edb38c373b219e433a541f

SHA256
595d5bc5ba93317e4c0d37fab639a6189f5f90954a834de7370df05763b1a367

SHA512
3099fe536f244a94818675ee69119e07100cfe06711cdbae01b8154e0c27d63216ec7b5e93531c19f3b7c0099979ae39983b1f899c0c3ad4e3c86f400862b3e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_docs.google.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\769cb506-6447-461b-a9ae-20617feb8567.tmp

Filesize
8KB

MD5
bbfae61778bb805b83dc5aa5ddcce185

SHA1
5be28e83cb04566aadef3a711a22566dca03498c

SHA256
1da4a7224fd3c9cae593469c14eff09f742cff38c3d59add3bc1660f51f80eb4

SHA512
4b08bf7ce9182bce5845854ea2d5d32507cf9e5bbb2b6d0277673c51a92343c484965bb6ab5de4643e7fc7be9023189011035b4c0f2cf5b35a65ae435f831aa4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
cf1b87ccdd738abcd33839c3334e349e

SHA1
f922abd957708ca62303aa508ed34b78ab67f3eb

SHA256
b2e6e5c31cf29a59d29753f3da2103e8dd01c01b6586ca58b350e0a928715b65

SHA512
285214aeb6937a191ba541bf4ccc04c46b1590d9fb5cc4cc81689be3a14dc294d107a86e48b1e4cf8e54f329e5f294a575307cecbd78871527d1ba298756a8dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
944B

MD5
04c357cbc73a76ba8f2b78e1d621712d

SHA1
0d17660d44f943d18074e850e9cdef12a31b90c3

SHA256
604063155e9c793456ade078a044146301e6bdcfb23f45636722ebf56b5eec4a

SHA512
5e009a083efff8dbd6bcfc8ee814fe9aaddbe951c531107a3c46e2d5fe16e6343d62967f4ba8d73165afec45d4ad882a601612dda2867507b340f7ce33f23d22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
a38caf547546ae4909ccefe2ace9b8fa

SHA1
13d502c5e4843938428aad063cafb735e86c59a7

SHA256
ede2130ef5c449e8c9dd1c978b98c6d4dac5b61e480b092a6d76399a26ff9733

SHA512
8df743066a870006d63224db2955e905573eb84a55eab8e574c35af23f31b700217db57eefdd6c0773595860a9ac751d58975f420a2b40b0affe57c29db6917d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
df8c2b5d5270bdb81c534e34dfbcf7ca

SHA1
870a9eac11d1e01c46c5cfc33c8d9cc5ec6e0d42

SHA256
014e83f7a82624253ffa3737a32e6eb80d865e5b8a077773afeecc5c4b065d05

SHA512
46a03924df421830a7e0e4eb48260ecb8808bef3110ef3bcb071cd95f5e814b2a36201d306e93cfc0cf570ca1d0b4085097cddae141627a3c0b28b698e439484

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
161eb8e736742e040a9268a90b70a6ad

SHA1
5450d00e5e18a44630146c35156a62023663f113

SHA256
8439293155cede9a6671f9b0a15f1851a37ba3ea6487dbc7c719bf4ff922a261

SHA512
178d2e030125f247e3b0c80d81ec34435b0751d503164acae4bed6581e49109ba86a122c7c8c9189739de926b4eef99027531b64bbc163b784d52a9984e028a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
4ee6bbc9c33f9641ade7ba1e3d3848bb

SHA1
e206997186189dc73bb44fa66e6c871a0f40c9ee

SHA256
1424ebf029b1fffb0299dcb9f41b38a3ec074e91c38c948b784a3c39d2975b25

SHA512
242cb8dd4dd21d54709cf00c460ce597ce5c89a5ad3ddb5b5a5d618003cd8a5149b828c2122aa7a25a005e5138e3d70e81cbcde96fc7314ba4071152591e29be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
480bb0d50ba2d9a99cd27a0c254ed28e

SHA1
aaa3a507df9c7175b84f3177d8ba4ef34a44a037

SHA256
624f276cc181e30c97ec4bfdcc0fb3c6c0709651db5b4f0f331b600a4a26bc15

SHA512
60099551be08685e6b87f8a369a2e2f907a3dfd73f42beb1127202ff10e6925829a1ea03ede2899f41983b8f6b227a6020f0525c3833aa56d5007ffa28ccf441

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
982f4f0453b9c4aee4f2e14c70abcbb5

SHA1
1f13841bd438332fc16035eeef802a1788b94cb9

SHA256
bf21629ff60a79e574e0416803330f4f8267e0e9115ad2c0cbcb33a9f85887cf

SHA512
0a2df263379931645de8306ae2f30981f0dbff81b4f53dde8fbb30cf9d0135d21fa61902392657d25b2a6446391104640a36b93437785b2856588b481bc59d3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ff38661963ec82e7ff8b1146abe9e26d

SHA1
d9709077ae9359b10f911b314492498f90b4a68c

SHA256
6cbae834c1080c00fcde4a5b8613b36be64df96c227e2081314962fe55e858a1

SHA512
d55324ca474ee2654ec8ac01e11b7b69582c137f934c17c5ba95c33da3a64dbd50b4a2437530c3f5dde723416080346c8aa564a9543797927fcc9a2085a251a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
e0a00d144e5a31579fdbfd95ca5f224f

SHA1
acc3b001dbdc58df1e3956f2aa23b27ab8efd2b9

SHA256
41e3935cd0183f235a471487a5fad399daf307bed7f13b0361807725f30322cd

SHA512
4fe726441c40b4c0cbb6644feaa03c112c56b7f078b334e4daacbdf327eda2c1633b76f58145c0419f2c963766e786435d9efaf18db0862693678329cf01fc60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
bacad6acf01125aa7cc453a635820032

SHA1
60568a11b2d985c2151257c0c38d1c1bb5804147

SHA256
b3c6d669624e7dd5770806f63a930228214e0fbc483680ea3b53b4bf26bb1d13

SHA512
4526ed6308171639bad1ba6f0c821d9f6d8316f7772a9e884fc5e18a86394237839746202d5b8691224b8d8c2d02723ad705c6190d7975e8d8fb4eeab3d73018

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
53f1f0a59473d7892cdd500a4ef8860a

SHA1
426452281f10e95810ccef7882acd690d1345594

SHA256
af95a2cf98d05d0b2e7894f1102065a31e33cb72a735c806fb57b3d6e15c95e4

SHA512
5ac1fdff5de858cb1eae7c4513896657eb46b9b74c63d3cbe38c1b177fa7629276146265f875c643fd4fb79f81eb318c692121504b60a12f7e2b12bb1b7a270e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
9f6e63bee098426a470c8b6e15d5693f

SHA1
95beda08ecdef7c5894c727bc05801fe5079144d

SHA256
5425b6a29bf4d9a5cafc520ce8cb6a295e7610c3fb81e356b3376122ef0f83dc

SHA512
5586cf90aff6783ba2215da4d006c25fc4b84e48f84505c97c79051a9090d0b0284a4f01e6bc1feb65ce68c976b57a88f7543ad6bd578f5d4da4a7974e032d08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
3a2f31dda185e013367d16f7c64e9a2e

SHA1
9662b953afa06cded52a7b7d89eb0cf31e6b3bbc

SHA256
4f926bf9e643f84293f70e2eac4748c0de7006176d0906d927cea74bf180bf1b

SHA512
1298f2e33ec4d9a12417f76742282c7c909cf95318f2cad03162df9fe3cf361c8feb5692ea8eea70d55605853ddae7d27d8529bc33c330173301d0061807a7f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
5da2617c55f6f5d1d71dd5727feaeef3

SHA1
ec43dd5e064fff5c92b1a631cb18e46f35474de9

SHA256
19729fa84918166f8da8c31f81824b55d38c7b6b628d1a6cfb0b0df70a428a5e

SHA512
d70ee4148637ac7012afbfe3a6b2efa3ffd6188552a49f9ea2c7995d443a110b27486b6f053290460401d5c275223714fc6f3b7e297d163f58402d4a4a943370

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
8ff4e393774a141758af696c8c77c8f7

SHA1
ccdc372536f3a371344a1f27259155fa4352294e

SHA256
acf7c515b29293d341f918d384343c19af3d4927f7e87b592f8754634258aa16

SHA512
5cbec483d692cf0d8371afd65586909002d172e4c181504d47b9a11a56e77b514a22316c14d13b77fab78f460ec198628caa842003a6032dd4e4654c07931873

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
c895c6869fbd0e3264c1b40bb7486381

SHA1
cd10ae3bbebfd2849f24aa71848a0ea5606117c6

SHA256
72186c412f323a49b1ae2c2a392293115f40f975fbdf302b48df6d14483412f8

SHA512
ba4f02f17d3a58f4b78dfb199adbbaeef852fb72595f853a2f8b38efdb59bb9f03b603749dc2d13cb6802cd457a79f8d649dbd7fe88a9f7dcf8cd1c3e2888471

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
797c940744c22575e4eece3305d4ed9d

SHA1
22445326939dc11dc37d76868b6ae162b8e925cb

SHA256
416ca853b38b32cdd51f61ab8ff3aa3eb9fcfc5fc17d7d617ca9b0e9f8f3085a

SHA512
e52908972ef08220bc5fe76271aa833b57d072e91e48ea3d8140608da800fe3ffb85e94b0afebb0eb8c4f091419e6640ac980ab43e36110c52080348f9337c48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
3e673b31245f79fbe237694cc37b9592

SHA1
90a6a8c354eac97ab19382efbbb262b64cd11002

SHA256
9ec02e6c5e7516660fe5afd5878fc8ce3e9ec776428fd40426796b1121cf3372

SHA512
b8b845ba34ba1d3ee4f80b682db6caa81701af11304ff20f65662b356eee9db89cfbf9e94181c5ed7f0b0cbbdeb8ae9d4e3c56d70eea089e14e7cfc2bb624a15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
e723b9e67e1bbbc7383c2b1c3b9a803b

SHA1
ba83ea45bd053ab94f18d590ac1bafd987f75d9f

SHA256
0799ff1e726b09358475b9f83497842aa6991b6a67493e3bd7ee503abbf16c11

SHA512
b4afa7fadc620c69f67d30deb2f222df5318af300e3b5fe8eaff3b6496b03cea8cbea5e7c617183b0d56f4eed786aa784b359ebb6826dc96bd395c6fc08eeb85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
3cffb96b5267e11f367e1ba99bb42de5

SHA1
c211d9cd10ab6618f11b6c6f019c9cbf8f77372e

SHA256
cf2a38fb2ad3bb7695ae9656ed9ea0b1f83dbab4af4746cb0d82b0c11a1836a4

SHA512
663f9a30ce9314a0d94fe65efd4b78b7e17c35eb49beebd7e0de46c8e08112dde1c1a61cc8786f917812cc9413c39d9bad5114e65acbde85eb7fb730f416ebbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
a8a2b8541f7d95eb0e727dcfe815f7fe

SHA1
4c5a7cc6509f66654bdf53f16881a7c30cc04d77

SHA256
53051014330f953398c7b3b0b7776ebeea25f3675d5067e12b52a7a4228dba91

SHA512
027b2aef84fcafa73f4a61f883f835a6d24d2a3925db6c183b50b711c85eefe800f6c7c25d34d9249d4c6c9c84ecfaff80ca2fdebf791c82184528873f690c4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
b7897095593a49a4c7307d51d5ddc9e2

SHA1
fad734b6eaf65e6e6eada9613545ae9d01a7a5a2

SHA256
cb7862e1770583b59993bf1e13734aa4e465f253bde184b461b8bda2a2111df9

SHA512
43ebda27b6280247899988e7c37078d0745c50a69ccf35e807cc5541ac77da9f375a8c263c4459261912bed95874596931135898b8286536c05fabf83c40853e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
fb757f01740baf51248b1d6a971d7b8b

SHA1
2f81ca99905550d24fedfe4574f7f81a4caf1248

SHA256
b9a0eb069d98579fcf3c305be08397edc5c2bb967e316773a1cdbf360ede1688

SHA512
c7b4dd75b9bdc55f75dcfb562f64c13b9b149f7e8fa13c339405ba74c44164ceefdd28a9349396b79ed18589129934a227565248eedd06bf55cfa664122d3a23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
68c5975c2fdc40d053fd7485ce257518

SHA1
bb1975430b80f31782db93978998c73860d9a3dd

SHA256
63869c05778f3b7bec7b65db30ec1593dfcf676e5d3307b6f281a90d4e099237

SHA512
55c9129188a3c99e9fc679ad56c3a734b55db3ea8c52dc5b385fb12432ebbca6f75ab6efc39c44e90ddddbfd579f0f0736b2021f0214b65e8b5896c4184d7929

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
1c41bca4c4ab61ff036b57576abfd39d

SHA1
670e2b3637ae936a3eb6fc99b629ea5b49cb5cf3

SHA256
edfc7acee116ea7ecc45cf3d3f43128b652fb0bca6591272fd5c9f38894636d3

SHA512
4d0c553b5c18a202e986631512df8f4815be2eeffcbccf79e968baa6c8795a2edb26e179d60dff1283bd5c2c78325be5e71be801deff25886ae832d142a8f4ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a86b122b78135152b31a068ec8174fec

SHA1
f6b79744ae973174d010b4fe3dd2a43b0662a346

SHA256
3c6bafba001ced4daa660388025b1c8c7f69aa28c67ed4a9d9e3077306bb28cf

SHA512
b85c8a6baa446cc7a4ef5ba3e754212bdcc491590a99161863e80a96207433d4ca41f7dac3644fd7a191d19d26eac724efd0da15474a4b8399555cc5b4351572

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
24bdc460fcb9ea2feaaee85e3a5f76d9

SHA1
52c0d09043236971fb7d32363d75a4faa988293e

SHA256
246764f2a37e9bf386e2f8927e6bef4623751d0efa7083eab02c7b984d615201

SHA512
718fa78da2c37e791767e0f13ce7e4c36fab857517419e1eb0fdca3cd66737ad6611ab731bb1f49ddc33c6c4796c86f9d8fc96852c0da66884b78dd59bad00b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
78ac78978e64300443924064e2408c51

SHA1
975c3e4d98cff8629a2da38ded773d0d525bd13f

SHA256
d30eb97a8ad12978e5ab6a7d6987fab1158592d6d2dc8996f55ded6b089c9e38

SHA512
3b738064f66ec204c858ad43a27f32d6ddf362ac521b3023a9591b15386e290c98b1d9f8d7820668efec7ede0fee7101a04584646a8fcc87c5093128f9585d0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ee42a8d645cd90d5791341b34fa21400

SHA1
a4058a75e5e48940a2103f8137f231fb52432df2

SHA256
ee3443c95c66fc2667a60eb9f646795f231c8cdfce36a7a47659619ee57af13d

SHA512
bd19bedc8bf52f13bc05ebfa8eb608172917d770520f9dc85eece414238cce610a7d14e91eac56abdcd50888336ad6d35f6cb1ddb56b122bea2609d4148d2344

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
5204b3bdce418c17847f53347928692f

SHA1
2f7e674e3feee0686109495f8ac6956adf776a66

SHA256
2194f5b0e076506af988c22ed4cf4813d285781e1ef5583b9254063e56907502

SHA512
da30002dfb7bf56fdb3f7106e9bc61ebe136836600e28f93eda7a2af85577fed48f792ecf213cac2ba94d114e59368afe6b1ab61ec481319057dfbfdb14a19c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
295KB

MD5
1ccbb44c7ece09ccc40f2eb29335b85d

SHA1
dc9640d1100b08edc8f70a8c9b3f0e0635d77b44

SHA256
435bf25bc90c9a2f6a25488c21e778b6eb5d267c6d7acca149fa1ccacaa29c2d

SHA512
d3bb7ce3d43b7aba236b9b8d05c0ff11100ddc53cf6f990daa8ffdf4bedde9406605138f6b6cb01499843dbf92415536a06a92886318fe00eb6fcac48f784f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
137KB

MD5
6feba625a8b025b232a7f2df4d296f9f

SHA1
6c71c6439bf58d1b887e6617fa4be430a26d13cc

SHA256
04aaf2b24d92f3b2c134297d263ab3d009d73914df4c227a6b8ed28d5af40dfd

SHA512
728f19f78d3cc1ddbce13d8d79efcbe0f8273b295d745b04d3132dadf76bbea244c6b576df0702b19d9104bbb0d80eb0b9c36acb18f2c6d4d9259d209806d86d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
295KB

MD5
affa4cffc0f8f084dbbc103de0732982

SHA1
775261f340abc3828e16b1a9f8fac6e62830f534

SHA256
dd031aa5c549f24d974986a71feb83cd93c6d6b04a98c9867d21b3748ee87716

SHA512
2661e74cf779dc2aea1ab63eccb2e6eb07b336c62231983b8033338f012461a1ad791f2c85a7ba0e00dd7e7405e90e8a87f55ea051c04f1ca1c92e9dbf987b51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
295KB

MD5
974c4977ab723a348dc997c0bc3220da

SHA1
73e95f5ec6924228d1996dbafd091f0312fb4caa

SHA256
06dfccf70b2c6b5aad5819545407dc475b1a272dc8505d5279e38b9d9ec9fb54

SHA512
1bb9f158c9d402c90f8e7517b2ec122874c16cbbaf1fe4a6508a45627cd13047d09c9265bc3f710bb7ee7b06e5878934d408d29f3335c019c2e4366833ab9dfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
314KB

MD5
daa9dffd9b554fa78048d686b052c581

SHA1
e03c6e5ac7cf6eefde2feab4a05bdfe85bf724c4

SHA256
bad113de1d7f0af9284a790c6eaaca1b197d6110c16850916e68d8cd91f1a7bb

SHA512
74a4985f1cb1f9dbea47426ac76731c891d16f2fd4ee5cde88c922192203650cfa5f0ce948dee1ed49af509c154fbe600da44e899eb3ba69cfc31cee1c391584

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
295KB

MD5
f7e3a75f9991401207b6b2d38ed16b1f

SHA1
58174d6020abf636cbe8ee99e644c844a1a5e7f7

SHA256
94efdb7d085be02b15f085279aa9ecd72ea2950e75c08f63033f0fba323c30e0

SHA512
981ea1c3243e54b05d3b9649b288ca3d18280d29ac3143107606f6798efc7115e1a1ae3e92b9889be3d38eb5a9d93e93fcdff100a671263cb9fe9563907d75a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
ab616318b4cf80be769a3ca7630086cc

SHA1
1296be1d26266634e4f3e54709533ce2f7a6039e

SHA256
4ace95d3b6484b05b925031e4f5b1aee7baebd60997abd09b51048dd5eb9db37

SHA512
014cad8d1aae91cf861e25d2ac553d7f25cc128642cf3a9a86d7e00472d072711827e3c72319b802d152c049d4a3879d104ed83907a83464d1a5260909eaf644

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
104KB

MD5
7b66b36c20cf67a5c8ecc3363def63da

SHA1
4af6dbd23607e4a0bda76f279a96e10000a3d2e8

SHA256
19552925814402073690182335297035eb336cc2fd49c8799225bc81ed5eab93

SHA512
b58e0fd580b35f7daff17a140acad2253e5f9ba258d3e3801623c564cf83b42a8e97f6447fa2588a373d71a6c3fa7b30e26d43ffd7cceff94704bbdb4b5d978e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
99KB

MD5
bbaba40ee518150adc8859b37d687adc

SHA1
08398411fb76cdc89d7b0b4caee513dba3258725

SHA256
aab0a20bd5ad04fceb7ef52c42d4ae3471953460ffc32aa592ab4ebbb2494d24

SHA512
351b4b3b5ff5207079ff4eb5b36c46b4fbe005cc58d01e84d85643a43b67df22c8dd5d00a05b0e0c72db672b8b64a2d03f0806ccec5f967105ffc608b82eec6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe591592.TMP

Filesize
93KB

MD5
b6184b83fb5250279ca26bb22801f916

SHA1
a4d91572d3ccb14cd57a33bae8778a163a7cec94

SHA256
f82e54465f0f491eef2eff8f75586e318afe146bf9836c3146f652889e8fc3ed

SHA512
85ce38e1121d5ea25cfdac4932662e9e72c6e7d44ac6710f105e11c126d2e7dcc5f4888fac7c1208b1112897af6dc031562e666616b808b123ffbd7992738d7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client-built.exe

Filesize
78KB

MD5
7d921a8a96e652d5264847bf6645f61c

SHA1
0ef41f617e00919d102098a7c82750f6e90d9b80

SHA256
ddbdfe227d8394d50c28c4b02c39033c4d5d1962fbd1342a5ca5f236e9671619

SHA512
ac86edaf87b61f0f5b6bf3dc2a70150b43a3e5a758ee4e45162c27491b0ba02f01203446af87666d7c2346169e5445e88027cffd8fcfa64543730078d8c7aed0

Download Submit
memory/3104-0-0x00000000731AE000-0x00000000731AF000-memory.dmp

Filesize
4KB

Download
memory/3104-1-0x0000000000E80000-0x0000000000E88000-memory.dmp

Filesize
32KB

Download
memory/3104-2-0x0000000005E90000-0x000000000638E000-memory.dmp

Filesize
5.0MB

Download
memory/3104-3-0x0000000005870000-0x0000000005902000-memory.dmp

Filesize
584KB

Download
memory/3104-4-0x0000000005810000-0x000000000581A000-memory.dmp

Filesize
40KB

Download
memory/3104-5-0x00000000731A0000-0x000000007388E000-memory.dmp

Filesize
6.9MB

Download
memory/3104-6-0x00000000731A0000-0x000000007388E000-memory.dmp

Filesize
6.9MB

Download
memory/3104-449-0x0000000006AC0000-0x0000000006BE2000-memory.dmp

Filesize
1.1MB

Download
memory/4304-512-0x000001EEBF070000-0x000001EEBF080000-memory.dmp

Filesize
64KB

Download
memory/4304-552-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-531-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-522-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-521-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-519-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-547-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-517-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-535-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-550-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-514-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-546-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-545-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-544-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-543-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-536-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-551-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-532-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-553-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-554-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-555-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-558-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-529-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-530-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-528-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-525-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-537-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-520-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-538-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4304-539-0x000001EEBF070000-0x000001EEBF080000-memory.dmp

Filesize
64KB

Download
memory/4304-540-0x000001EEBF0A0000-0x000001EEBF0B0000-memory.dmp

Filesize
64KB

Download
memory/4580-474-0x000001CAE7900000-0x000001CAE7910000-memory.dmp

Filesize
64KB

Download
memory/4580-490-0x000001CAE7AB0000-0x000001CAE7AC0000-memory.dmp

Filesize
64KB

Download
memory/4580-506-0x000001CAEBF60000-0x000001CAEBF68000-memory.dmp

Filesize
32KB

Download