f35c32336623760c4c7f2f97de295dd92d131cd0acf8aacef4228df6605de247

Analysis

max time kernel
493s
max time network
494s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

monkeys dancing.mp4
Size

11.2MB
MD5

78ba068286738c17db3758bd36e07a94
SHA1

a1d28e2f93ad2ee7c26766251773255e4e6b7f8b
SHA256

f35c32336623760c4c7f2f97de295dd92d131cd0acf8aacef4228df6605de247
SHA512

bb187df15a43aeecb908f480c5ed7e9316d42135e125a1260f8c1a512ed8e9a0ced6621fc09e06ef276c38fd381233566a56b762fe218d32a5a8a82c161f5592
SSDEEP

196608:AfKpOUXRMMLca+mpG0aFr6/6EDjFPgEyAO307hXNu5VsTpe2XTsuUlwqWP:AypOUS6cTmfmr6RDjFPiAOyqVso2X4uz

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3540	4308	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133722441774368482"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{000DE101-E39D-4349-A323-13F85AB7EE7F}	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{69C48B8D-4BCC-4AEC-9796-E6F7BBEE47B0}	wmplayer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
392	chrome.exe
392	chrome.exe
3676	chrome.exe
3676	chrome.exe
3676	chrome.exe
3676	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4308	wmplayer.exe
Token: SeCreatePagefilePrivilege	4308	wmplayer.exe
Token: SeShutdownPrivilege	688	unregmp2.exe
Token: SeCreatePagefilePrivilege	688	unregmp2.exe
Token: 33	3204	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3204	AUDIODG.EXE
Token: SeShutdownPrivilege	4308	wmplayer.exe
Token: SeCreatePagefilePrivilege	4308	wmplayer.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe
Token: SeShutdownPrivilege	392	chrome.exe
Token: SeCreatePagefilePrivilege	392	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4308	wmplayer.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 2816	4308	wmplayer.exe	83
PID 4308 wrote to memory of 2816	4308	wmplayer.exe	83
PID 4308 wrote to memory of 2816	4308	wmplayer.exe	83
PID 2816 wrote to memory of 688	2816	unregmp2.exe	84
PID 2816 wrote to memory of 688	2816	unregmp2.exe	84
PID 392 wrote to memory of 2972	392	chrome.exe	103
PID 392 wrote to memory of 2972	392	chrome.exe	103
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 1140	392	chrome.exe	104
PID 392 wrote to memory of 440	392	chrome.exe	105
PID 392 wrote to memory of 440	392	chrome.exe	105
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106
PID 392 wrote to memory of 1332	392	chrome.exe	106

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\monkeys dancing.mp4"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 2352
  2⤵
  - Program crash
  PID:3540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:3976

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x8c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4308 -ip 4308
1⤵
PID:2092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffad54fcc40,0x7ffad54fcc4c,0x7ffad54fcc58
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,17737981004251020569,12838513069647546604,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,17737981004251020569,12838513069647546604,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2296,i,17737981004251020569,12838513069647546604,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,17737981004251020569,12838513069647546604,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3356,i,17737981004251020569,12838513069647546604,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,17737981004251020569,12838513069647546604,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,17737981004251020569,12838513069647546604,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3856,i,17737981004251020569,12838513069647546604,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4844,i,17737981004251020569,12838513069647546604,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,17737981004251020569,12838513069647546604,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4932,i,17737981004251020569,12838513069647546604,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3184,i,17737981004251020569,12838513069647546604,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4800,i,17737981004251020569,12838513069647546604,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3840 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5460,i,17737981004251020569,12838513069647546604,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4924,i,17737981004251020569,12838513069647546604,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5428,i,17737981004251020569,12838513069647546604,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  - Modifies registry class
  PID:5084

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a2c8a487650516d30cdc8d5869d94a14

SHA1
50527097f3843ffc4d131f9b5805e88e05514a2f

SHA256
0850b6e012ac17ebf1f5fedff1371400021cf64bf8713b762eb2eff08fb10602

SHA512
4b8aa939b74e6533f2fb40da093d312506b19ad51e10e91868a76308da3c4cbd7480ab07189db36bb5d40bc0d1f85315ac97005d57df64f1634426257b098d73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
213KB

MD5
f942900ff0a10f251d338c612c456948

SHA1
4a283d3c8f3dc491e43c430d97c3489ee7a3d320

SHA256
38b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6

SHA512
9b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
48e466a40a8dccb034ef60e33a95b9fb

SHA1
d9f7e4639124254329a845d28fa20dcbf5000af5

SHA256
ff9d3c999516687dcb766a49fdb47f4e3d150460ed34b9be96cc396bd5b03313

SHA512
938938d5452b0f1bbffe1cbe637af0b6c267ed5867cc16132021f39607712617262517bf90e7fc2ef0135553617701a1ce00ccd3abcb3654e222ffc551404348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
bf0a33e05babb254d9935582cbde448d

SHA1
4b99294351c6dc06ee1e822a37a0be3260b728cb

SHA256
721c7973aeaa7ddcfc402131324ad6bcd1e028852bf3ac54e0ad3f6be587bed7

SHA512
21319597e7ce1e092e2061b6a1142040f0c2036369d81ba7dffc3e7cd877d484975f201fe5ce1c6c833c2d00a4e5d23fecd7a33b0816dd3c24a96da1fe86253a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f51de48898faa2e8ea49c6c8eb7f5a75

SHA1
2c35e53da3ed0510b357a410733df6d2c0c82a8d

SHA256
f0de44028068fd65239e4786e1edfccb3d3447d33850abf60d9c274f4e4c97bc

SHA512
9e7c7f9235800762c2445f826b2cd736f4a6f6fed02c1ec2330c9c9fdb9e832a9a446de0ae805e4c46c09f644a8eaf757aca3498eebdfbdbf6a27949f8cd8f9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a35fde6ef019023adf41cbae7c784418

SHA1
9fc144b2c679efdf7f27300b1cc98cc02d451c61

SHA256
40297ff7ac1187413c3b5de481a3771bd3cbc691bcb1e0e8491ae398ce62cfd2

SHA512
eeaf35316d1f156afc26f94f801dd2ac4779b3f5fdc05a59949b4826f9a3f8b5db2baca23a6b43aa49c28be82c44e15f5479412a56b8241d360c0a0641919c8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
f941a84fcdca955fb0a6c15da3590588

SHA1
0e9abef6da1c87330b8e83dd79d425e41040a611

SHA256
2d2b0fe9c7ceafd81a98c3144a40c94e81292e6d7300bb83054febf0e2bd196d

SHA512
907f195412e779984e99e646740221d36de1a47bb969289ea77085caa3bbf08c6114797292cb8bc3a2c6b19e084e933c10f916c0ed196ab7629c9cad2b77734d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
d71f7c8e129211a0a7d9b02889ccf526

SHA1
06a7b9fc3a20a049cd26cf4435f3d88f745ded50

SHA256
a337a63359f50674f9798f5f920e9aceee81d778b63865984c23cf95caba9276

SHA512
b56e977983d1640cfdd66d96d89e80642cfe8900ca3a6506f507f7555692413ee513f993aa49e8d8e692916e0f863988f379e902b61ec1355c739e8581775e88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
52c2d5a5c67b8a8e18af00f27f66b51a

SHA1
aee0491ce35a6d289b19184715e5ffbef7aa9e3a

SHA256
be7bc9b9451492e3270b4eef42508db608d27ca9c778eb9c3448c8cc69b8e3f4

SHA512
e24063b6c7d523d90a2b2bd3ff1b4666a553f9902a29ce7baa6e653a45d9a022982b753869503ad7f5a5706cc2a778a082ed7356fb39b2a499f92da7fbda1cb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0d82c6df9150284828dbffd56cec3dc5

SHA1
3933d48abf4858c644e32ef24508fbf4a4691517

SHA256
16e1debda49dd24dd475ef3cea713e801606cbb34492cc45d6d5f52bc313c28a

SHA512
efbf1a07741f71a10d9d2e82030232750c94e78c321995979415e5f72419e4bea06743d4b6e6a6cd2be77cc8d4a4f4e294bcc2b203dc3a8e144a691ca61f80f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2aa382dec7323e2cec15bc7a873138cc

SHA1
801f220efc1362e9b29522898f309c7c578d6c8a

SHA256
b07ac1e1a161cf5c7db73d33b2f85e2abdb6a4fb645bce33762b6fd1d6d1d419

SHA512
0580d1fd8aa43c8fa68c8a3a281934610ab803417d76c84d10de6983c18c139ba0f50a2422ef61f372537c46e18af2a52451404b86bbbbb116838938cf455295

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
45512809831a87d23698f5cc5e166c86

SHA1
793d0dbf5e3ddd9dfcd1ad09f2d568bc92963367

SHA256
c64710bb36bcc25e655ce5cde655c3bfbcfb41f658e204b17da7f0c9b9567b02

SHA512
4cbd6384158d10efb74ee85a7206f7593b57cb2dd8aa1a4a737516bb0f59fb2710695d56ae02ed6ef590dba690db8b6f2c12ea358e620ea26bfd654cd6164876

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
5e7d49e84ab14d6861b52bd6f47ca7c9

SHA1
440b15605641ab61e437c7e1c31739bc6a241e6a

SHA256
3c4ef64b959b6e07056b2731dbd77911495b920f700ef41e210f1b10669e2974

SHA512
49514a3976da25693a6154dd9f94ae8226aecfd3cf79b3441610babfc3ffeffa10cb043ae08a3c699da38e3003ba088b489ce703006853cde4cc57bf206606a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2d2e8f60025c952a1b22781c7d54a509

SHA1
dc648ab1b1dd8f308ab903120243ce28b21f11b8

SHA256
e8b14bee005bdc65b8f7f2d99cdde6ea78f49cd949d06b168cc8c2f88bb38788

SHA512
e059065baa87cead064751cddcf8bb423c9b4ee4f905c8dd5d9cdae5465ea8750e26a485064c2781e286836cb0e277acd60bccb25afffe59df3faafd09ff30dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
c0b349c87da9f8f13b0cbd39c620f170

SHA1
704fd84d117dd1e513432b2f066064f32e841b3f

SHA256
09c9402eecc58132ed4f429fc98075c65be76b4ea44c65c1c9c1fa98a1804657

SHA512
0c2b812dcd5de189df7467bfda6d6c09759c803185b99f664a827f2828da78467d9c09c0377dad6c11c35e53223d597d0fa194fc72afb42fdea8b28e8cab0edc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
aa028a5e2a16220faefdf2d5361dcf49

SHA1
ca2b467a28a96de8802b1c66838c7c7aaf789ec8

SHA256
fb66449a229ac70e6df1fe4204518acbffa751f02b7e33474ccf1ac44f5a93ea

SHA512
9c0b8c374041b5d55df943ec268d6f2881d44d8f73c9d70297e5e03adaba21478b76eedf0fd936c55487e3fe983d5d78f3dc43d1f30d025a516776f0c7f32306

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0c5c09ec7b3a489bb3aa37abce143a68

SHA1
32fe62222a65662c1b237581e5ab85200bae6af8

SHA256
f4d0ca5105409d06633d33b68df204b3c61d5ed3c53989dc0b81fd1dd72dc4ed

SHA512
1038d8dbd24d46a49c359f2967a95cfcfcbe741d8d430431c4521f897b3b8b88b505fa7ec8b3423bdb82c5ef2ed86625ef8d167a879dca4c5723b24b6d5eff40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ef7f469ed3d94efbe5e3c8dcd29ca490

SHA1
0730c3fbf419de99c7f228ddd9d675b89efd1d51

SHA256
2fcf1587a5b6e52bae28ba240f52f31b5d89ed83e0e2d908e55c80259c11e6df

SHA512
ca5b54f3890798689231b4fe6bcafeef6233441728706b0caca8f7e622c9edda80f8f5b91df74a23ea2de9d2a2a79d5335cc11c64119e75445bdce8be9c844b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
484a9dd79f67c3ba50ff5890be05dd3f

SHA1
da42d66e5b201c255e49341c8b13c5715c64cbd4

SHA256
88f511819984c2aafd718bcd044b654696129c43df2d2ca52bcaaff59e8af067

SHA512
b01dfde877132a3bde31b378001ec89742848ec929d3a8193560e64e485f1f85ab20112a5f9a48b563991aaa1b797e133a01f9cea709a647e13ecaee146675a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a149b62f1ceebb9d78c7da0234c8e6fc

SHA1
2b6306d55e5f1268d0dc125bea4c23dbf5db1d3f

SHA256
ad1982de0f223da3cc3fac1d74e001f63ef8d063b2621d7c8df3bdc6dc466557

SHA512
6f405f06d2b2a8409adf8225a06dfe708c48e694a370c9f862089064f3b77186099d1b50eb3ca4286033a526c4d56887d184d5f923186afca9c9a66c8790a445

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2d62790e21e2e7f1e37b813c7ca8cd3c

SHA1
e8c01bf6e88174c43a086b5786e888291b5b0c7d

SHA256
59db6a708471d22faa91ae7d269956cc5ea945e02f1ea4cff4f09502bfc4595a

SHA512
24e7006bcc145ef99ac92ebce1079f3b6834099e31e38b35fbc14359dec2209b6685e12aabb54e8f6831894d69c882805e69d7e025c3cdea8117867472ba0f03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
671e2608c9e89cbae1df507941f349be

SHA1
a6c9013860c28ab7ba3ac941237210b2062b7df2

SHA256
3472dfbe3eaabae3050d5f5ec67f58f7e936392b8d0a170015ea857b455c9a51

SHA512
2bad2c7bc22fbad5f4aef0e77169c749862c82e472db416535be729a4bcef272aedd04b2465c6b69a27e28d25b5085b0539d02ab8366b91c99ff83a16e12274f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
201a1dcd753f5c26f8915ce7aff1a443

SHA1
af9562b2f4560923efb8206bdf2ff739ce8606a2

SHA256
1a5f96c07ff607081d2cc6f82f1269a98258892e1c162155fda489466fb3416d

SHA512
6e49c38d43fa77b20308aa77ed51d29770a555db9b5fee5d5612fa5c4e28fccf76f2df96f1d688a568aeb8615ff9029c5c78b8f8ba40c3af924a124dfbcbafcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
52301aebdab165183c1ad41aab44e471

SHA1
b76a358b2b026b62a3f98bc0bf6ebb7dc9f80e78

SHA256
934bb5353956e24af367f7ece818eff96555fd4020c75e45e3b5777d91f095f4

SHA512
9c4a1e302a74a523e6d805dff8d25bdffb2414e458028d1bddfa8eba9a6c73e34079ddb50517a28085647036741358f99d464345d6f760cf4a0d70ac37972d50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
aa6d150e245a5f8284eea2773334182b

SHA1
ea6a5fcd344bc18f039b52efcdcaaa31dde6846c

SHA256
ff1ae76b7d0dc88ff832f3d8811ae41d63b86eeeef8a2627ab1a75914d8f51ce

SHA512
611aa67bc0fdb690bb3fbe62126f6aaca3f3e9869c01119606a5576922b13a477d6ab75f1df815c50b2833dadcf8a84ff4f70ce936bc5764204041ecb6d01ce2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9e4c6cd2724c90a45edd41c70e3ea671

SHA1
fa11842b93ecbc75d140709348515b9909d94ae7

SHA256
a3735f51aeaf7fbd9d036ed02126fe30164eca518866919971783eeac62083e8

SHA512
ce8e6a85419a81a2f142e8795b94c4a36f64914c7a9a49b3b7428701fcaf975730683339ed665f73555c6efc6e7c6bfbefc1b389bc3997c87daa3a3e1d25e36f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8d8b5353e7e69c5ae34931da712b7559

SHA1
62f7af6bdf65dabf616f9a62f568b1414bd391f1

SHA256
47ca1936237098e4b795a4ba5e08abe5d0645b4e5cf0672483f79952b15590da

SHA512
f55f448f7e893e1f89aa65baea10cad7f1d5ec20d732e9cb566aa4b3d5fbf424319a1797cd8a3e6b7a7b271093dce8ad5f06698717cfe2c557e19593d0651dbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
428205eacf9ec02dcf3b1450a3127e18

SHA1
a379988e3908fd5314e4d638406b1e760ba9842b

SHA256
37bd5d171fa13bf2cdccd502f99a1f068415b64d50aa32155bfec1abc3de015d

SHA512
b591147ed092e3c0a174fd25f12405c65b96e5fbeec4deb990870ebc25d64ba1e501768ff8ff6b25cef3a740f0ca8d3875a92a5005551f7a161ff479ba8456b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
acda4628d9ed1df3ca975e695d5fc320

SHA1
e22713dd02bce4ee08bf7c02b20dca653115a397

SHA256
dffedaea2920b01a24f300447b51de3ad2b05c5c6f919fda9adf280e210bae43

SHA512
475e0c86d89d76abaffb8cfa609df8432807dc120db7c5a3020c883bad0d88caac96ec7c569e82be261067cfc5bc60c42a573034000f020b92fc669f06353053

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
764307ccba371f3c37441b95f5d6b27c

SHA1
3a287b95dd3931c66c2ab2fe1350ffe3a3f19c02

SHA256
86c86c289a374df05863d6d1af43e54fab5a12b8aedcb788858b1a8d0515042f

SHA512
afe9009bab6dc6037728fa5b52642b50b61d2de66c2f698dfba4c9958bb4eb0dad4f75af6d4f0c00863a04902ddf73e796a479cbc1d7533f82611259bb6b9858

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
caeb5bb2685e526f347afd9bd368e3bd

SHA1
bac42b7f844a07f74d5cf55b60a5db712af13795

SHA256
41474b6801411bdbd5e2f9a52c21706f2d60f1139fb6ef33ff44a952176b00f4

SHA512
92b0bc7f50ab676b60e0e9f5f01e4cddbd32f6d113f091179605307f69868b1abf03008a8c4e7b518cd47f3ae8c8576e179070506f8a2253bf4588885c2390f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
38597c963233cf431ab3f2e9ec4df3b9

SHA1
e1ad72e07a68287476526e464cb8ee9cbd19ed7f

SHA256
8e9ddbd8b822ce69272b50d223dd644620f164e3acac3fa481a9b0e3713fc18a

SHA512
3a57fcb1cf38bcff79106915a4d9134a3e0ffc8095c63a618c0c55a583b9d954d48ef3812142f2e1851ab725d088c33e80c0b76a0f733eca88826c81e8b93fd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6f87125d6e03288850c930d2e94ecc95

SHA1
da5bba2a1d17bc6026f3f7074b07089994ff02fd

SHA256
cf2370c266b42f3c2533ea806378ef411c4320a40f04754248cde41d25fefac9

SHA512
bc2e1e9681d3b3202fade7a06898144bfa718d4c2da01192644cabb0f382315b00bb5e5426876cda9a5e7cf359d738306f0159a65683791845e277813fcd8e88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
210KB

MD5
e86aedb711de304a95079e0f90bc5e7c

SHA1
118e1c724b8c780a299006674196abd1ea09ddaa

SHA256
d3365ed7781a68d928b3d1491e9162669db7801e22455d6ad3670714e4c574ef

SHA512
16bfb6b594085850ce0ffc88af5b61ae9b8382e98af8e2f5b410a621c97c26d8a0d93c3613c0c5c6866812b6627de11abab107b25e2e9b1c9146484e9c3121dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
210KB

MD5
e46334ccd14e315b3166ac4f47748c35

SHA1
1c1c258eaf4e499a61a5f810c087ce9b2aa3969f

SHA256
83a62f2112267f5166fc2c4f64c1d8821f7c37acc0513b750d2eb0ee72331391

SHA512
042f6814a8131904bd891b7a16c8614e3b8278df3685b719c666f1cc4f88ffaa73a76bc1dc78d36a3041d034b7b7f86632b0558ee7403fd0f3298b4a3b03d5be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
c7ca2711d80cd052da0d98ce7e6dec6b

SHA1
b051f0425224cf70e3a10636c21bf113bd1cd301

SHA256
a0c1147d7f6adb99735dc3fa370ef6fb8e6ddd3687eb7afd677af5c71df6957f

SHA512
487b985fe8a4fb9a0cb59ffb0b485133e0b089115e36b9bc3f0cbb64babd899daf1b282a9554b45874a59a4c7d9c07db370650c28a5731bde50f52e66a0fc0af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
a90b2342793d8b3956274dd72ed41fb5

SHA1
32ebeaf20f95d3d27bf211394f2e7caad5e0656c

SHA256
aea26386bb0de10f52736c5c396e952e140a5cebe3917195e9539c583acc02ed

SHA512
55831c64fce663a933153e30419fd5071f3585ac9ee850989ce5c1b31c7bb2464569c923f33a5ac9baa54730aa8788863fe076497a522d47e4e52dc942490b82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
90ba2c02f1d6abebb0f9433ee43a6348

SHA1
582ba488b7d1358e1f695ed06b50bb5f19088700

SHA256
e2fe51d32ec6a0321700a0e8f2f893598afdc49e42b07450414576d0352fdb8e

SHA512
d315c29a5e842dc4bf375bb28471814674cca28c00f760b076c1e64f281b77b05eead84486aff41bc7172db157924c6e46ac8bad5a8f36612ad4bb5bdf8048d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
094fd86ed552d174655ff1b52b0ba9e4

SHA1
a7a3a3b48998e534ff4f3149bfbabe93015c5d14

SHA256
6f32cf723ef4fc9daad64710320b8b5c8fedf9d34a5ee22fae4d49715c6ac0f8

SHA512
b966a6c7bb6bd7ef61e4a36cc4ec87688c3b6e49567f0e989bc3e66fdc866b1d98e775c636ab176bcf8f183be8aa03693119fe7e8207940c3c8afb2eb785a82a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
3KB

MD5
3bfeaf473e64913d04d52d2eb81549a1

SHA1
b13f1c1f0350fa40fd5a8bab7b90de12cbe36119

SHA256
756102cec2cb5ec8eb852318a0b7aae0f46afca03b07942b1cf920c6b0e3ed73

SHA512
08f91ad8bd5dd37edea495ed3fb37ea7e8891a10269b4dd81792a95ce49c6212ac8cc3ff6dee1429f7fd89f79d57d3ad512258b860fab444fc98fd2ac2c371a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
1KB

MD5
031ad3bb1a7a532e6f425b8f69f13155

SHA1
dab54d870b2760c20716c01f3d705276bbbf0d7e

SHA256
da34f3ddc4a06a4fae0e07c90cf0649d8bf8efa8e2b0a74e802792fc4bc58b9b

SHA512
dd16e70969bb66756a4ea44e93714026500e53cd018676ba46e2083f5deae7eb2abba4cb504f3537d096ff919304abf0d1f6ba9a510a1b6f169795c74ce5b975

Download Submit
memory/4308-57-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-78-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4308-88-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-92-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-91-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-90-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-86-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4308-93-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-94-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-95-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-98-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-97-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-96-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-99-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-100-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-101-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4308-102-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-104-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4308-105-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4308-103-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-106-0x0000000009650000-0x0000000009660000-memory.dmp

Filesize
64KB

Download
memory/4308-107-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-109-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4308-108-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-87-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4308-85-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4308-84-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4308-83-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-82-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-79-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4308-80-0x0000000009650000-0x0000000009660000-memory.dmp

Filesize
64KB

Download
memory/4308-89-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4308-77-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-75-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-74-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4308-73-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-72-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-68-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-69-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-67-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-66-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-64-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-63-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-58-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-59-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-55-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-56-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4308-54-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4308-53-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4308-52-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4308-51-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4308-50-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-49-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/4308-47-0x0000000009650000-0x0000000009660000-memory.dmp

Filesize
64KB

Download
memory/4308-42-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4308-40-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/4308-41-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/4308-39-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4308-38-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4308-37-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/4308-34-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/4308-35-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/4308-36-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/4308-33-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download