5f54d87c3a9f0ccf47783aa02c3e51d55edad950c717e0f59f1f307a45346251

Analysis

max time kernel
279s
max time network
291s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 02:12

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

sample.js
Size

77KB
MD5

ac7bb14b622c2d35219240671815bfd2
SHA1

dbcb098e25db3587c2d2b72e8a1dfdd9274e7fb2
SHA256

5f54d87c3a9f0ccf47783aa02c3e51d55edad950c717e0f59f1f307a45346251
SHA512

5ffa0a7c6ba57106d49768cd0232e6dd73e2ad630d03c3ef75f981a921bbe7d4c28d671d260c3c5614f6cabd9379f79398b9bad3b3a5cbe2f1f2015697e73bf1
SSDEEP

1536:O6QJFLCCwNieXvQehNFZuSuWtWWxTZdkG+NpcaEej3qcS/6aXWKjpsvH6ZJsnfJC:pQJFLhwTRZdkG+NpcaEej3qcS/6aXWKJ

Score

8^/10

bootkit defense_evasion discovery execution persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 7 IoCs

pid	Process
4000	MEMZ.exe
2596	MEMZ.exe
4500	MEMZ.exe
1736	MEMZ.exe
3760	MEMZ.exe
4952	MEMZ.exe
5716	MEMZ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
669	raw.githubusercontent.com
670	raw.githubusercontent.com
671	raw.githubusercontent.com
672	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Probable phishing domain 1 TTPs 1 IoCs

Phishing

T1566

description	flow	ioc	stream
HTTP URL	78	https://www.speedtest.net/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=8bf32ed85bad6921	5

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133701488345366536"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15300#immutable1 = "RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-101#immutable1 = "Customize your mouse settings, such as the button configuration, double-click speed, mouse pointers, and motion speed."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-1#immutable1 = "Speech Recognition"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-100#immutable1 = "Mouse"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-160#immutable1 = "Uninstall or change programs on your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-7#immutable1 = "Change advanced color management settings for displays, scanners, and printers."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-300#immutable1 = "Sound"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4313#immutable1 = "Configure your Internet display and connection settings."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-1#immutable1 = "Power Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-1#immutable1 = "Default Programs"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-1#immutable1 = "Network and Sharing Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-2#immutable1 = "Change default settings for CDs, DVDs, and devices so that you can automatically play music, view pictures, install software, and play games."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3001#immutable1 = "Sync files between your computer and network folders"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-51#immutable1 = "Date and Time"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-2#immutable1 = "Keep a history of your files"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Mode = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-602#immutable1 = "Change how Windows indexes to search faster"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4312#immutable1 = "Internet Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "2"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-2#immutable1 = "Conserve energy or maximize performance by choosing how your computer manages power."	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Mode = "6"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-10#immutable1 = "Ease of Access Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-1#immutable1 = "BitLocker Drive Encryption"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-2#immutable1 = "Customize settings for the display of languages, numbers, times, and dates."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-52#immutable1 = "Set the date, time, and time zone for your computer."	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-601#immutable1 = "Indexing Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-1000#immutable1 = "Devices and Printers"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15301#immutable1 = "Manage your RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-159#immutable1 = "Programs and Features"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\FFlags = "18874369"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 1e00718000000000000000000000c98f908eccbef640915bf4ca0e70d03d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-2#immutable1 = "Check network status, change network settings and set preferences for sharing files and printers."	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupByKey:PID = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\IconSize = "48"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 0c0001008421de39030000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4268	explorer.exe
6408	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2640	chrome.exe
2640	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
6788	chrome.exe
6788	chrome.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe
2596	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

pid	Process
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe
Token: SeShutdownPrivilege	2640	chrome.exe
Token: SeCreatePagefilePrivilege	2640	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
2640	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
5572	firefox.exe
5572	firefox.exe
5572	firefox.exe
5572	firefox.exe
5572	firefox.exe
5572	firefox.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
2640	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
6788	chrome.exe
5572	firefox.exe
5572	firefox.exe
5572	firefox.exe
5572	firefox.exe
5572	firefox.exe
5572	firefox.exe
5572	firefox.exe
5572	firefox.exe
5572	firefox.exe
5572	firefox.exe
5572	firefox.exe
5572	firefox.exe
5572	firefox.exe
5572	firefox.exe
5572	firefox.exe
5572	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
6408	POWERPNT.EXE
6408	POWERPNT.EXE
5572	firefox.exe
5572	firefox.exe
5572	firefox.exe
5572	firefox.exe
3760	MEMZ.exe
1736	MEMZ.exe
4500	MEMZ.exe
2596	MEMZ.exe
3760	MEMZ.exe
2596	MEMZ.exe
4500	MEMZ.exe
1736	MEMZ.exe
3760	MEMZ.exe
4500	MEMZ.exe
2596	MEMZ.exe
1736	MEMZ.exe
3760	MEMZ.exe
2596	MEMZ.exe
1736	MEMZ.exe
4500	MEMZ.exe
3760	MEMZ.exe
2596	MEMZ.exe
4500	MEMZ.exe
1736	MEMZ.exe
3760	MEMZ.exe
2596	MEMZ.exe
1736	MEMZ.exe
4500	MEMZ.exe
3760	MEMZ.exe
4500	MEMZ.exe
1736	MEMZ.exe
2596	MEMZ.exe
3760	MEMZ.exe
2596	MEMZ.exe
1736	MEMZ.exe
4500	MEMZ.exe
3760	MEMZ.exe
1736	MEMZ.exe
4500	MEMZ.exe
2596	MEMZ.exe
3760	MEMZ.exe
2596	MEMZ.exe
4500	MEMZ.exe
1736	MEMZ.exe
3760	MEMZ.exe
4500	MEMZ.exe
1736	MEMZ.exe
2596	MEMZ.exe
3760	MEMZ.exe
2596	MEMZ.exe
1736	MEMZ.exe
4500	MEMZ.exe
3760	MEMZ.exe
4500	MEMZ.exe
1736	MEMZ.exe
2596	MEMZ.exe
3760	MEMZ.exe
2596	MEMZ.exe
1736	MEMZ.exe
4500	MEMZ.exe
1736	MEMZ.exe
2596	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 4488	2640	chrome.exe	105
PID 2640 wrote to memory of 4488	2640	chrome.exe	105
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 116	2640	chrome.exe	106
PID 2640 wrote to memory of 2356	2640	chrome.exe	107
PID 2640 wrote to memory of 2356	2640	chrome.exe	107
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108
PID 2640 wrote to memory of 2824	2640	chrome.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js
1⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4148,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:8
1⤵
PID:1900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe69e6cc40,0x7ffe69e6cc4c,0x7ffe69e6cc58
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1984,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1980 /prefetch:2
  2⤵
  PID:116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2196,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2500 /prefetch:8
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3228,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3692,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3684 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4676 /prefetch:8
  2⤵
  PID:5144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:5160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4688,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:5168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4648,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:5260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5212,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:5400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3392,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:5648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4504,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3128 /prefetch:8
  2⤵
  PID:5672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4952,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4900,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  PID:5740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5332,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:5820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5336,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  PID:5836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5368,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  PID:6036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5324,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:5140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5524,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4840,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:5264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=3468,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=3480,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=3464,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5076,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4380 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=5136,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=5236,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=5404,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=4892,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=4800,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=5880,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=5912,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=6064,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=5468,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:5720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4580,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=6532,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:6504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6704,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4360 /prefetch:8
  2⤵
  PID:6524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=6372,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:6532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6708,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6908 /prefetch:8
  2⤵
  PID:6592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7208,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7196 /prefetch:8
  2⤵
  PID:6688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7160,i,9909812771170534383,6555500550847220582,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7332 /prefetch:8
  2⤵
  PID:6696

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6100

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
PID:4268

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:5972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Modifies data under HKEY_USERS
PID:5820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultebef9db1h604eh4b0dhb652h00f45d1e18fb
1⤵
PID:6200

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\InstallRegister.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- System Location Discovery: System Language Discovery
PID:3104

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\RestartStart.ppsm" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:6408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe69e6cc40,0x7ffe69e6cc4c,0x7ffe69e6cc58
  2⤵
  PID:6708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2032,i,9826319968344670285,12877421164350857359,262144 --variations-seed-version=20240906-130113.352000 --mojo-platform-channel-handle=2028 /prefetch:2
  2⤵
  PID:7000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1916,i,9826319968344670285,12877421164350857359,262144 --variations-seed-version=20240906-130113.352000 --mojo-platform-channel-handle=1992 /prefetch:3
  2⤵
  PID:7016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,9826319968344670285,12877421164350857359,262144 --variations-seed-version=20240906-130113.352000 --mojo-platform-channel-handle=2284 /prefetch:8
  2⤵
  PID:7036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,9826319968344670285,12877421164350857359,262144 --variations-seed-version=20240906-130113.352000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,9826319968344670285,12877421164350857359,262144 --variations-seed-version=20240906-130113.352000 --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:6276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3700,i,9826319968344670285,12877421164350857359,262144 --variations-seed-version=20240906-130113.352000 --mojo-platform-channel-handle=4632 /prefetch:8
  2⤵
  PID:5864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3148,i,9826319968344670285,12877421164350857359,262144 --variations-seed-version=20240906-130113.352000 --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4864,i,9826319968344670285,12877421164350857359,262144 --variations-seed-version=20240906-130113.352000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4980,i,9826319968344670285,12877421164350857359,262144 --variations-seed-version=20240906-130113.352000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4812,i,9826319968344670285,12877421164350857359,262144 --variations-seed-version=20240906-130113.352000 --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  PID:6044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5016,i,9826319968344670285,12877421164350857359,262144 --variations-seed-version=20240906-130113.352000 --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:6820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5048,i,9826319968344670285,12877421164350857359,262144 --variations-seed-version=20240906-130113.352000 --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:5168
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff74a824698,0x7ff74a8246a4,0x7ff74a8246b0
    3⤵
    PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5192,i,9826319968344670285,12877421164350857359,262144 --variations-seed-version=20240906-130113.352000 --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:2328

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1044

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5492
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba1932cc-324f-4b81-9184-a71359470cbf} 5572 "\\.\pipe\gecko-crash-server-pipe.5572" gpu
    3⤵
    PID:5780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 23638 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db230a3e-d31a-4321-8e1a-63618607a940} 5572 "\\.\pipe\gecko-crash-server-pipe.5572" socket
    3⤵
    PID:6780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2852 -childID 1 -isForBrowser -prefsHandle 2916 -prefMapHandle 3144 -prefsLen 23779 -prefMapSize 244628 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2966b12c-eaac-4976-bba7-52dae1920198} 5572 "\\.\pipe\gecko-crash-server-pipe.5572" tab
    3⤵
    PID:3664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3992 -childID 2 -isForBrowser -prefsHandle 3976 -prefMapHandle 3956 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e6dff34-cdef-4b3a-a635-b23e0636ef04} 5572 "\\.\pipe\gecko-crash-server-pipe.5572" tab
    3⤵
    PID:3896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4852 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4724 -prefMapHandle 4804 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d27f7c6-48a0-4452-b9a5-2536e207b32f} 5572 "\\.\pipe\gecko-crash-server-pipe.5572" utility
    3⤵
    - Checks processor information in registry
    PID:2472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4752 -childID 3 -isForBrowser -prefsHandle 5652 -prefMapHandle 5648 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00fe45ae-a50f-43e8-9c0a-07ec8a134f6c} 5572 "\\.\pipe\gecko-crash-server-pipe.5572" tab
    3⤵
    PID:4012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5792 -childID 4 -isForBrowser -prefsHandle 5592 -prefMapHandle 5576 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfe1c1d3-db57-46e6-9719-b66459bacb79} 5572 "\\.\pipe\gecko-crash-server-pipe.5572" tab
    3⤵
    PID:5072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5988 -childID 5 -isForBrowser -prefsHandle 5908 -prefMapHandle 5912 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b785a39-7e2d-40df-8e55-01d0412d69c9} 5572 "\\.\pipe\gecko-crash-server-pipe.5572" tab
    3⤵
    PID:116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6168 -childID 6 -isForBrowser -prefsHandle 6216 -prefMapHandle 5964 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78fcd674-f093-45e2-b1bf-6f4f73255754} 5572 "\\.\pipe\gecko-crash-server-pipe.5572" tab
    3⤵
    PID:6432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4312 -childID 7 -isForBrowser -prefsHandle 4568 -prefMapHandle 4008 -prefsLen 27272 -prefMapSize 244628 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ca2b00f-e2a4-4b80-9a7b-41e7e0d5d4a7} 5572 "\\.\pipe\gecko-crash-server-pipe.5572" tab
    3⤵
    PID:5328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 8 -isForBrowser -prefsHandle 1564 -prefMapHandle 5636 -prefsLen 27462 -prefMapSize 244628 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2d96dbb-062c-478a-b082-073a96c9585a} 5572 "\\.\pipe\gecko-crash-server-pipe.5572" tab
    3⤵
    PID:5116
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4000
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2596
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4500
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1736
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3760
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4952
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /main
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      PID:5716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Phishing

T1566

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
4fd2e1e0ee89ab2efcf64b13813dfb57

SHA1
f1469469ac1884f002fbe3cba1d8be88cfdf39af

SHA256
b94064c9e6abef05638da45947d0760325acfec963626406aa73bdeb3f3e77a6

SHA512
f28e540f5e356191f33a7e5cb091d9e6fcafac73a94e87d6b96823ff9cd8d914ed319cb3ad1ea76a5e788b7637826b6b5fa6b3a6c96f24353c0c44f9ce0b00cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8bb9891e571a300d558a74c7317bf8dc

SHA1
717c7e25f068f1388232f231ee940e28f7db3e8a

SHA256
8c6bba8a788612bbc91ef675ff447c80ba86baecefb95f0fb9c5fc68bc616de0

SHA512
8bc8dc1ec31bf56e1486294e35402249dc85c729cf0c2e02c986d5d6705ed1a22b1a952ac2e7729ed43f30029a9f179344a5bf03059b294abfe133419e8571e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
b184932dffc09b0b38add1d73bb7604b

SHA1
d7110a948cf8d4daef4fb08f0b6ff559e78b2204

SHA256
a98dcf84afa20e1342daf863fd5cf7420026cda733e77ad2e6d9955f3444775f

SHA512
b8e6be22ea8d2df974d92ac7c5dbe636867cd9959083d37bb4fec1b3b856dd327cc6bc86ebfb0b4d08d87bc6983bac7cbf0c64e6d0a120cd5f0131d7e161e171

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
4561800c8955c5764cf3a5b7375e4be0

SHA1
133ef959fd76427a6b29cc1cd878751cfe86b4e5

SHA256
9bd03814edbaca629228a94cbc28a91f2b9a74f1da34f8703df0336fa54a975e

SHA512
9c85769e7367c95253cdc5e8b957bfbcdbb992f92b505e4a3335b9cbc9f34f9eecf9bc0ce4a5a35c405d4eb6ac31c0a39c002dd323df5bc9ee27cbd4d563353d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
ef0ddf6341065085b7523d6ed93d1f72

SHA1
0976d4eb69dac46cf291d1cfc5638c444ddc0caa

SHA256
bbb65e465098bd8757879e9777965b9bad2ef089f382203d35b0ad09f67e1dfa

SHA512
8ec1d485a4474178e6ddeca97822f787832989d2dcd4a905a17e09caae60ba38589f34d193f8659ad5b0e1196728f0665250efdf358cfeee9f7cce54ab117187

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
1d856f9d2930ce728d2c7d390dc66d13

SHA1
68def8346b47eae88dff58df07e92bf8746647d7

SHA256
eae18212418813a52c275590bf0f533d8d108f585906b33d49bb7b928136f17d

SHA512
fdea4a0d0338e8a53e6e983b5651fd1a1a1df41ef1f5529023063a21044fa5bc0adb2929348788e9657714236f582093fc5de82796fbef19e8a0863e9b0c7c4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
40KB

MD5
0c22061eba99e217eb807e7c156f9410

SHA1
208755817b747eaef114427469ff5d17f532d723

SHA256
394ff5488b8a289de7ebd23ac855fd3f1b22d62f952773e1f33651709f1e2054

SHA512
b6dd7091734b8582578be7a4ab634b393078980e32a4fbc3cc3320c480a4bf00f95a4179fce5fc17b1ba4d60b02094d0a5b85a5a135cd6256be3e469fd43e0d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000003

Filesize
61KB

MD5
fdba276d308908467eeabd67fe4961b1

SHA1
f7d8200e675b441e8b7abf584ae62826b86c752d

SHA256
83bb2e7910866513462518cede137e8fb77a9c87b00184230f3afe333fba42b4

SHA512
de4131b613cb1623e5179ab7d43d2d07702e57ce230a68ad2219ede9618c66354a1597cb9758689d4884a34132ffd3482ebc0f795efdb50d4c851e6b64571b4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
41KB

MD5
0d17932e0626482afe8b6f310e47cb24

SHA1
78dd115cea950e82c6428486836b1975b6630573

SHA256
1f5b32a1afcdf9092cf1f0bb84eae0a6be1c8b4ddeb4d2fc4d271d1314aab252

SHA512
75e51a80add7329ddf91df268fe15a827931325283f15212b55a2dc41b76c1050863b0c0eecc4e7f20c069c0b8cf0c5b4e666ec9dca843c37a8e25867785edb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
33KB

MD5
5c3d1ab807f84ddc2b48dfff3aa9212b

SHA1
29e843aad3e18139bfe6c04c4a78cb32880e8a05

SHA256
a25f93df58d92ef75eb5eb8e2696de7e70d63479dda74b78274c6d999fefff9d

SHA512
9f8995ad7c13d6c3e0ce31b8f71721b6c5aac925f63a394879379ed712199e315b63c540221c4218fb7d34fdcad12358d8715fbdb9c87b8d5998447324f2c367

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\91cddb24b75e20ed_0

Filesize
254B

MD5
fc63452c6e0162d82dbd71b41163699b

SHA1
a7eaec59e16f8b2956dc1973b4d0ec8c9e942851

SHA256
3b5328b5ec29df9b699d6dfd79093033e803b1b4a81cbc4239c56ba26fbd5c24

SHA512
315a8754e40c8d5f73e09b48e5d2335e61c2012f34f7c0e47a6f1d5406c5803fe9b4f12187b71b8d5235048de1bc81551db48b573baef5af17a00984a9f2d1f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\9a92c1d71aba29ba_0

Filesize
265B

MD5
a2b7b99bc2d41adccf5e2107a7196123

SHA1
3878215af2e30311f0c8726e73300028aabefaf6

SHA256
b8c1e2a6c53897354792855bacb5a3c284c9ffe1df087a627b1d89463a9290d3

SHA512
76b91e310aef7e99e227dffeec0fb0c18181c2239e6131be04ce46a57853bb84f3a36bee34ff6b490fb874ff7458f242f57a75db7d9bf42880ffafb66bbc0f0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
0fcc22c28c1933a0e8e42bbdd9e5fe5e

SHA1
d39429ac9793b36280a89e89ccb3775563c8bb4e

SHA256
6dbf1959c8d38ddbf0c11c7d5ad02ba33849b5bc92f3a6bd3a9d0b542092fa07

SHA512
69a7013dc2b6b83f557301567252159889f175048bb32fe0182c97d243dcd23749bcfc167e622d9498bf595542c8e17ed301f7c625a5da612f68dc2cec5de3bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1008B

MD5
6165ea01f92ef4e736c43c3ca7ccdfc6

SHA1
200a1a0cb471ce938b39898ea68068f59e09b686

SHA256
a78210512775dd3ceae77f7da258f98efeefba53ad2e750537ab9c235165fd72

SHA512
0097c2947bd1ab30bd2c93d31cba186383786b57a3df3ea16a430f61c3e53a9ec1fea0fb80430c96aa0ec79f75d69313dd4242ea9d588265be71b8eea6379911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
864B

MD5
fe43a63714e11cee25d4cf675b10f286

SHA1
32d9ead9785c0e8521d996d3b7ddc81283c8b0cd

SHA256
d495c6c12eb25159acfe99ec4568eb9f2dc4cb443d7a34da41da129f5e935d2f

SHA512
87126b07dbf873084f5977bc70f99843b023c8e6aae7c275b85fbcf9a9b4b29a45f2b03431cf3ef61df1aeb2ead1300a588ef65bd8bb21ccea319bfa78d7fdeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
af31c24b3d7f6b4d6808e9bad41b06d3

SHA1
3670ae353100adc26a1ce8dc25e5bcc1d26216d9

SHA256
f31775dfb3def9bda7adb43e2be179757fe599f7a0bed701d69c485308fe8582

SHA512
211adf99cfbc8a6fb08dac36ba755e7a32db0ceaa58aeb45871aa78956b71d604ab28bd8c8cc28a222e72d7332a15ea3d0cecfbc01830b83012c2ef5a103cce1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons

Filesize
24KB

MD5
df345d8757af8ca63d2262325c1f9f77

SHA1
48409fbb24e2bafc4fd71f6dd2bc6f474344b798

SHA256
33741b1547aecbf0a287c494fae7c15ec17bcbaab7dbfdac15926dcf820108e1

SHA512
ee6df9c57ce608619cdf3081cad38f68b5586dcbb3a189c79a51e2d111dce6056916fcd285426f281bd6dc791565e3b691ad7bed1f771c1c6dda327b0116ce25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
160KB

MD5
7565fc1dc0aecdc50168e06201cdf87a

SHA1
db930299c14906e6e9e6d7365c7cc574b354f3f6

SHA256
c50b8dc10e7f6fd9c3a0dd3c996c0ee1cfda4a2e5299ebfed934a8c5d118e895

SHA512
53ab78fcefcea95b476ae5416b57ffc0488ba5449617cbf2a2124fe3ba0784f61ecad12f5b4895fe17cd1f4bb18bb95538e7ca920717913cc3dca6c2dd6b9c02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
14KB

MD5
3ab1e5d8c5c1b0679eacd15651bd666e

SHA1
70dd307ed6b06439fbbf36e0616997d72270c26a

SHA256
7993fd009796d6393b6da52bf898fc70075c3881aeeadbbdebfb25905d40a7d5

SHA512
c472b0e0a3a211d481808a120ddaf5704b3f864177d9f5d5279b97772493f3e67941c13d3992b8c00f2a89be06e7afd82d67c8628a9895a66ad8b5be8a1239aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
20KB

MD5
8f5da5bc85ee37ba714e1425cd0dad65

SHA1
af8df23225dec5e21737dd194e75c98804c56372

SHA256
ecbf7dd1a30bbaab6bcaf14794ab9701bb7244a520bec4c416b423c12fcecea1

SHA512
de6b67ce466a371827304aaab873bb4f7c2a50b1a98d799bc4b9faf1429012cb8e5f3fd14252b279abfa080584e2ba0c6a5fac29ed2681f045f04fda0fcecb2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
20KB

MD5
0938f0fc3d8419ada16d78af0e5031af

SHA1
7c4b3045b07d409faedcfd39acd84ff743a379bb

SHA256
6186c1684c1a26b9030646c5601790cc1f77551546355540060404084a8daef1

SHA512
e4c5c8d65c516cd051ffd3e32ad6925f13a00aaef75526c8784a9e1a32046d7e4c057be31de4ea198ab86af24ebd7a75b367bc9852bde9a31ccdef5a3fd5ba70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d8995aefe913e707e82e4a2b5158fd08

SHA1
a9d43bab3188437226c62509fd36d0dc36eb65fd

SHA256
9b91ae34afa062639704f22eeaa4dad5a16d22a5aa345a1fd7f36b110a244e5f

SHA512
6824347d55fbb012d28ec4f235d124853c6b0981327493d47a5f1cbc2e67ab69ee4903590736720ea2f050d7536bbaec0052271b417ca96343c5c1b0d22f2c1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
09149c752d78224643b5d27e9bd48eb1

SHA1
751b04012fab2d52ba38ee32492a75ac8a7f9725

SHA256
3231342e06ee1160e9c8920ddb26a34d0e03f081091769e0bf495bf577e1ba1d

SHA512
bdefe23bd362af3dd5a68bf6eb9349eabf31bf32802eceb8b5607676401897b17f2e48ed8f6eb015a9d6c881cf0ca58f4976835282b2efeed7c845acb2d29c3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
35eb55d68e994caa081272397a84d81d

SHA1
cdaabdfe67c0b130f407079af21355199275abfa

SHA256
53e8bf9f3a676bb7296ae95e4f40a699835e3f65b7c0839c9ce81249834ab40d

SHA512
45f8238c7d0de93f5c8acf0c32d09986a36bde3554239c375a52231a31468b7a7fdc6bbd9d4490cdd5e80c8f4c54cce70d3286a1ced25870814b5385e144b66f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
460cd445bbc2c8ca7042eff681efe9b6

SHA1
b23eda5e997dc17d9ee50d564dd2c9215acdf361

SHA256
bfe85eed25125dcfcd700b2f4084ec82ca17641e1c8ecebfe5b5ebc0e7456ba9

SHA512
c7f1b09a9dbfc27c85cc1b5b8401f619257cc182c2d5181f144d34114f151f4ab953ca105db7d7cfdcdb699450d678378eae54f1793d58b67f1508172edb2a1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
325f0b617869cf3aed74983cef1e3db5

SHA1
5b79afba71f9b75f5eb11f1e412002d849e7d7fd

SHA256
a4c4f03876914fd195ec60860262014dae02f774eba623fc57a0014a0cf5ece5

SHA512
fc37ff6d36a57f37d2042948f8ad3660f4ef542c1889be0aa07265f984f020e923d758bfd79fc71a1204d8fb2cffadbbff16dd8638494cc385114a0f2a23fd41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c25a5a06d1b3ed4fc3c0ea00b4c8090e

SHA1
1a9f35e16e2d5237ca87e7fe9cc5b24c304805d4

SHA256
4f6bd6892db6ba04160e025bdbea9962d32414e599ce479b5455c14726768b95

SHA512
f16bf0fe3613df90c3915a607e0e3945381463fb79317bb5bc18129f49384446dcdbf798001a11ecf68ffc21ab7c3b050adcf9995c5f1130ec96b9709c7b1a0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ebc996fcdb36d6bde5a4c2d5bfbcd96b

SHA1
bcb3511ddf7ea1828b90b10dbfeda46f55444db0

SHA256
9fdc5ec08ecf3bef4a03166db2dbc38b3bc8060650cc81495d0556b65ef0612d

SHA512
66426df07d2a6c7196f740866d461648141208d099017ab401794b19f052c7e4ff9503cf2769dd5f460172acdb3966d6d75fabdf43db8f0f8011d5421c392b8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
32bda2ac03a0b2d44f1c51aa44301b22

SHA1
2fba247a8c9dfc911f1e0a311e4090f3fa90d695

SHA256
f0fa587dc578bad6b8709d6f222b816c368b37c985d4af7cc283ab2c7e2a9437

SHA512
f3c1fb51bc032e3ead891f7ec41d0eb8e4eafd71444a535571ca800ef1331ad0b9b01b78be1e91a9beca5aacc0cb6279c78bdf85e6792f0f8982c3515fdff485

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
22a97a7edf46e9d772db7a44b31a81b9

SHA1
36246b1c8d18cd4102963c2d2ec565ef8f45a3ce

SHA256
02852694d6de2d4651159500d0023e2e57ba91d49ee144f1e158296b32f01868

SHA512
4384061de2ebac1b498d8f6f52f3ddaec935eae0a76762610de6180a910dbc9088a5d188002a09a76692b0cc573ce04ad2aaa2c7a6d574de350693746609e5a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ef0578eebc0f946705ff758c3a7adf13

SHA1
f3c565913c132e4fc8931cfd8f348527a23d4ab3

SHA256
38d6aef76f660f771553ca39d8bd5e6d467102ee61fe15b6b2b9d8d4070bf260

SHA512
b35f28fdeacdc84a19f89d2741531bc12cdb586199b6e478a5bbfa751e9d3a0cc657140922e70d0c399ae5b5cc7b5a09367687351378845db7095c70b62db1b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6788cbfb4a00154522e1e2cc89768b50

SHA1
6e93f3dd472251fdb199963ec22584d211987268

SHA256
4a5f9d497958cec45ce4ec423cb755a515c27c0e2370eb3e0e66a5f034536224

SHA512
3854c867e84f03e916836d47532938d1cd61eec38962d18de22c9c890df96d0b75ada049817e8835f0de1b8f1743d4f0865f3d247d12a0178a5afb88240c0407

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d35f4d610dd68d9a11da6c340195e4a3

SHA1
582b825da24db42e654799d9cb904983a3ac721e

SHA256
d709806104c56d203beb8b72b182620f9a736c98744f230810b0b4ee2bd80251

SHA512
4a8ec4716a9e1c30a87bdf7548b6e04867b87e21c38241c519819088e3694853eb5ab3f6a1c314cc4c9cb3d52d136365e5f3a80c03c180da4bd4cd08b234a467

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ff6fa5dd2addc465f2b39f3cfe3ed599

SHA1
0d43b49456f9cc27894d276fd0ee71d39616909a

SHA256
fc87da0e18a1739a57ddca5a4dc75a4df48ee4d6acef29b8c6c43cef6896d2c4

SHA512
56ce3c98784a4eb3fcfeb216304dd6f24b0b69bc87d61f841cee887b3d8449414a9ce93cade6914ed55784f1ac917a109622c25f32000644cd8cf3167b33eaed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
fcae3dfd252d747f7bcaf84ed4c75c91

SHA1
4ba74afb4fc5ca8b64efb392bae0137d95dca215

SHA256
b71a28f47bb993ba0589ba45c4434ee20629240513fc8d9b55d22ac7b615b124

SHA512
08cf522cac049dec04073138941c258070841c718f3e136fc23a25cc954c1738fbe75a3d49e174af90d13d5f9ec37e526e04cd9c21a0695b049f2c8f9dc8ebfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
92622d15442506c422830001c62e13eb

SHA1
f155a6d139a0fc02253338487e8dae869b99892d

SHA256
03878495e28c30842490de45d024d1ffe78ebcf986c93458aff0e56d5c768bd3

SHA512
1c3cdd843ccb9129fcf8ec9ce27b56fdb8b411fc6052348b49906db964bf6f612161465c7f8599ef872715712d60ebdcea17d4b914f76dae3ab9ec866441cc4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
69d0bed886f087a1b98b5e4becf6897a

SHA1
1cdceaa25fe14e3cdbb10de1e7a0d7083d14e725

SHA256
200eae43f23108f437fbba0662cf128c4f9c8e433a96011c4646cefa5fc07971

SHA512
4c698124207dcb6e8cdfb441ef6d00660675edf090bb018a697d7117df1cdea8b8d723698b0e3a5f96f72a6e4c5d4d7461a918fdd27090ef144e2967cf8e4616

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a6dc8c19a50e8547457e7ffacb58a66f

SHA1
9d2c71d3358ac44cde122d577b2edcd2179aad31

SHA256
f1a661f695d0fcf551cf0e2561756ea2636422b67ef0b5db18be91638763e92d

SHA512
a07088b2bde7abc6993b12e0856be939e3f904a3bd68d8d1ed8a44dc7534eff5ade85213d493c5a98cdc8bfeb954efd86d0b554d41477ad2d89d6b202fcc1bab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f91708af734003a8c26759a4e5f02110

SHA1
5eb9dd40572666d6984439bac63734ffb6e51b1d

SHA256
d67b97f31ec9ff9beaf880b3db88d1ce4080923dd10e0ef3af05da3a08d9b381

SHA512
44177933c87643d84651f639c10beb841e315f957239e2a316cdd98f513a252fe5bcc0577a13906b8fae6ccfff149fbd244f34c188b4bbfb41eb45f851c6ea24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3698b6515fabce7b64af8791a1d4b9ba

SHA1
0905580589a6b2224f966f13c20eb4990c874918

SHA256
adf07cd03c860eb6569891b37b1c38fcd780261977ca2f874eec45c5929a2ffc

SHA512
b55917e81e2dda4d943ae21d5e240e56ad1a14c91a01a2c46d1260fc27baa51b25068f4d09840aa55d0a0e4480f96923f053677fde56fe7438e9bad30d6d109f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
2fbe2a6eed8d66557b7648adceb2aa68

SHA1
028d9fb880011c47155e71f99dc8e81f548ab787

SHA256
1df6f57de6372971542a5b1b5b8e2e17d655f5c819164a0aa19448d28f04b5e5

SHA512
acfdef068b9a99c7a3dbbf6d7e084c6c166e689fdcc316628fbf3bc8416faf8242d9ad8217f4fc28d925da8284a392b08ee4808e6fd81ed15861a0fa8e4ed2ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Search Logos\logo

Filesize
39KB

MD5
15a5c23dd6b51a85135fd726c065ef9d

SHA1
75eced9b6281584fa8bdf499239d316d3a8c4968

SHA256
896f3c6039e31704dff9d92e6ff0ce44e22a48f265df3011a2b21f5187e8b9bf

SHA512
e15a6859794ce40c2f551504694b8e0cb28485a54d9da3a4e316d1f2c216d9319e6b52febfd64c86f7cd2b5b972257e1ab97599cf7a2d07a49c191b59efadc97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
872170cf57933d0a3407cd14679c527c

SHA1
1e4ba718294ce259868545dee007efea8609edd0

SHA256
e045dccbaac34bb301fcdabaa997c125be86671218c95482932dd248c0221f78

SHA512
07432bced71283cd6d2f2170ad180c5d764f14bdc6c5b989112185aed56f226a80e36b276b037f944b7f83413259b950d0b6712ac57aa3b04dbe676859466778

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
324B

MD5
6c1b7cc295ffb622091198c3a1982860

SHA1
111a2c6ebdcc4535dba6d86447c214b9f8954824

SHA256
4dc7458fb3150f7af68f0bedb9f69dd328d4403adc8ed7a788457bde2a23d079

SHA512
01fea23cd0db3b5d9e73a3f4b9dcdea2cc3006721a8ab05d3838a3e7394d1c3771ae209cf570dc591c24d21bf59bcc2a6da4ea9e2d0e2952c90d9cf7d24b53c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
ef48733031b712ca7027624fff3ab208

SHA1
da4f3812e6afc4b90d2185f4709dfbb6b47714fa

SHA256
c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

SHA512
ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
77a25781dbe18b7b9a3970c4098b1d87

SHA1
f3b1c28b3b8e17549a12d4e07c8fd3638d4cdbec

SHA256
1574ce2a359926a17bc328f02d5aaad8c1ebc01416b7115d09827b254aa2aa5d

SHA512
1a560bfa978a98c45a4d4a063e8572adf32a20b2696051c7479e97b48b3b5feee32284cc923bb3577a8b191c407623fa0cb6439d85132b23edf4a49d98632dee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
fc0bbc7bc576f79a37fae8cf7107b2d0

SHA1
515b70203baadb90d5bf8182623114506620ff12

SHA256
8aac85a668e3cbf28d8c0f97ef693a6d2bbe09b721c5830280494dad09751bc4

SHA512
7c1c72629d62fb1a43353a1c2ef029e3f1a30825e1df30d34b027ef00e6decdfd1166071d34efe9d0ebee6cba3aa20e6b8b151e10a2b3b764f1c148f2d4cbb73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
3283de9806352867d5199f49e60c1c9a

SHA1
a650883004dfee13240e9429f420881867cc14fa

SHA256
e0ea654f8b603c5bc78522c7f5033ae02fd2cebaea7b9a4c5fe5c464fa98253a

SHA512
4353d3944ef8245eb61c8d2fa02fe50d16a1ee01cb6b485ad4f8d656bd1118b63cd934338ddda837f7f24d65312c0e43eabb45ee5f86a20682b2ffb588a30e74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
05b96b85aaf2727448847c28d8af8279

SHA1
a24bf4e8791a3a6183629a07d6e12df3df664409

SHA256
707e11e28f14a3b5a4181a21dda1d0b2ec1de915bb64e2614d853de44bf11e78

SHA512
b9e796bae058b5d0fd09035c3c62adcc1f5bc4bbc6bb8b4581a6f50debd96c440ac0c33a6250e61f6b75d22b45ca99012afcfaa2b690c03d7d1f5e92af596af5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
b6ce34eb2a820e8ee60c9b454681b5f8

SHA1
be342eeffd682521fa42182ff610f4530aa5896a

SHA256
5784cfe8d1dcd5bf135ccf3c4c1b9db3a8e52bd345cff86f4a36ad14faf4214c

SHA512
d0901244bafc706073296a4430ce8fb52d92617c380622e69c99520450170769c2b46bb6e03c0cb21c62ff1c0789113343c5f0a469b38c3c63e84f4e9ff21ebf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ff9cd91b-7169-4d4c-98a2-efa7bd37ff40.tmp

Filesize
110KB

MD5
c7cae51e219d9d334ffde4b566d414a8

SHA1
5e4d7ca29faecd52f5615a7510b5219ad8435242

SHA256
b34db02c86c6a8c67380e9c9567d0d609038d3de81d3b6959aa45610a9bb9dab

SHA512
b1f3de55328014eeae8578a86f15d9ad2b6c3d979d73ad30f76da6c8bc3bc9fb72b5d1fa63669e6110608cdf8291f55b2755010861cede09a859305ea402e990

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\segmentation_platform\ukm_db

Filesize
28KB

MD5
596cfb465572bebf4c74bb8fdcbaa02c

SHA1
edad8e42b16c261cca0376921710456cb6928e01

SHA256
595d6429db947d1724f7e51eec59d18801222292bca54c9a3243917e1341f14d

SHA512
21ad8394e0c4468088dff6209828b97b25d295061503d5bf888f9449f6166c2be81ca334eefeb97f2d35f428ad5b071328d9796ee10b22e80bc43bf6fc4e3417

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\segmentation_platform\ukm_db-journal

Filesize
24KB

MD5
34c00e1dc572a403a1400b4a5b723f8c

SHA1
b3cf6c8df590452a15cca8d4c190be2bcd5e9be4

SHA256
44e98e94fc1ecc4e37d0f9a6d18bb96f39adf9b38bf576361f676c58586055e1

SHA512
b68b396a2469da2712d4e1e38f9e3da20804a7c8f4bd45a7997971fd5f3cfb3d4d6df6d1e9c57a21e4c92d0e762f2a1c5d3926b28e921990db570c7236be2ffa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\10A0222AFA26BA84074326BA5AAF691B1EB56EDC

Filesize
32KB

MD5
c16820761e4f0287a44659af9906fbdd

SHA1
b23327a033dc4d88ed0d742a19e312bd1b99fb2d

SHA256
88777e33a4f34ac3aaefd879097c65c23cc364b8421fdcf993b3285203799236

SHA512
1296e1aa95230bcc350bd836a12a89611e70fdc56c65b06cfff27f93c3327f7c8ea8e3fb358283f8d78a48526de3870c5dcb7b065c38cd276094f7a8afb38f5a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

Filesize
8KB

MD5
ee1f91a194add592b4289e9bda4cf430

SHA1
542ccd4cb7ff01376565d5772894ec17143b015d

SHA256
6e2fa0fb882637a8687ef52bb2f4755e3fa4c0a6c0695a81c3913667c447bd10

SHA512
2e4b35ee1ff66881ee7aa07069bf8939ca8e81c68fa645d942b542096e8a9cffd78125b2f44f67f3eef8b6f19ae4e3033fc47c2c516703e7a3e30d7ad3cfa9a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
be97c8f1d7fe593a9b11bbed8ad5ba09

SHA1
15faf01330a6752d566a5bfcd3058602715eb454

SHA256
49faae2c898c0d43ff9c4cddee365fcd9858c8ac671bdf2fe27187da978f1e9f

SHA512
c007225d0ed6a90dea51b783777f5a91f74b37d2c371b1d0804f3c8efe8719f7eaf153efab77d7ef97851a9f070fa766a2c636727c7a7cbd1c06e8f6e49d8d07

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
0c164638d80e76a835a41fa3f4ec8378

SHA1
8f2e56b0d9312b0d79eed971355d431c32cd15f8

SHA256
c84e25c08f059e52649ac716b52d7a9452ab1a11fa04143dfc36e8b641be8ec4

SHA512
46d1357018ba2c8d0aefc199f93eb3a78796e5cd21a020017dbc764ff6ed13dfe4fb3c1eb0f7f2ee1e42c351afb407fa14e717a39db83d37e43ab306c38fd104

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
010ef7afd2ccda3a13b38c3035edf0ac

SHA1
c057b7491e228419fef052df94b16762e922b2ec

SHA256
b1b5188e8ba1db2e2700d9950f93b26319b4b32c84463bd468e1f264b326836c

SHA512
a8437a3f6909927ed9fcb86561c42defdaee99d86b557ff6307ab702d8b25b819cd114c9ff4cebcaff704949e0c879ba6dc02852bb64265a1fb4afd8d5479aa3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
752228c32bcb203d47c1111523fd47db

SHA1
de8df288568ee726ec6ab6ec5d7f4b7ba4be8ae2

SHA256
9b4df8887636e2f34b802cc75251bbcc7d8f11e93598d224e0e5163a292f5e56

SHA512
fd5b3a5a83d34898710f580af248ef74e2d7c4d95744693b308286a92f213305e7fbda13b47f93a6449d2d4273046d336e62b4f25d099c24d27029f68ab274f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
3a4e3a030c7a6d2f39950c8b9308ff63

SHA1
4c4da826fac5c4dcf9b52c1fd6f3477ff199750b

SHA256
d78cc22153a23ffa81cab549658b239c50301a4072882c4fa40547b5c4308a6e

SHA512
a682ddc703126f3ae383711a35c6bcb7857b242ce2165c9d9d18d22485b535bf7711c7b5725b1f146b2018920f66baed2b4b258e8929006e9b771b22cef05a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\1c72c448-ae74-4bdf-ae8a-cbbfd0d75829

Filesize
659B

MD5
a800da7079de52e220275c8022e6464e

SHA1
66f2076d1961f8b7785022ed55481b78d739d61a

SHA256
4836d62a431ecaf74205effce2d8e078962b232134a2a4f783da5c38579b19ad

SHA512
d21356b31ed967df423a33c26ed9710e66026af0cdab5846e2b16a16af278f46028a82340b7bacc7f5beb9773a73cbdca518f9b1efbb88461a4bfd530fab6f57

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\cc271f16-3dba-4623-9496-ae07d3e2c766

Filesize
982B

MD5
0bc2d6a849eb4ecbeb188fbd4eba41d7

SHA1
1668d49d12d9d4de5f58ee4d817c6f199ae3f318

SHA256
b53cc417c55d484dc1c4bf8010d3361f02c5835f07275b2f2f944d90da03af14

SHA512
784480edc3dbb67e22b0f76f341111ae06245748fc7072d6384561cfa868cbb611fcfec287a1aa2b6087afe522c3033b9a80daa5accb376ed518197d7c7c3c85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

Filesize
10KB

MD5
a43c892e8d31f53ae2c9b7eaa0817f5b

SHA1
733d575c5f1b303faf207488d05c83da2bc0504d

SHA256
d35796568d6e99a9aeba05147348bb1f7a9dc14a1a7cab2b07850fb4dbe3eaa1

SHA512
d8f6b2f0912516d399384619ee3c2e5e5b4aaae1880d876eaeee50c561b8af4f2ef857749174659098dff99fa895b24e51b8341eca67337e25510f730182e996

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

Filesize
11KB

MD5
1266c6df4d3849e7ebfdb025569c2ce0

SHA1
a009e7603f3c0c4a5bce7565d8075cb3d8f02164

SHA256
19b02709a94c75aeeed6470cb76ed82a59776cb2f04999af19de8a8255aa97b2

SHA512
2d8122f40d4109b7d71f8cbf62fcc003961f30f3a7f2455333f052f1059058af8cc81a8fb06b5e1887d00390405cb7f99fc5789b73358f4505b8bf0967c63904

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

Filesize
11KB

MD5
62f38dcac1eb01df9fb81f62857365d2

SHA1
0afb5957e862714a3ec77be06ecda0dc7b1d0cd8

SHA256
1823a28f56f56c45c829708b429c7f3bf5e8148b4e6147aeb52d6a62705a7b9f

SHA512
be498555bfa48d12c617fc3119976e0bc99bde9a1cf1b182606af93cfb173816cf98d55ac06e2b2c451a9a11afffb1e5b2c0ba98ac0c92435e99379ed8c61cb1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
f8c66f028f94406d5fb29d0f7da05205

SHA1
f406627c56a95d5d00bd4a88366315219838b0af

SHA256
6a2aee974c0197841f563f58656ac86564f25e475265c3fb6c7291d5dff655aa

SHA512
d8ebfac8fe1c64b1e2641f18e72cc93d3a1b04f7cfd418b0f73e1e24848bff0884babf3bc7909e9700964019cfb90d495fe68d4e892af3d34f31ff910e571905

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
81ed83bd5a19182315a6fe1bf933aea2

SHA1
2e4c252d504197f63ba3c5b67ca09a6c4598e17d

SHA256
f2ed348823459171b4a28f5c4a6e2a7dfb2b709b15fe091dd3f3eef012e99999

SHA512
b7bf7395835bfe4ace2b15afa9e6c954d761f5abcd8ff841983e94786ed26986c3880e3ffaef7ce8351d04a788e9cc8008aaf8844de38b0aa2f0b2cac5e2ce13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
392KB

MD5
3aebe51b6bb825e1d98dab68198116c7

SHA1
8fb9ff18f6e24b45ee96c7ddda4404055c6ea7d9

SHA256
9f93d7c1010e70ef6f21b816fbe05d117bbbecc5becebdbbbc9157d0a9daef69

SHA512
43e7d293d6c9853e65dee04aaa012fb1281c5540f48f021cc3bf23d774c13a9cbcb1ecbe6909890e70dc1cbc71f1e77cc50cf0e2f56e110e9f72d3fe09879590

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
memory/6408-632-0x00007FFE46790000-0x00007FFE467A0000-memory.dmp

Filesize
64KB

Download
memory/6408-628-0x00007FFE490F0000-0x00007FFE49100000-memory.dmp

Filesize
64KB

Download
memory/6408-633-0x00007FFE46790000-0x00007FFE467A0000-memory.dmp

Filesize
64KB

Download
memory/6408-657-0x00007FFE490F0000-0x00007FFE49100000-memory.dmp

Filesize
64KB

Download
memory/6408-658-0x00007FFE490F0000-0x00007FFE49100000-memory.dmp

Filesize
64KB

Download
memory/6408-660-0x00007FFE490F0000-0x00007FFE49100000-memory.dmp

Filesize
64KB

Download
memory/6408-659-0x00007FFE490F0000-0x00007FFE49100000-memory.dmp

Filesize
64KB

Download
memory/6408-631-0x00007FFE490F0000-0x00007FFE49100000-memory.dmp

Filesize
64KB

Download
memory/6408-629-0x00007FFE490F0000-0x00007FFE49100000-memory.dmp

Filesize
64KB

Download
memory/6408-630-0x00007FFE490F0000-0x00007FFE49100000-memory.dmp

Filesize
64KB

Download
memory/6408-627-0x00007FFE490F0000-0x00007FFE49100000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads