0b05e398a1cb8511549b2d76f7e68f8b869395d52c8a05242c2f6da32d4b5b70

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
18/08/2024, 13:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Drawful 2.exe
Size

11.2MB
MD5

deb86bf934ad91d4adc08b9e94bf4a84
SHA1

0f1742dd0528a6f7b6d7717b6b3117ea94486d61
SHA256

0b05e398a1cb8511549b2d76f7e68f8b869395d52c8a05242c2f6da32d4b5b70
SHA512

5e9ed7736c8acbdf575ff69f7f7844c2de66ea648445a9a4a5a6c55883b08472cbae4320e10f3dd7eddee1f16a23532a4e6cecdbca3f78cb1ea5e6a94cd0fe6c
SSDEEP

196608:gpJwe+BtisZuuJZ8CxsL2tThLzdTB1AdDtH0C9SOSAC/:ewYsZuu38CSSlPLOH/gOSAC/

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\7-Zip\Lang\kab.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\eo.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sa.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ta.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\th.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\uk.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\yo.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\7-zip.chm	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\en.ttt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fi.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sk.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\nn.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sr-spl.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\mn.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ug.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\et.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\kaa.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\pt.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\zh-tw.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\readme.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ar.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\de.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\es.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ne.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\pt-br.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fa.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\id.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ja.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\pa-in.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hr.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ky.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\tg.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hu.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ko.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\lij.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\7zG.exe	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hy.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fy.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ka.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sq.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\7z.sfx	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\is.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\an.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\cy.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\eu.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\it.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ru.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\uz.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\az.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\br.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\kk.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ro.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\si.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sr-spc.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fur.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ku-ckb.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\mk.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ext.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\uz-cyrl.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\be.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ps.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\tk.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\zh-cn.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\7z.dll	msiexec.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File created	C:\Windows\Installer\e596c12.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF90F04B91EDAF549D.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF891D05A87D8C79F9.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFEB7EF98AE67AF8B0.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e596c0e.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6CBA.tmp	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\Installer\e596c0e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF1BD558E5BC6A593A.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{23170F69-40C1-2701-2401-000001000000}	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000fd384c3a7d3ca1330000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000fd384c3a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900fd384c3a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dfd384c3a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000fd384c3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133684618576201582"	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 38 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\ProductName = "7-Zip 24.01"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\PackageCode = "96F071321C0410724210000020000000"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\PackageName = "7z2401.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724210000010000000\Complete	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\Media	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Drive\shellex\DragDropHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files (x86)\\7-Zip\\7-zip.dll"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\shellex\DragDropHandlers\7-Zip	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0410720000000040000000\96F071321C0410724210000010000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724210000010000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\InstanceType = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724210000010000000\LanguageFiles = "Complete"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\Version = "402718720"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0410720000000040000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724210000010000000\Program = "Complete"	msiexec.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\7z2401.msi:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
388	msiexec.exe
388	msiexec.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
5904	msedge.exe
5904	msedge.exe
3984	msedge.exe
3984	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeCreatePagefilePrivilege	2064	chrome.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
5328	msiexec.exe
5328	msiexec.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe
5904	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 5452	2064	chrome.exe	89
PID 2064 wrote to memory of 5452	2064	chrome.exe	89
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 2688	2064	chrome.exe	90
PID 2064 wrote to memory of 4100	2064	chrome.exe	91
PID 2064 wrote to memory of 4100	2064	chrome.exe	91
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92
PID 2064 wrote to memory of 4284	2064	chrome.exe	92

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Drawful 2.exe
"C:\Users\Admin\AppData\Local\Temp\Drawful 2.exe"
1⤵
PID:3712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6f8fcc40,0x7ffd6f8fcc4c,0x7ffd6f8fcc58
  2⤵
  PID:5452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1804,i,7811090558157083550,12495809919896162936,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1776 /prefetch:2
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,7811090558157083550,12495809919896162936,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,7811090558157083550,12495809919896162936,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2208 /prefetch:8
  2⤵
  PID:4284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3232,i,7811090558157083550,12495809919896162936,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,7811090558157083550,12495809919896162936,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3112,i,7811090558157083550,12495809919896162936,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3680 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4792,i,7811090558157083550,12495809919896162936,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:5708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4804,i,7811090558157083550,12495809919896162936,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:5336
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:5688
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff77a924698,0x7ff77a9246a4,0x7ff77a9246b0
    3⤵
    - Drops file in Windows directory
    PID:5944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5024,i,7811090558157083550,12495809919896162936,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3284,i,7811090558157083550,12495809919896162936,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4500 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4328,i,7811090558157083550,12495809919896162936,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3820 /prefetch:8
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5168,i,7811090558157083550,12495809919896162936,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5204,i,7811090558157083550,12495809919896162936,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3344,i,7811090558157083550,12495809919896162936,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:5836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5304,i,7811090558157083550,12495809919896162936,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5600,i,7811090558157083550,12495809919896162936,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:6024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3452,i,7811090558157083550,12495809919896162936,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5636,i,7811090558157083550,12495809919896162936,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5896,i,7811090558157083550,12495809919896162936,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5604,i,7811090558157083550,12495809919896162936,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5124,i,7811090558157083550,12495809919896162936,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5800,i,7811090558157083550,12495809919896162936,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6168 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3772
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\7z2401.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:5328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6196,i,7811090558157083550,12495809919896162936,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3340 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4224

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2816

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004CC
1⤵
PID:5912

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:388
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:5312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd59a83cb8,0x7ffd59a83cc8,0x7ffd59a83cd8
  2⤵
  PID:5448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,255292625575236559,3110429642173329625,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:6096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,255292625575236559,3110429642173329625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,255292625575236559,3110429642173329625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,255292625575236559,3110429642173329625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,255292625575236559,3110429642173329625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,255292625575236559,3110429642173329625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,255292625575236559,3110429642173329625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:4644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e596c0f.rbs

Filesize
20KB

MD5
36b2f3baeca74e22846e300bb9470be2

SHA1
adb101c4d4b90a52b8e548aad0c0f6596d49061b

SHA256
ff7bd87de21867be0fb448547ce9af6857b3f19e9b9ce0a6aee8560dfef24549

SHA512
6be63865d174bec770df58fadae4095c6dd16849655e6f642e90047889121a0e25898f5e35a4cae78fea4415182243491622888e4d8d9aab0b48ac7cfdc45791

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240818133738.pma

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
cc009d8c1528ae675bacec1f38789880

SHA1
83223d2d970a55e814018cd4fa008a73e2871c38

SHA256
aab120fb95fceac4316cb5aa2908fc7b01fc049389859fc6342bbcb8528d25f3

SHA512
0b1732d2df085ae710d7f4081ecde42a30e68ac88ebb90c4d971bf6dfa04ff7550832ad97937c833b4ebb428a1d843c9ed370b7a3e2c7d0a71a055a9424839de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
768a7ae6e72435ad6ccf6a809d72f7a0

SHA1
d09116e7e9dd7593315f685d2c1f8597b484c638

SHA256
a8ba3bf9675532ca4ab9d72c8bff07bb6722c336b4254ee2da50bf47bc235782

SHA512
c93e252ed78dc661e083111b72ad7735fc5e01f79a2d5b4d614379de3f5537ab2900bf36f7fb2de244b24ab53cd025c595be5e56153b798a138ed3df8584739c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
f6240de9744b1fa0fbc25339797e4bc5

SHA1
96b425d4c2a07b680d423ed7673c65c47d320608

SHA256
2ad6aa4231b961a1fbba23f486dcf031d9f56473552c05086bb7fd0db176bdd3

SHA512
f4b742317e6196f51a6889c93366bff3a16eacbe7b63e0b77191f45989322464e62fb05753cf3119af847c00b9009892b34c1ef1f5ad67d2329c5754ab184d6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
15KB

MD5
73f64ae311c0bc3635d6dd66c7e68d36

SHA1
40792a1bc07054b14d1659c49a9a0f2d2fdc1207

SHA256
e2524a2a5e2ce6b2b6e05f5c72116205466a424988cb70d013f6bad6ea82c8e0

SHA512
3c52a18dc7cf42e5ded88e1e495733e5d0c496e7ec31ada24c18af592f8a09af9450c79867de3a7ff79cb0c9f5a3d8b1716de04a77bfb74e45bbca36c382d0b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
18d8e9a99ebb3c551881b4a8c7a62612

SHA1
253c7dc9c301bff781575814791b62801426a13a

SHA256
dfae79fd501dd097ff851fbef04d836b03ed49bdb471134c95a1afeb47eb6338

SHA512
264d72e38c05ef650ffbeff016de675a143e2fd4af629932d1c8a1a62b69bb3109bb1b03095127f955bd8ecdc9b0ef1cfbf6df68bf43fb51bf631a5621e5b85a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
28e75bba9a01440f0def5688623e3433

SHA1
f2a7253351a5185a6d184f3a5bf7e2ae50cf1b6d

SHA256
97683075824d76b1e6bedf91bebb5f013e32e062deea5e43f3fd7e6b4e52e969

SHA512
c349a5015e2763dbf60785ea0e0159321d5fbf893218febf881d59f9944cd792201cb1bc8beeb0da914eb2c82fb3c2cfad32132ba5b4813ba4e812136ac7d251

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2770adaf598bc44181458d18eb0a9f29

SHA1
a22f21bf9bd81f910f48a465c73a5f2f6b0f274b

SHA256
24fe97c93e84312ec4551572f62a8918769fe3faa8dc37b31bd7b68e4a1a9835

SHA512
82c9963251435e9f7d16801fa7c1f0e153f72b1f038255d9aa3be3e2a4a0e6dbcd06fddfa14c274b4640e54af9cad644bf86a3675d23accef28a05319b683e95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
00c3ef41295c767d37e3979542fb9bb0

SHA1
94b51405844f52e0e8461598d40e9c55b016cccf

SHA256
670e353c51738e8f6672e2d9330dc5de408adaf44777fa4153932733051df332

SHA512
571b76a4af80dd6b108b4c9c1567eed920b7166d7e1a3d6b5d3f39fd8ee221e7e6931fe9544dbe87bbfa431f56923af9a388670e8e5d7271a974441a7a59f2b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\d2f88d34-602f-41f5-83d6-3b11fb4c37ad.tmp

Filesize
1KB

MD5
7b4b55e975553db163d6062c6629714e

SHA1
7d24468aa10e1df1114d46fcc12bbe150c63d794

SHA256
9576b95ae72be1cb4e46247335e07e442698d6468f7cdf94024467dacb5ee2b7

SHA512
27387729347bfcebd57a8fb0c5f351bb7c324e6d3f5dbc7be7b7d8ecc036c9dd36fd73b522e9cdfadce0bc397462eaa66a70e736951f8c67495b9b0c158bc34c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
47bf9b0ede24a0ea9062871122812c03

SHA1
aaa12b1aec78a064ee27143c72f383e803b9e874

SHA256
da7bd758283f2b95f209fb588840ac6d944cf1ef4ffc8338608a33537c51d42e

SHA512
3f16dea827a2dcc366736b5c69712a312f079665c99036c8f3b00cefc0d65f770d2aa1276965c7150cccb6f0275a13fbf50d58ff0d19efe0a421c6a69ffdb6b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
65c4c3b1cfc8230a41819a2915c7732f

SHA1
8e43bcbe12ddb5842c799f0b6e2c923d84f81c26

SHA256
c0a5ab3ee35b512549e4a1c0f1b8595e9ba2592ec7d56e8d89f212f89b0eedeb

SHA512
69feb1ec2846d37fbf5290a66f843686d7edc5624adcc94b0b0f5920b40f0eee949da0f54fae514f37849fcc56e04ec478577654c73df84b73da3566c02b5972

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e3f741f568808db01ba9edb41cc65855

SHA1
2455d5d825f0a9894dd9bedda0f0c3b6a11b870a

SHA256
f6797b0bab63a47fcc1601747b24744f942ba38b9708aca7742c0abb97690f31

SHA512
f532dd90f3d7e9bc274c011172f46edc3e59ac4c50e900ae0284ef593dc3c7d01faab066319e2bdae6572f317535a44148ecf323756a90a1cf8ee7f3df40e6b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
07c676d7e7125fdb516eace6b31a10e8

SHA1
8c21c9928224572c2fab5227d3319b9acd56807a

SHA256
3bc1e890b8fcf9bd83a60ec446d3b1fdb4e45fcb17dca136f0aafd553a9a8a7c

SHA512
e654ad011cd1c5923d6c5ded6778aead6a27984307d6ea7bd37e6b48090d9f6a5cd5abad8454f7e177e2ac7fe37a3e984012cad1f7e470852d837f2b9bf66b34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c37f5552a8af7fa3593319ff10376d8f

SHA1
ea563d9e7c7fa5b4cf09b825a3b2a5cceb668be5

SHA256
35515cf90bcc266947cf98b8b5b55a656ffa608b8c75d125d3321ec45354dd7b

SHA512
bf15eff8d2ea1e83e4676377165ba04a7723330cc91429b6d669625c421d3513eaab829542adc9465bdbc712ec6e33bd264812a1e402cef2304291099a7ba4ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
87a02d3e24871fd14929a04ff798d729

SHA1
a8ca74e2fe79aea2ecbbdff2f3dac788e529dc79

SHA256
2e0e258d24f380fd92db80736780fabebff6d5c4775fe46f2934a2c2b046495f

SHA512
9e79a09666198ff1ef5ef07bcf7349d2d9c71029073e4de89e3a3d32bea11cf1152097baddc39aa105279eb36880102521ea0ea2a5b72914efafea5ddcfa694b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c4b54722fee6c94a3cc1df281ef72168

SHA1
41be2f05ef1e613452697472aa932c42c430b4de

SHA256
b46525d8a4a10a8c155fa0de9fe443a0fd67d111e1cc06718b69b5a595a51248

SHA512
1808cc93031b94a127005eedeb14ab24278420dd4a71e9a20c2c7dbfce878029b3445ab75fe86fd54a73e344f718a8f8d8d208b470347fee5c85a2169c3577bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
975810e2378dedeffde2228a90b36fa9

SHA1
11d9e2ff51d23041dc944eae8800a8b74ce979ce

SHA256
0732f5db3e04fb5f2478d9c1c34e142add1c93852bdf7822a192b859dfe6352d

SHA512
f8d8ec32cd729b0a5dc6d026def6a48ac79b11496320e4028f4b611e84702237d646c5db80330d8adf1f0fcb5ff90b7ea92b46f77bc83cd4ab2ed1f80eb91456

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b220b1d2f1608c980583f42d1c290b1a

SHA1
88651eaf0f52efc97c0ac0589737314658391ed9

SHA256
0513a5ea058114f97e007c97c7167115d1ad471f3accbad671f0d36a8126c41b

SHA512
36bb3e0ee8c8ad304efbedf08ea821eaa8a6256f47ef0d0746219a464a39361f9a08f27aa858be8a5e73a61fb0bc6afb09e583c90530c2f58846e3d03cca214c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
76B

MD5
a7a2f6dbe4e14a9267f786d0d5e06097

SHA1
5513aebb0bda58551acacbfc338d903316851a7b

SHA256
dd9045ea2f3beaf0282320db70fdf395854071bf212ad747e8765837ec390cbc

SHA512
aa5d81e7ee3a646afec55aee5435dc84fe06d84d3e7e1c45c934f258292c0c4dc2f2853a13d2f2b37a98fe2f1dcc7639eacf51b09e7dcccb2e29c2cbd3ba1835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt.tmp

Filesize
140B

MD5
b8a3c9bc7e94fdcf6942356e37b16b38

SHA1
854e0fc8f036a37277ebdb231aa8a00432d181de

SHA256
b2c1cb6bebd6cd3eebeabe3e5b3b4eb6b7d7985183e0f82c58554d649805022c

SHA512
a58fa33400e8ff09b3e66b2571f7e9d10202b0c6e9f30db9a45c2f12f0a5123eb47fbfeca78422fb02d9f156bc286b7057d01b7085731b2380aea703ad90ddf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe588f99.TMP

Filesize
140B

MD5
a47a953d7abd9d882eebc6b2c09ed8d9

SHA1
1e5a119d1f49a28ed7c0f2a6a6f307bdcea7b75b

SHA256
bd6401b9ce4f35075a5f2f9ee933ba902495d39a000e349560dc8ad9bcd03a85

SHA512
ee7514e7ddf0c8f254eab1dad07a58197e9bb50a9e2f592e83fa4e642c7c2955d910bf16dde85832ebc94805a9030e047cd2324c12f624165f50ce075d86329e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ba522326-0dda-4b33-8dcc-2966163fb6c4.tmp

Filesize
9KB

MD5
ca99a2ad2780374e2c1acba0fd490d28

SHA1
dae3724f0d296c4b2964c254460477079d5f6ca0

SHA256
3385406c4f81f985a702e04227a8a66d1f96b043cba9bb94243337ff086703b7

SHA512
30a89dcf35cf80cb4ac31198ee8056a7fe1a343722bc52b804bb9294793a5f5047cbc6143266c751165d984f0c0858f704937704e417562df3c81033eceaf86f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
201d6bdc81724cd49701d25f27539332

SHA1
e0053173548099ab9d7791e86dcfa5655223b637

SHA256
e65bee1da25111a52b4251d28425a86634686b574a410e8bdd6d313abb1b9699

SHA512
58ba3a0c6c3e5c3a82d9a175dc881b29ff20680fd72e2329ab19d7f57cecd8bcbe2e68df55cd9f22ff824ae545c65a6642d04a830a569b8f061c626cdc7f0b45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
0e98053e7cfd70386e07d2440a0dca42

SHA1
f5185eb2ba1a4d45df6c8d66d02e08bd510ff56e

SHA256
4c7eb8524ea8966e7796b7912d80ce4db7dc64c5577a5d1bf968924191640bb6

SHA512
c06998dd0b873f8061a4aa52eb1ec46f1353a04511a686de0aa7ca6a0cabf3d0341dabac10173b52a2cd8c8737cf01ca44f181c10ecebd67b85df666b15f0173

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
aef7f3bf5d6cb7b939a39ff5f2714425

SHA1
88b3b2a9198d846fdc6fec96b1cc399e3ca2f641

SHA256
e6b8be55d69d2694477e8c719687efb1fa4c551afe1ae7315c2010699d387f84

SHA512
622e64741df316f7bfe83f17c1d132ad4499b31e9eb87082bfdce6d882ecc32b7a97f04f1e1020aa9d84936e55acba3b653d700a95f04b06a4dabe652e39e810

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
a9d3921083a97c33d54b94222e10915c

SHA1
e02fe5786e4648b6bd6d150f1a568ed5bc9437d2

SHA256
cc15d33edfbe7285a1d42d095ee94422f7e6e030e2473d3bf51759a7a8281c31

SHA512
78723b13b68f6f81986518b7f08300e7d1f662935c8f0ef53e9c9475540144fc7426e42773c5945da23422ad94ed48fcf04f00a5776af3b543be3182e7dd17b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
1b3aeb11b6c9a9d4510397bb043be8aa

SHA1
2d81e7e68f0bde39798e1efd81d6456da4d75760

SHA256
4d83303ff7af4380ee103cd0a880617df84e45b412a657269a18867235d79046

SHA512
614d8b5510543c10814fc84854fc596fde2bd52234c2e2451801c5d33253c152d283c2f124dcf2072c0628957812627084da1ff66f7736e02327fa5b26fcb0d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
458ec91cc35f3041de3fc3deae089349

SHA1
f2c1bb4603b093f431dac17c3794a4fd5c28c502

SHA256
0c97675a3c2f2ec1ee3d5bdd161a87ee82541de4d4b17d5d4814fd75e19b93b6

SHA512
db86e6421e4d74f47c4fae1db8974ed1443bb7f39291e9f34cb24193213074aa9d4e081f6ade0cf7ca645c9f522232c5486992735273868586d5c8d53f80074f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f081a02d8bbd5d800828ed8c769f5d9

SHA1
978d807096b7e7a4962a001b7bba6b2e77ce419a

SHA256
a7645e1b16115e9afec86efa139d35d5fecc6c5c7c59174c9901b4213b1fae0e

SHA512
7f3045f276f5bd8d3c65a23592419c3b98f1311c214c8e54a4dfe09122a08afb08ab7967b49bd413bc748ce6363658640bc87958d5e0a78974680a8f9beadf44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e681bda746d695b173a54033103efa8

SHA1
ae07be487e65914bb068174b99660fb8deb11a1d

SHA256
fee5f7377e5ca213c1d8d7827b788723d0dd2538e7ce3f35581fc613fde834c2

SHA512
0f4381c769d4ae18ff3ac93fd97e8d879043b8ec825611db27f08bd44c08babc1710672c3f93435a61e40db1ccbf5b74c6363aaaf5f4a7fc95a6a7786d1aced8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
38b9e01eadaccd4eab564edaab0d161d

SHA1
d460a0bc8e909363720d8cb5f36501e07bb0f79b

SHA256
f18f491f7e15acf072670c47f0f16148334adacf4b47079c0636c40c90742e4d

SHA512
4b1e8a0e6c9f97f11b172715babbdba3cd250c6b6f3f176d3791072dcfae214ee955df1d98e72337a7430c072fa56b62d0db14c98e495367976d427067ead470

Download Submit
C:\Users\Admin\Downloads\7z2401.msi

Filesize
1.4MB

MD5
a141303fe3fd74208c1c8a1121a7f67d

SHA1
b55c286e80a9e128fbf615da63169162c08aef94

SHA256
1c3c3560906974161f25f5f81de4620787b55ca76002ac3c4fc846d57a06df99

SHA512
2323c292bfa7ea712d39a4d33cdd19563dd073fee6c684d02e7e931abe72af92f85e5bf8bff7c647e4fcdc522b148e9b8d1dd43a9d37c73c0ae86d5efb1885c8

Download Submit
C:\Users\Admin\Downloads\7z2401.msi:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
4dc255f69e939e95f1a7e2631c72cb92

SHA1
6bbc358558e75d0ad9e587fa5718327eee98910b

SHA256
1601303e11bcbebdccecbc5bf476fcc7981256200b21c3e1392f188d03ca89b8

SHA512
bd7b892b87c29a4b15e774d63f8289dfea990fa7277d12df12e98d006cce8018024aa5c34ec094c9589272906d5f8aa253d00a232800c59ab00e5ad7b37be21f

Download Submit
\??\Volume{3a4c38fd-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d91ac376-695d-4186-9dd2-b7507e8ec49e}_OnDiskSnapshotProp

Filesize
6KB

MD5
bc7c2251795bd38435fa1990868e60d5

SHA1
5048b7fa59aa0a8467743b7a5f026cadf65944dd

SHA256
8544948a4af1ca31604875d4f85b3bcd3cba50f2bd01f035e5e88c2f26ab19de

SHA512
63d2ab67a0d7ce071b20130c52eb378adefb6be8b432628a4ececb4ac4927a4c9a05732cdedb38ec7b59c74bf47328da3d1b3248607f6bc6cf6ab272bb6998e6

Download Submit