Analysis
max time kernel: 124s
max time network: 127s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 16-11-2024 14:36
Static task: static1
Behavioral task: behavioral1
Sample: Unlock_Tool_v2.6.4.rar
Resource: win11-20241007-en
General
Target: Unlock_Tool_v2.6.4.rar
Size: 49.9MB
MD5: b1a7540cd12701261738fd879efb2779
SHA1: 1b3ad97b572045c61003de254d7833cab2391ee8
SHA256: 69289808086eba703c638e42fa8f2adbe274b98ec0e3d005b62560e42a9200f0
SHA512: 2a5ffac6840e56a2388f16cbbb737789482108fd77658467d55bcbcd49bcc3a13e942b073951cb3470f2cb42495e41b84404bedb2d4d8da33c9313e2fd944e44
SSDEEP: 1572864:5HRk6MsvlqSOFhI63C6w1TMZmm+sIoE435lp4kJr2:BVnlxkr3URo+gN5Aks
Malware Config
Extracted
Family: vidar
Version: 11.8
Botnet: 68fa61169d8a1f0521b8a06aa1f33efb
C2: https://t.me/fu4chmo
C2: https://steamcommunity.com/profiles/76561199802540894
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Signatures
Detect Vidar Stealer (47 IoCs)
Vidar family

Downloads MZ/PE file

Uses browser remote debugging (2 TTPs, 20 IoCs)
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid | Process
4668 | msedge.exe
4972 | chrome.exe
3892 | msedge.exe
4852 | msedge.exe
3732 | msedge.exe
5268 | msedge.exe
3060 | chrome.exe
4824 | msedge.exe
5228 | chrome.exe
5532 | chrome.exe
1536 | msedge.exe
2380 | chrome.exe
5108 | chrome.exe
1240 | chrome.exe
2248 | chrome.exe
5324 | msedge.exe
4540 | msedge.exe
408 | chrome.exe
3260 | msedge.exe
4456 | chrome.exe

Executes dropped EXE (5 IoCs)
pid | Process
2084 | Unlock_Tool_v2.6.4.exe
5036 | Unlock_Tool_v2.6.4.exe
2992 | Unlock_Tool_v2.6.4.exe
5172 | Unlock_Tool_v2.6.4.exe
4752 | Unlock_Tool_v2.6.4.exe

Loads dropped DLL (4 IoCs)
pid | Process
5036 | Unlock_Tool_v2.6.4.exe
5036 | Unlock_Tool_v2.6.4.exe
4752 | Unlock_Tool_v2.6.4.exe
4752 | Unlock_Tool_v2.6.4.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTP)
Steals credentials from unsecured files.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2084 set thread context of 5036 | 2084 | Unlock_Tool_v2.6.4.exe | 86
PID 2992 set thread context of 4752 | 2992 | Unlock_Tool_v2.6.4.exe | 142

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SystemTemp | chrome.exe
File opened for modification | C:\Windows\SystemTemp | chrome.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
2040 | 2084 | WerFault.exe | 82
3188 | 2992 | WerFault.exe | 140

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Unlock_Tool_v2.6.4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Unlock_Tool_v2.6.4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Unlock_Tool_v2.6.4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Unlock_Tool_v2.6.4.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Unlock_Tool_v2.6.4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Unlock_Tool_v2.6.4.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Unlock_Tool_v2.6.4.exe

Delays execution with timeout.exe (2 IoCs)
pid | Process
464 | timeout.exe
3984 | timeout.exe

Enumerates system info in registry (2 TTPs, 12 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe

Modifies data under HKEY_USERS (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133762415613103661" | chrome.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Suspicious behavior: EnumeratesProcesses (38 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2396 | 7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (16 IoCs)
pid | Process
5228 | chrome.exe
5228 | chrome.exe
5228 | chrome.exe
5228 | chrome.exe
3260 | msedge.exe
3260 | msedge.exe
3260 | msedge.exe
3260 | msedge.exe
4456 | chrome.exe
4456 | chrome.exe
4456 | chrome.exe
4456 | chrome.exe
5324 | msedge.exe
5324 | msedge.exe
5324 | msedge.exe
5324 | msedge.exe
Suspicious use of AdjustPrivilegeToken (32 IoCs)
Suspicious use of FindShellTrayWindow (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
C:\Program Files\7-Zip\7zFM.exe  [PID 2396, depth 1]
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Unlock_Tool_v2.6.4.rar"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\System32\rundll32.exe  [PID 2692, depth 1]
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\Malware\Unlock_Tool_v2.6.4.exe  [PID 2084, depth 1]
  Command line: "C:\Users\Admin\Downloads\Malware\Unlock_Tool_v2.6.4.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\Downloads\Malware\Unlock_Tool_v2.6.4.exe  [PID 5036, depth 2]
    Command line: "C:\Users\Admin\Downloads\Malware\Unlock_Tool_v2.6.4.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 5228, depth 3]
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      - Uses browser remote debugging
      - Drops file in Windows directory
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

      C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 2208, depth 4]
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff912c6cc40,0x7ff912c6cc4c,0x7ff912c6cc58

      C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 5072, depth 4]
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1768,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1764 /prefetch:2

      C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 4576, depth 4]
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1880,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2084 /prefetch:3

      C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 340, depth 4]
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2260 /prefetch:8

      C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 4972, depth 4]
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1
        - Uses browser remote debugging

      C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 2380, depth 4]
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3356,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3472 /prefetch:1
        - Uses browser remote debugging

      C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 408, depth 4]
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4608,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3688 /prefetch:1
        - Uses browser remote debugging

      C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 4304, depth 4]
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4708,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4912 /prefetch:8

      C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 980, depth 4]
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4976,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4964 /prefetch:8

      C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 2304, depth 4]
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4396,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5128 /prefetch:8

      C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 2028, depth 4]
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5204,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4912 /prefetch:8

      C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 4264, depth 4]
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5208,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:8

      C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 3188, depth 4]
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5212,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4632 /prefetch:8

      C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 5532, depth 4]
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3964,i,6469766639574141341,12991331982896075467,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5352 /prefetch:2
        - Uses browser remote debugging
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3260, depth 3]
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      - Uses browser remote debugging
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1268, depth 4]
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff912c73cb8,0x7ff912c73cc8,0x7ff912c73cd8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1940, depth 4]
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2020 /prefetch:2

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1916, depth 4]
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1664, depth 4]
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3892, depth 4]
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
        - Uses browser remote debugging

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4852, depth 4]
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
        - Uses browser remote debugging

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 5840, depth 4]
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4544 /prefetch:2

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 5880, depth 4]
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4524 /prefetch:2

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 5388, depth 4]
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2312 /prefetch:2

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 5724, depth 4]
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2332 /prefetch:2

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4684, depth 4]
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4772 /prefetch:2

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 5268, depth 4]
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2360 /prefetch:1
        - Uses browser remote debugging

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3732, depth 4]
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2008,10899564591172304054,8080168209310804835,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
        - Uses browser remote debugging
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CAAAAFBKFIEC" & exit3⤵
- System Location Discovery: System Language Discovery
PID:5248 -
C:\Windows\SysWOW64\timeout.exetimeout /t 104⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:464
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 2602⤵
- Program crash
PID:2040
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2084 -ip 20841⤵PID:5348
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:964
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:4116
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" .1⤵PID:5364
-
C:\Users\Admin\Downloads\Malware\Unlock_Tool_v2.6.4.exeUnlock_Tool_v2.6.4.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2992 -
C:\Users\Admin\Downloads\Malware\Unlock_Tool_v2.6.4.exe"C:\Users\Admin\Downloads\Malware\Unlock_Tool_v2.6.4.exe"3⤵
- Executes dropped EXE
PID:5172
-
-
C:\Users\Admin\Downloads\Malware\Unlock_Tool_v2.6.4.exe"C:\Users\Admin\Downloads\Malware\Unlock_Tool_v2.6.4.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4752 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4456 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff912c6cc40,0x7ff912c6cc4c,0x7ff912c6cc585⤵PID:5568
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1980,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1976 /prefetch:25⤵PID:2512
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1792,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2012 /prefetch:35⤵PID:3764
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2236 /prefetch:85⤵PID:224
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:15⤵
- Uses browser remote debugging
PID:5108
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3352 /prefetch:15⤵
- Uses browser remote debugging
PID:3060
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4460,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4228 /prefetch:15⤵
- Uses browser remote debugging
PID:1240
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4844 /prefetch:85⤵PID:1604
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4836,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4888 /prefetch:85⤵PID:4548
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4892 /prefetch:85⤵PID:5204
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4848,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4908 /prefetch:85⤵PID:2724
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4868,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:85⤵PID:6104
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5000,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5284 /prefetch:85⤵PID:5188
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4964,i,9560505796307574814,6409608967501572462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5240 /prefetch:25⤵
- Uses browser remote debugging
PID:2248
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:5324 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff912c73cb8,0x7ff912c73cc8,0x7ff912c73cd85⤵PID:2256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:25⤵PID:4684
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:5160
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:85⤵PID:1820
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:15⤵
- Uses browser remote debugging
PID:4824
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:15⤵
- Uses browser remote debugging
PID:4540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:25⤵PID:5620
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2548 /prefetch:25⤵PID:1916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4348 /prefetch:25⤵PID:2336
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4896 /prefetch:25⤵PID:3608
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4236 /prefetch:25⤵PID:4952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:15⤵
- Uses browser remote debugging
PID:4668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:15⤵
- Uses browser remote debugging
PID:1536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,8116181743737038463,4276629340770493653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3828 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:1720
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CGIEGHJEGHJK" & exit4⤵
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3984
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 2603⤵
- Program crash
PID:3188
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2992 -ip 29921⤵PID:5488
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:5208
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (4)
  - Credentials In Files (4)
Downloads
SHA512d6626b6db1c71373ef1eb00b84746c02030ebf4dff0bf41b52acc7302cf7e91c40bc7b0b6e741ad8be46bc811cbc340ef0ef6a8bfc03e3e6de4f4e5d3a67469a
-
Filesize
5KB
MD56804830f82108911ad65542dc7eb14ca
SHA1d37b38b9e4e78ebbae6c7cf6edae2a722e36f493
SHA256a4054c0ed16eb75665827b039e311fe9ed8095d6eac86d70fa8b1bf6b7b0a0f3
SHA5122b6e5ba1b568e16381ca8fa676c10076bba1303628d5e1ce88a84c21e0dae5110db6f3bac53d543481b377b1ea6111ac2858f58839cabf8e45494ae38c1df426
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
128KB
MD564d183ad524dfcd10a7c816fbca3333d
SHA15a180d5c1f42a0deaf475b7390755b3c0ecc951c
SHA2565a666340f42f0f985772024d90a83d15c9a241a68d58205cd4afbb1a31f1621a
SHA5123cab59dff09981f49d1070fba06a781439bb1ea2dae0cfcb937d9875bbe9e866be2c951cfc6a3ca4a92aea79dd3e9c4792a765f5a06f230a57dabcab2f0b3c1e
-
Filesize
1KB
MD564eaeb92cb15bf128429c2354ef22977
SHA145ec549acaa1fda7c664d3906835ced6295ee752
SHA2564f70eca8e28541855a11ec7a4e6b3bc6dd16c672ff9b596ecfb7715bb3b5898c
SHA512f63ee02159812146eee84c4eb2034edfc2858a287119cc34a8b38c309c1b98953e14ca1ca6304d6b32b715754b15ba1b3aa4b46976631b5944d50581b2f49def
-
Filesize
1KB
MD52d15a6576d5d85222f9f367c286205d5
SHA1a51fccba42570f45a57b3e3951da75eb553eeb81
SHA25631e923ef15ac783399d5a4ca5c67e96342cf7f18437843e2a3f55b551c6dbce6
SHA51292217626f79111b1329a3c91ac4923354aa8fc31fd7ba7428a256e9acb35825d6ea28fde02b4ae44914adf359b3dd11d16f274040dd8e675f2aba66139b52661
-
Filesize
132KB
MD5da75bb05d10acc967eecaac040d3d733
SHA195c08e067df713af8992db113f7e9aec84f17181
SHA25633ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA51256533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef
-
Filesize
711B
MD5558659936250e03cc14b60ebf648aa09
SHA132f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA2562445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA5121632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
Filesize
1.3MB
MD547bf252ac2514a86141ac92d6cf9239c
SHA1130311c3e7039451618ceaf8b720fed87a3f7918
SHA256768dfbc70585ca9fa75305461481b5169bef079792dbb25ad84df90fa19e19d7
SHA512a5bd8e9473324e26cd96c1f8090d9550a7c5951e40d96435d2e1a2ef5e2833a7daed603f425d2aee08d40a9d6a190fa99169a37a538310e04fd3e5d55cc6e4e6
-
Filesize
900KB
MD5db887602126900f414e141c698776204
SHA14cf6ac2535552718bfd28162c15ec0ab0545c58b
SHA2567bf15ec0a512b66a888f0d08960c2815e971ea608f93e99cb76d697680bf5c2e
SHA5120e162b6623cbd87f73859fbf03217e4afad603304b823a44da9905559251984a05e4651232957f7308a7a4b723b9f29279ab010ae76eb93cd819306b1ce19927