vidar | b687de1924f7805b57a1b528ed804d6d2f5e2e3f8058ab904fe0983a9d6a2a36

Resubmissions

16-11-2024 14:42

241116-r3d8daybme 8

16-11-2024 14:36

241116-rywxmaskdm 10

Analysis

max time kernel
124s
max time network
127s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
16-11-2024 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Unlock_Tool_v2.6.4.rar
Size

49.9MB
MD5

b1a7540cd12701261738fd879efb2779
SHA1

1b3ad97b572045c61003de254d7833cab2391ee8
SHA256

69289808086eba703c638e42fa8f2adbe274b98ec0e3d005b62560e42a9200f0
SHA512

2a5ffac6840e56a2388f16cbbb737789482108fd77658467d55bcbcd49bcc3a13e942b073951cb3470f2cb42495e41b84404bedb2d4d8da33c9313e2fd944e44
SSDEEP

1572864:5HRk6MsvlqSOFhI63C6w1TMZmm+sIoE435lp4kJr2:BVnlxkr3URo+gN5Aks

Score

10^/10

vidar 68fa61169d8a1f0521b8a06aa1f33efb credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

11.8

Botnet

68fa61169d8a1f0521b8a06aa1f33efb

https://t.me/fu4chmo

https://steamcommunity.com/profiles/76561199802540894

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Signatures

Detect Vidar Stealer 47 IoCs

stealer

resource	yara_rule
behavioral1/memory/5036-1243-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1248-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1246-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1268-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1269-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1276-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1277-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1697-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1698-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1705-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1709-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1710-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1712-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1713-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1714-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1768-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1769-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1776-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1780-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1781-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1783-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1801-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1802-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1809-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5036-1810-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/4752-1828-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/4752-1829-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/4752-1836-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/4752-1837-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/4752-2266-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/4752-2267-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/4752-2274-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/4752-2275-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/4752-2279-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/4752-2280-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/4752-2282-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/4752-2283-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/4752-2336-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/4752-2339-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/4752-2346-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/4752-2347-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/4752-2351-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/4752-2352-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/4752-2367-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/4752-2368-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/4752-2375-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/4752-2376-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 20 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
4668	msedge.exe
4972	chrome.exe
3892	msedge.exe
4852	msedge.exe
3732	msedge.exe
5268	msedge.exe
3060	chrome.exe
4824	msedge.exe
5228	chrome.exe
5532	chrome.exe
1536	msedge.exe
2380	chrome.exe
5108	chrome.exe
1240	chrome.exe
2248	chrome.exe
5324	msedge.exe
4540	msedge.exe
408	chrome.exe
3260	msedge.exe
4456	chrome.exe

Executes dropped EXE 5 IoCs

pid	Process
2084	Unlock_Tool_v2.6.4.exe
5036	Unlock_Tool_v2.6.4.exe
2992	Unlock_Tool_v2.6.4.exe
5172	Unlock_Tool_v2.6.4.exe
4752	Unlock_Tool_v2.6.4.exe

Loads dropped DLL 4 IoCs

pid	Process
5036	Unlock_Tool_v2.6.4.exe
5036	Unlock_Tool_v2.6.4.exe
4752	Unlock_Tool_v2.6.4.exe
4752	Unlock_Tool_v2.6.4.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2084 set thread context of 5036	2084	Unlock_Tool_v2.6.4.exe	86
PID 2992 set thread context of 4752	2992	Unlock_Tool_v2.6.4.exe	142

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2040	2084	WerFault.exe	82
3188	2992	WerFault.exe	140

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlock_Tool_v2.6.4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlock_Tool_v2.6.4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlock_Tool_v2.6.4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Unlock_Tool_v2.6.4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Unlock_Tool_v2.6.4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Unlock_Tool_v2.6.4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Unlock_Tool_v2.6.4.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
464	timeout.exe
3984	timeout.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133762415613103661"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
5036	Unlock_Tool_v2.6.4.exe
5036	Unlock_Tool_v2.6.4.exe
5036	Unlock_Tool_v2.6.4.exe
5036	Unlock_Tool_v2.6.4.exe
5228	chrome.exe
5228	chrome.exe
5036	Unlock_Tool_v2.6.4.exe
5036	Unlock_Tool_v2.6.4.exe
5036	Unlock_Tool_v2.6.4.exe
5036	Unlock_Tool_v2.6.4.exe
1916	msedge.exe
1916	msedge.exe
3260	msedge.exe
3260	msedge.exe
5036	Unlock_Tool_v2.6.4.exe
5036	Unlock_Tool_v2.6.4.exe
5036	Unlock_Tool_v2.6.4.exe
5036	Unlock_Tool_v2.6.4.exe
4752	Unlock_Tool_v2.6.4.exe
4752	Unlock_Tool_v2.6.4.exe
4752	Unlock_Tool_v2.6.4.exe
4752	Unlock_Tool_v2.6.4.exe
4456	chrome.exe
4456	chrome.exe
4752	Unlock_Tool_v2.6.4.exe
4752	Unlock_Tool_v2.6.4.exe
4752	Unlock_Tool_v2.6.4.exe
4752	Unlock_Tool_v2.6.4.exe
5160	msedge.exe
5160	msedge.exe
5324	msedge.exe
5324	msedge.exe
1720	msedge.exe
1720	msedge.exe
4752	Unlock_Tool_v2.6.4.exe
4752	Unlock_Tool_v2.6.4.exe
4752	Unlock_Tool_v2.6.4.exe
4752	Unlock_Tool_v2.6.4.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2396	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeRestorePrivilege	2396	7zFM.exe
Token: 35	2396	7zFM.exe
Token: SeSecurityPrivilege	2396	7zFM.exe
Token: SeSecurityPrivilege	2396	7zFM.exe
Token: SeShutdownPrivilege	5228	chrome.exe
Token: SeCreatePagefilePrivilege	5228	chrome.exe
Token: SeShutdownPrivilege	5228	chrome.exe
Token: SeCreatePagefilePrivilege	5228	chrome.exe
Token: SeShutdownPrivilege	5228	chrome.exe
Token: SeCreatePagefilePrivilege	5228	chrome.exe
Token: SeShutdownPrivilege	5228	chrome.exe
Token: SeCreatePagefilePrivilege	5228	chrome.exe
Token: SeShutdownPrivilege	5228	chrome.exe
Token: SeCreatePagefilePrivilege	5228	chrome.exe
Token: SeShutdownPrivilege	5228	chrome.exe
Token: SeCreatePagefilePrivilege	5228	chrome.exe
Token: SeShutdownPrivilege	5228	chrome.exe
Token: SeCreatePagefilePrivilege	5228	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2396	7zFM.exe
2396	7zFM.exe
2396	7zFM.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 5036	2084	Unlock_Tool_v2.6.4.exe	86
PID 2084 wrote to memory of 5036	2084	Unlock_Tool_v2.6.4.exe	86
PID 2084 wrote to memory of 5036	2084	Unlock_Tool_v2.6.4.exe	86
PID 2084 wrote to memory of 5036	2084	Unlock_Tool_v2.6.4.exe	86
PID 2084 wrote to memory of 5036	2084	Unlock_Tool_v2.6.4.exe	86
PID 2084 wrote to memory of 5036	2084	Unlock_Tool_v2.6.4.exe	86
PID 2084 wrote to memory of 5036	2084	Unlock_Tool_v2.6.4.exe	86
PID 2084 wrote to memory of 5036	2084	Unlock_Tool_v2.6.4.exe	86
PID 2084 wrote to memory of 5036	2084	Unlock_Tool_v2.6.4.exe	86
PID 2084 wrote to memory of 5036	2084	Unlock_Tool_v2.6.4.exe	86
PID 5036 wrote to memory of 5228	5036	Unlock_Tool_v2.6.4.exe	91
PID 5036 wrote to memory of 5228	5036	Unlock_Tool_v2.6.4.exe	91
PID 5228 wrote to memory of 2208	5228	chrome.exe	92
PID 5228 wrote to memory of 2208	5228	chrome.exe	92
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 5072	5228	chrome.exe	93
PID 5228 wrote to memory of 4576	5228	chrome.exe	94
PID 5228 wrote to memory of 4576	5228	chrome.exe	94
PID 5228 wrote to memory of 340	5228	chrome.exe	95
PID 5228 wrote to memory of 340	5228	chrome.exe	95
PID 5228 wrote to memory of 340	5228	chrome.exe	95
PID 5228 wrote to memory of 340	5228	chrome.exe	95
PID 5228 wrote to memory of 340	5228	chrome.exe	95
PID 5228 wrote to memory of 340	5228	chrome.exe	95
PID 5228 wrote to memory of 340	5228	chrome.exe	95
PID 5228 wrote to memory of 340	5228	chrome.exe	95
PID 5228 wrote to memory of 340	5228	chrome.exe	95
PID 5228 wrote to memory of 340	5228	chrome.exe	95
PID 5228 wrote to memory of 340	5228	chrome.exe	95
PID 5228 wrote to memory of 340	5228	chrome.exe	95
PID 5228 wrote to memory of 340	5228	chrome.exe	95
PID 5228 wrote to memory of 340	5228	chrome.exe	95
PID 5228 wrote to memory of 340	5228	chrome.exe	95
PID 5228 wrote to memory of 340	5228	chrome.exe	95
PID 5228 wrote to memory of 340	5228	chrome.exe	95
PID 5228 wrote to memory of 340	5228	chrome.exe	95

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Unlock_Tool_v2.6.4.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2396

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2692

C:\Users\Admin\Downloads\Malware\Unlock_Tool_v2.6.4.exe
"C:\Users\Admin\Downloads\Malware\Unlock_Tool_v2.6.4.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\Downloads\Malware\Unlock_Tool_v2.6.4.exe
  "C:\Users\Admin\Downloads\Malware\Unlock_Tool_v2.6.4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5228
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff912c6cc40,0x7ff912c6cc4c,0x7ff912c6cc58
      4⤵
      PID:2208
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1768,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1764 /prefetch:2
      4⤵
      PID:5072
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1880,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2084 /prefetch:3
      4⤵
      PID:4576
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2260 /prefetch:8
      4⤵
      PID:340
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4972
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3356,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3472 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2380
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4608,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3688 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:408
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4708,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4912 /prefetch:8
      4⤵
      PID:4304
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4976,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4964 /prefetch:8
      4⤵
      PID:980
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4396,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5128 /prefetch:8
      4⤵
      PID:2304
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5204,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4912 /prefetch:8
      4⤵
      PID:2028
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5208,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:8
      4⤵
      PID:4264
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5212,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4632 /prefetch:8
      4⤵
      PID:3188
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3964,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5352 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:5532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:3260
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff912c73cb8,0x7ff912c73cc8,0x7ff912c73cd8
      4⤵
      PID:1268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2020 /prefetch:2
      4⤵
      PID:1940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
      4⤵
      PID:1664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4544 /prefetch:2
      4⤵
      PID:5840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4524 /prefetch:2
      4⤵
      PID:5880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2312 /prefetch:2
      4⤵
      PID:5388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2332 /prefetch:2
      4⤵
      PID:5724
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4772 /prefetch:2
      4⤵
      PID:4684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2360 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3732
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CAAAAFBKFIEC" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5248
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 260
  2⤵
  - Program crash
  PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2084 -ip 2084
1⤵
PID:5348

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" .
1⤵
PID:5364
- C:\Users\Admin\Downloads\Malware\Unlock_Tool_v2.6.4.exe
  Unlock_Tool_v2.6.4.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2992
- - C:\Users\Admin\Downloads\Malware\Unlock_Tool_v2.6.4.exe
    "C:\Users\Admin\Downloads\Malware\Unlock_Tool_v2.6.4.exe"
    3⤵
    - Executes dropped EXE
    PID:5172
- - C:\Users\Admin\Downloads\Malware\Unlock_Tool_v2.6.4.exe
    "C:\Users\Admin\Downloads\Malware\Unlock_Tool_v2.6.4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4752
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Drops file in Windows directory
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:4456
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff912c6cc40,0x7ff912c6cc4c,0x7ff912c6cc58
        5⤵
        
        PID:5568
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1980,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1976 /prefetch:2
        5⤵
        
        PID:2512
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1792,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2012 /prefetch:3
        5⤵
        
        PID:3764
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2236 /prefetch:8
        5⤵
        
        PID:224
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5108
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3352 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3060
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4460,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4228 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1240
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4844 /prefetch:8
        5⤵
        
        PID:1604
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4836,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4888 /prefetch:8
        5⤵
        
        PID:4548
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4892 /prefetch:8
        5⤵
        
        PID:5204
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4848,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4908 /prefetch:8
        5⤵
        
        PID:2724
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4868,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:8
        5⤵
        
        PID:6104
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5000,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5284 /prefetch:8
        5⤵
        
        PID:5188
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4964,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5240 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:2248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:5324
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff912c73cb8,0x7ff912c73cc8,0x7ff912c73cd8
        5⤵
        
        PID:2256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
        5⤵
        
        PID:4684
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
        5⤵
        
        PID:1820
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4824
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
        5⤵
        
        PID:5620
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2548 /prefetch:2
        5⤵
        
        PID:1916
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4348 /prefetch:2
        5⤵
        
        PID:2336
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4896 /prefetch:2
        5⤵
        
        PID:3608
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4236 /prefetch:2
        5⤵
        
        PID:4952
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4668
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3828 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1720
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CGIEGHJEGHJK" & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:2984
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 260
    3⤵
    - Program crash
    PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2992 -ip 2992
1⤵
PID:5488

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CGIEGHJEGHJK\BFBGDG

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\ProgramData\CGIEGHJEGHJK\CFCBAA

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\CGIEGHJEGHJK\EHIJDH

Filesize
10KB

MD5
362a839a393a4a1f1dd11c35f24fdad7

SHA1
11e56d88db964f267dc60814731eb798fc9d40b1

SHA256
aa20cc7683030187816d8a8caa9e0dcbc9e97665d62f045715878f67ae5b4e1b

SHA512
78e9fbcce2e2d3fc963abe7f29f3c809cb0312c893e6153c0abe1520df4cf6153adce75fd9981438105554ac8bffd2f2b1419e9f9352c2d37f2621a4d9dfef99

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
2KB

MD5
a6834445bba3de300697a0e8f3ad1aeb

SHA1
a4f1979a5ba8ec2d6c247dadfa7a2cc1e517ea5c

SHA256
6c80ef96021027c62204821749f01c08fe5c1c90f221cc6329ce98718eec9afc

SHA512
e79ade1277bb0314626ca580670fc527d9c138605a4534a811661c38e89599d96bd04029708d3e9506012205a5f5a0a26cfc77e57448dc8201efb77e10f2d91d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4E3D1101CFA1A79AF305FD7C55E37649_A8EAC700FEE71EDD327E06BEAA0C7F96

Filesize
2KB

MD5
979d1da21c17e37390e7daae8392b356

SHA1
f52e9560311ea5e49a899cb8c47852d8b05644a0

SHA256
d4238a531681f4ba73018edb99b3c329b4697c998fc17b804c4d7019670a19c0

SHA512
3fff3f097fa77cc34e1235d93604e1c6b278fd28597502cd528dcb8f01e1861d6d0628146e33b46b91a8dfb9c20ed357201b4802dcd9e497fd48e109d2c70510

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\597117144EB9D396F219AFCC039FCFC7

Filesize
344B

MD5
646de8d02d736ef4f72f93b5063fb6d9

SHA1
2a4e6fa255a59518c98c2c7f19d06b9255deca2f

SHA256
be92a050c80c5022979112ce6e16de403d005207ced2c00b0eef6779f6672c86

SHA512
921dd0eb8a44585616c165883190d67d45611da97d652acd486c8ea5d392d8ae3b9db0573da6793c6198dd49270779dadaac8995b36a677d834703c6898d9a04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
9e3700fb6db05cd67b91efea9efcd30f

SHA1
e961e3ae161846501f6266f28d4003b7c940e642

SHA256
189da4022263334ae06ee558f490889fe0c31f393be7c24aed065a44595f1645

SHA512
7ce6b8273e4f0c09ceaf72c576e22e11bd43ba917ebe22a05caed2654f34a34ff39182ce60ddf91644cf928f60197dd24c3bff2de07820461d12c240ce874307

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
ad1b3ebb532a26c85d92b636148a4737

SHA1
02769b485528f66047fe6fae4fd949f768da5140

SHA256
fe9ca93032ccc2aef9f120a4cf73f36b5faa62d5fcbbbf8104d9d13ba0a16074

SHA512
473fbe17399c43cbb37ecad2f7d24fb6a3efea9c3c967083777ae208125dcc48acdb147915b7d902e6da0656dac1b5c50631881af578c5fa425b58c7f343eafb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
61733dea8bf556ad6c02c3df3e5efa2a

SHA1
b3fb84814fe57901053c0aadbec2cf60a5f0340b

SHA256
146c23c17904831ee6ce5dbdbfbdc674674abd479c77f9ecd67626b9e286b2bd

SHA512
f7973834391db9fee14330c4d8b118d0fb11e0cfd34361ef97b003fcbf547d9b10f9be5b1f69a5d51f536995aa6c435488b6a1c2b21619002307c6f3a5ebd26c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4E3D1101CFA1A79AF305FD7C55E37649_A8EAC700FEE71EDD327E06BEAA0C7F96

Filesize
474B

MD5
9afa2460dfd6f56b9a4c11224a196c4a

SHA1
77a4f222473ac5cc12e0c2c3ed622fb66f92d648

SHA256
9b4dcf32b6ac6594d0a213b1ee0933b21902aa9b44639bce9f79b866d01f834e

SHA512
3a6a1476ed2b510aa75e890d7b1f7475dec596cb00144f5c755d50a9b85a98fd0d8f5f1d8208c31759f48a4bf07d927586df37a6d1b491895beb301cf799fddf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\597117144EB9D396F219AFCC039FCFC7

Filesize
540B

MD5
c211577ab881ab5dab04821d4f4c1ab8

SHA1
52ed5c88b94f97e1d2cd5e10851f21c499ea48c4

SHA256
fc1676dc2226485e3b3f02efea987e4b63959f90e8ff38f792bc348d47c2d46b

SHA512
4306483d144012d1b6bc6fef11d611f586e898ef522693b3c8a024e13f51e8ed054ae538e669ada391f111f5a2db23500a8d74d04d1a7e8f402a52ced12d2f77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
aebd44834cb73d9a2dd984ff73f7c103

SHA1
68d6fb0917ee74e2cf1ba0b1537eaf580b580bec

SHA256
82edd67569c9055c8280c729b153393008e74503357ee31502e5b287d8abd4dc

SHA512
3778bef90d2b94c81e0692bad70074d109ef93f7ce8e3308bedaf98c9e191d0f03870a1ed33881810f51abe176153a0699f80b2c72f0c092249ae44b75ca06fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
79e90b79849ab24f7077995c4e45f1d5

SHA1
3dae744f25bcaa1b690d61b789a8b1e58a790953

SHA256
3d2a7a2b6c89618f30d26fd5dac9ff7d52d6cf1d3651fd7aaa1d1229464b1507

SHA512
6169379e245102bc4b1ff74bc2c7cf356f24fdef55e5f3f8a7323da36f6ca92f1ec38bf230cacecc89c33e12e1b201de417a570a998f31cb281bed3ae8f8deb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e47855f5b4ff0a5fe1946e97d9a550b5

SHA1
9b78c77f5bab924a0d045a6e13435da447a47039

SHA256
27c4c9cc91c2ba8fe0869b5531dd61420b06d334413194fe2a83dcac7379f8a8

SHA512
7e8609be5bae25ee08f5b6b326d18e074236d71a034ea8bc99f89c7f4ad8dfc4c50125175981bc4875ede6e0aa95c7238e31c11783df90cb61fab06f4dc7e8e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
5f530579da34efa6c10b77099708bc20

SHA1
25ee2bb82a8dc412e4658102d771d96b8a593b98

SHA256
a2645150690fa3041a6599b4ffcb80ff54bd09e13447d8a1e7d1d8b24ae7e684

SHA512
89602b0c2f22d747696b197dc0fd8248ca5e862444bac011353d186f2a19d0bd7319c79493eaef0da817f8c4668f37b675fefaf35876c3003ff271d6cf24a943

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
2b0ddd0f13835ad87b64055534541cf2

SHA1
ce96d6c06978ed461402b921e053230353e5f170

SHA256
233304b664b5b9350d329dfe6860bd183ea5a462f26e9c5260f9343f8b6808bf

SHA512
38373d1d9cf0d4eb02cf9f8c3570eec56accaa9168aa974d6de4b900b415428e4c4ca958d645f05522b26c031987f1a62a89d748aee909b4711c8735d07f2493

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
e696046caba90501001558c1b4b97580

SHA1
8614ef4a73d375b4c122b868f7cffa693573483e

SHA256
edc43f3c2651bc194f15862b96f69345274df4fbe051ece29c8405eccc6f4c83

SHA512
44baae4d0c241d8432fb63fc1510483b03c7f91fbb22350552d26e45a1ddf99e9f1d7930a3a18763bdde7cba20f89579ba0602bb0ed1736ef6970b19e8496c2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_1\_locales\en_US\messages.json

Filesize
1KB

MD5
578215fbb8c12cb7e6cd73fbd16ec994

SHA1
9471d71fa6d82ce1863b74e24237ad4fd9477187

SHA256
102b586b197ea7d6edfeb874b97f95b05d229ea6a92780ea8544c4ff1e6bc5b1

SHA512
e698b1a6a6ed6963182f7d25ac12c6de06c45d14499ddc91e81bdb35474e7ec9071cfebd869b7d129cb2cd127bc1442c75e408e21eb8e5e6906a607a3982b212

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_1\manifest.json

Filesize
2KB

MD5
35068e2550395a8a3e74558f2f4658da

SHA1
bd6620054059bfb7a27a4fff86b9966727f2c2b9

SHA256
e2f418c816895e830541f48c0406b9398805e88b61a4ec816244154cd793743c

SHA512
4bcb971d7353648abf25aca7a4a4771f62bbb76f8fc13bde886f29826d9314f5101942492004fc719493604d317958b63a95cf5173f8180214f27d6bea303f97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_1\service_worker_bin_prod.js

Filesize
102KB

MD5
4e0c47897bf98deac56f800942e150c4

SHA1
7903d30e0acee273724bdaa67446d9fd4e8460a5

SHA256
fe76ea0c2f81e6140f38f4143b40be85014b93ff80737600cfb39aeb5c8c6537

SHA512
8b31463fc683439bab5d4aefe2be0f6a9f5b695c2d95aff3f842bfc74b10ae3d386d288121161506f74a08fb86d25c1096da4177b768254bf84e83983982640f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0

Filesize
44KB

MD5
a3e15f70232fe230417a86e5e701da57

SHA1
e2e49385ef93e35f62c59c6208cc5b2649331f79

SHA256
80ad87f2ff54cfcd48a9d58144f42973601f263065106e99cbf06e48e385d737

SHA512
ea98de8e2c4f681ddf34064100513c408204c0a28033eba501d41622ea340642c15f7c772e53e81bf512d86f3dc534870b5ccf678d9bfd53fd35f6644bf99ec9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
ca4a999edf0435a77349b9d98ed1f7ca

SHA1
7782dfa0f25cbbf414ea30dea36f073994842d0f

SHA256
6424eeea71edec08bdac7fbaefd49ba9717d88b09e74e1433abf6ee6867e7804

SHA512
adcab4a77e439eabbad1d9ef4a4fcd32a940e9f2841d09946b1aee61b592c8b82c4f525c3d47bde6a4adbb4438af7225264f5de2d2cdd5aa24445de594e3c33d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2

Filesize
1.0MB

MD5
52bb6b1a8d9db924fcb2ddb45668fa72

SHA1
12996023e66ef0ae44d4e8a36c5d6f1ec78a85e8

SHA256
ae324698ce5ffcd56026f3de4c29ed754e9706f1ae1029a0409b4a3998128b52

SHA512
944d29fee61a718410e5a45bb55008dd2a7b9107380def625768c849b31c325c9592795c53b7d5818e883c791d7c6e271c1691ae0805c557ab9f1d0c2f9c36f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_3

Filesize
4.0MB

MD5
cfa172a650b84b3abdbcc47097ea7b57

SHA1
5b45943b506c37225942826c102fcca6bb743847

SHA256
74581baa80a130006b3dd5628aa4845b20089bb80a5c5710c459e2708c95b038

SHA512
fd8626ec91e0b48a17bfe1bbf51ff8419717f631109ea2ca39b908dbc06d7628b4ff5d861bee7bc2070685c59a63c9c3759db1cb589299a0cf430a7d3b5dabfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
292e5d02bb3ae3b2daa957c32126da2b

SHA1
ee2e6bfd0b0b3bbdb2203effcef29d1ff6e18d88

SHA256
4983ca8d4cfc2acf12e9fbaf0e2a51f9d1a3cee7522e306897200d476ec6b208

SHA512
2fa2a928099876ff9993a013ce0207b3be5a8423d34f7115a6e29cb9c7df7a1a5d4aed90e8da4c7f1d6eaa3bbf4b05a31afa7dff9bb28c910dce2064d60b9166

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log

Filesize
3KB

MD5
ad0936bf44861dbc163bb903a584dba7

SHA1
69cc6be5a375750d327649344d4d14a34f2c4316

SHA256
b65bfda7a705261d9f4c57b24904627e859689af95b14194fa329bea15084841

SHA512
8b26b0533681b62d77d4dee3e610aed2b825f44a50f56a0df0f82a63cf9c528829cfc8ae8f74df9ad3a0d991e0bccf5c58d12a566c08593368fe37a95d5f0311

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG

Filesize
333B

MD5
7375c66954cc93ee0a7109ea92897c7f

SHA1
4901d456f36593a4ac9a005a12ca50e17adefbd7

SHA256
e1c6fe1cb2e900edd672e20219d04bb612cb9d0aa9f9fd3dcbdd69a56f3539cc

SHA512
1048f53a0779cb118ceb5d8d45bede5c8cb34d59aeb356bc11fa780c87b0e66f6761089797afd8ed38f7f4a601502bd4b2aea64524b0c348aa80c523dcff8dbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
485d1eb16de337dd46da3c5d572612d4

SHA1
ff6bc5bd208c1f028c53c321bdb306e3dccad26f

SHA256
217850692d108cbe3780e5576240afefa19251e36358c3612cb9e78aff367469

SHA512
0e29be4a528a78fe7c6981511ea7dccde90c1b828eb8abacbc8c0db1dbba91b2f5563a9c79e78afe3a0951e5efd3879b4033a3e3b9f4005e2bd6e10832d08660

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
c8935deb40770160ae054585f68b97b5

SHA1
6b8d36bb2bc654ae502601d027eac19a127ec22a

SHA256
23c25ee87b046cfc2a9fa7a96e3711561642e943456137efa33fcdb958267902

SHA512
c3828101bb40ab1f2c8205eeea050664a53e7a9c37c5af4636e1cab5ae3db6ad2520f02f1827bdce53e7bbbccc9ceb1bd0fbfd5dfbc309f105264c7e30127d6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager-journal

Filesize
12KB

MD5
e3f2e13483f6d6ede79fd2a43536f9a9

SHA1
cf04dadc4df9bdbfb7873aaa555da2da5fa8d22e

SHA256
b69ac8bc64408c2dbfa4ce3b8fa75d657cb6c8aab2aba4d4515ea75340f21435

SHA512
49d15e16ce6a2b525e2506bc06588efb46dd924a58cd97f31a931fa2ae00d30d6fdb7effe555cdb30a6c9fc4acd68fb2bc4a015419468f1be7a365d7d1feaf63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
335B

MD5
b9ffa6462569394f07930e2551459bb5

SHA1
71fae65478e1b58f9288ed9c82ddc26aaf463338

SHA256
d68c904fb35e649cb9ebbae927d3aa6b1d18c4c2df228a5bf6284f9ca915b961

SHA512
ebbe69f7df7d65bb16f2ef3663b6f4391500a034b284b0476f432107276d998f958b99eb841d3b7a5e864e467a273051669f47c7f113f06262a8f62539d2e818

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
ef48733031b712ca7027624fff3ab208

SHA1
da4f3812e6afc4b90d2185f4709dfbb6b47714fa

SHA256
c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

SHA512
ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
02a4b762e84a74f9ee8a7d8ddd34fedb

SHA1
4a870e3bd7fd56235062789d780610f95e3b8785

SHA256
366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da

SHA512
19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
826c7cac03e3ae47bfe2a7e50281605e

SHA1
100fbea3e078edec43db48c3312fbbf83f11fca0

SHA256
239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab

SHA512
a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6d72c359-c2e6-4de7-a530-198ffbb2456e.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d970cb3300961ddba493572c2aaede87

SHA1
6847b36df23ed790dfb4f0cf62a9fa0062baaaf6

SHA256
2878b52abf313091c3f342d5b00999ce22e0a8cf8fdfd0d8e3e8e24aceb1d11b

SHA512
d6626b6db1c71373ef1eb00b84746c02030ebf4dff0bf41b52acc7302cf7e91c40bc7b0b6e741ad8be46bc811cbc340ef0ef6a8bfc03e3e6de4f4e5d3a67469a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6804830f82108911ad65542dc7eb14ca

SHA1
d37b38b9e4e78ebbae6c7cf6edae2a722e36f493

SHA256
a4054c0ed16eb75665827b039e311fe9ed8095d6eac86d70fa8b1bf6b7b0a0f3

SHA512
2b6e5ba1b568e16381ca8fa676c10076bba1303628d5e1ce88a84c21e0dae5110db6f3bac53d543481b377b1ea6111ac2858f58839cabf8e45494ae38c1df426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\locales\resources\Data\level4.resS

Filesize
128KB

MD5
64d183ad524dfcd10a7c816fbca3333d

SHA1
5a180d5c1f42a0deaf475b7390755b3c0ecc951c

SHA256
5a666340f42f0f985772024d90a83d15c9a241a68d58205cd4afbb1a31f1621a

SHA512
3cab59dff09981f49d1070fba06a781439bb1ea2dae0cfcb937d9875bbe9e866be2c951cfc6a3ca4a92aea79dd3e9c4792a765f5a06f230a57dabcab2f0b3c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4456_137728688\CRX_INSTALL\_locales\en_US\messages.json

Filesize
1KB

MD5
64eaeb92cb15bf128429c2354ef22977

SHA1
45ec549acaa1fda7c664d3906835ced6295ee752

SHA256
4f70eca8e28541855a11ec7a4e6b3bc6dd16c672ff9b596ecfb7715bb3b5898c

SHA512
f63ee02159812146eee84c4eb2034edfc2858a287119cc34a8b38c309c1b98953e14ca1ca6304d6b32b715754b15ba1b3aa4b46976631b5944d50581b2f49def

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4456_137728688\CRX_INSTALL\manifest.json

Filesize
1KB

MD5
2d15a6576d5d85222f9f367c286205d5

SHA1
a51fccba42570f45a57b3e3951da75eb553eeb81

SHA256
31e923ef15ac783399d5a4ca5c67e96342cf7f18437843e2a3f55b551c6dbce6

SHA512
92217626f79111b1329a3c91ac4923354aa8fc31fd7ba7428a256e9acb35825d6ea28fde02b4ae44914adf359b3dd11d16f274040dd8e675f2aba66139b52661

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5228_561092482\9f699cdb-fba8-4618-97be-25cb5b7d74f4.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5228_561092482\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\Downloads\Malware\Unlock_Tool_v2.6.4.exe

Filesize
1.3MB

MD5
47bf252ac2514a86141ac92d6cf9239c

SHA1
130311c3e7039451618ceaf8b720fed87a3f7918

SHA256
768dfbc70585ca9fa75305461481b5169bef079792dbb25ad84df90fa19e19d7

SHA512
a5bd8e9473324e26cd96c1f8090d9550a7c5951e40d96435d2e1a2ef5e2833a7daed603f425d2aee08d40a9d6a190fa99169a37a538310e04fd3e5d55cc6e4e6

Download Submit
C:\Users\Admin\Downloads\Malware\locales\resources\Data\sharedassets0.assets.resS

Filesize
900KB

MD5
db887602126900f414e141c698776204

SHA1
4cf6ac2535552718bfd28162c15ec0ab0545c58b

SHA256
7bf15ec0a512b66a888f0d08960c2815e971ea608f93e99cb76d697680bf5c2e

SHA512
0e162b6623cbd87f73859fbf03217e4afad603304b823a44da9905559251984a05e4651232957f7308a7a4b723b9f29279ab010ae76eb93cd819306b1ce19927

Download Submit
memory/2084-1242-0x0000000000A57000-0x0000000000A58000-memory.dmp

Filesize
4KB

Download
memory/4752-2274-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4752-2266-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4752-1830-0x000000001C1F0000-0x000000001C44F000-memory.dmp

Filesize
2.4MB

Download
memory/4752-1836-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4752-1837-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4752-2376-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4752-1828-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4752-2375-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4752-2368-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4752-2367-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4752-2352-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4752-2351-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4752-2347-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4752-1829-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4752-2346-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4752-2339-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4752-2336-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4752-2283-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4752-2282-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4752-2280-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4752-2279-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4752-2275-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4752-2267-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1714-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1776-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1248-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1243-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1802-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1809-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1781-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1801-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1268-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1810-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1769-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1269-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1276-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1246-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1271-0x000000001C900000-0x000000001CB5F000-memory.dmp

Filesize
2.4MB

Download
memory/5036-1277-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1780-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1768-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1713-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1697-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1698-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1705-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1709-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1783-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1712-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5036-1710-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download