meduza | 2c41808826974a0fdd3c7b27850143cad077a79e0cf69c011da495d6abee679a

Resubmissions

24-11-2024 19:42

241124-yexs5s1rgq 10

24-11-2024 09:24

241124-lc6xtatmay 10

Analysis

max time kernel
539s
max time network
523s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

unturnedHack.exe
Size

4.1MB
MD5

c5293ff604e4231fdffaa092fd7c5ca8
SHA1

9e8aeb9ec19b8a6d534360883188872a257bb337
SHA256

4531a1efd815df17d3a6f247d0850ab5e510de2345723e41c062716e65df686e
SHA512

57a64316ac3944a4050853f491b85b373fc9e5f393c868d20243fcf1dfda4e733a61cf0348b7e0be25e7b880e49373131c500b5f91e7eb0c345957e070ad5fc9
SSDEEP

49152:Xl4UjB0jUudKphZByreh+Woao/OZa8XLh+4vBTVlz8svA:14UjKgu8A

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
761
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 49 IoCs

resource	yara_rule
behavioral10/memory/3100-5-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-10-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-4-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-15-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-17-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-12-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-11-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-18-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-25-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-24-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-23-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-20-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-19-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-9-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-6-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-34-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-35-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-39-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-38-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-40-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-41-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-46-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-42-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-47-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-49-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-48-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-45-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-53-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-86-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-91-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-99-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-100-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-92-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-84-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-80-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-78-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-77-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-72-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-71-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-83-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-70-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-61-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-59-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-55-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-52-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-64-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-58-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-103-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral10/memory/3100-104-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza

Meduza family
meduza

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unturnedHack.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	unturnedHack.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	unturnedHack.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	unturnedHack.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	unturnedHack.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	unturnedHack.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
6	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2380 set thread context of 3100	2380	unturnedHack.exe	83

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2972	cmd.exe
4896	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133769512038575816"	chrome.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4896	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3100	unturnedHack.exe
3100	unturnedHack.exe
4876	chrome.exe
4876	chrome.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2716	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3100	unturnedHack.exe
Token: SeImpersonatePrivilege	3100	unturnedHack.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeDebugPrivilege	2716	taskmgr.exe
Token: SeSystemProfilePrivilege	2716	taskmgr.exe
Token: SeCreateGlobalPrivilege	2716	taskmgr.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 3100	2380	unturnedHack.exe	83
PID 2380 wrote to memory of 3100	2380	unturnedHack.exe	83
PID 2380 wrote to memory of 3100	2380	unturnedHack.exe	83
PID 2380 wrote to memory of 3100	2380	unturnedHack.exe	83
PID 2380 wrote to memory of 3100	2380	unturnedHack.exe	83
PID 2380 wrote to memory of 3100	2380	unturnedHack.exe	83
PID 2380 wrote to memory of 3100	2380	unturnedHack.exe	83
PID 2380 wrote to memory of 3100	2380	unturnedHack.exe	83
PID 2380 wrote to memory of 3100	2380	unturnedHack.exe	83
PID 2380 wrote to memory of 3100	2380	unturnedHack.exe	83
PID 3100 wrote to memory of 2972	3100	unturnedHack.exe	94
PID 3100 wrote to memory of 2972	3100	unturnedHack.exe	94
PID 2972 wrote to memory of 4896	2972	cmd.exe	96
PID 2972 wrote to memory of 4896	2972	cmd.exe	96
PID 4876 wrote to memory of 2452	4876	chrome.exe	107
PID 4876 wrote to memory of 2452	4876	chrome.exe	107
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 4148	4876	chrome.exe	108
PID 4876 wrote to memory of 1816	4876	chrome.exe	109
PID 4876 wrote to memory of 1816	4876	chrome.exe	109
PID 4876 wrote to memory of 3716	4876	chrome.exe	110
PID 4876 wrote to memory of 3716	4876	chrome.exe	110
PID 4876 wrote to memory of 3716	4876	chrome.exe	110
PID 4876 wrote to memory of 3716	4876	chrome.exe	110
PID 4876 wrote to memory of 3716	4876	chrome.exe	110
PID 4876 wrote to memory of 3716	4876	chrome.exe	110
PID 4876 wrote to memory of 3716	4876	chrome.exe	110
PID 4876 wrote to memory of 3716	4876	chrome.exe	110
PID 4876 wrote to memory of 3716	4876	chrome.exe	110
PID 4876 wrote to memory of 3716	4876	chrome.exe	110
PID 4876 wrote to memory of 3716	4876	chrome.exe	110
PID 4876 wrote to memory of 3716	4876	chrome.exe	110
PID 4876 wrote to memory of 3716	4876	chrome.exe	110
PID 4876 wrote to memory of 3716	4876	chrome.exe	110
PID 4876 wrote to memory of 3716	4876	chrome.exe	110
PID 4876 wrote to memory of 3716	4876	chrome.exe	110

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	unturnedHack.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	unturnedHack.exe

C:\Users\Admin\AppData\Local\Temp\unturnedHack.exe
"C:\Users\Admin\AppData\Local\Temp\unturnedHack.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\unturnedHack.exe
  "C:\Users\Admin\AppData\Local\Temp\unturnedHack.exe"
  2⤵
  - Checks computer location settings
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:3100
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\unturnedHack.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffec3a9cc40,0x7ffec3a9cc4c,0x7ffec3a9cc58
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,1647387572320233892,5148468769527877387,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2176,i,1647387572320233892,5148468769527877387,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2432 /prefetch:3
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,1647387572320233892,5148468769527877387,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2440 /prefetch:8
  2⤵
  PID:3716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,1647387572320233892,5148468769527877387,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3432,i,1647387572320233892,5148468769527877387,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3724,i,1647387572320233892,5148468769527877387,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4848,i,1647387572320233892,5148468769527877387,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4856,i,1647387572320233892,5148468769527877387,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:2832
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff60dd14698,0x7ff60dd146a4,0x7ff60dd146b0
    3⤵
    - Drops file in Program Files directory
    PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4480,i,1647387572320233892,5148468769527877387,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4468 /prefetch:8
  2⤵
  PID:5500

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4184

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault124c2c25h95f0h4025h8141h7410764b18da
1⤵
PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffeafb346f8,0x7ffeafb34708,0x7ffeafb34718
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,10936488309021684614,3233645653330119003,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,10936488309021684614,3233645653330119003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,10936488309021684614,3233645653330119003,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:5128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5340

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:5580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultad014a54hfd4ch4aa8h9204h192d27fddf7f
1⤵
PID:5636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffeafb346f8,0x7ffeafb34708,0x7ffeafb34718
  2⤵
  PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,6994154242637915478,849398209301405423,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,6994154242637915478,849398209301405423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,6994154242637915478,849398209301405423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:5996

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:5820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ba8067d814e8dd120b02f5d107df4f2b

SHA1
4e169d1fff0fcab4785d0e795e400188e78adc40

SHA256
8b3580415c3df352144d738397c0c8c22b269e19a9a4cea6a4d2a9045a0c799c

SHA512
546d68acaf17d229b81efe09ceb5118df085e13e0657170b6341ba752ebab8e9e3940c9972c3b75145b5e0c5afd0f3ab55ee40a82fc9b332ee7565c57eb0b30b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2bfe8271bc32abc4bb19f4ba87d41d1b

SHA1
cc1d4b25d9fddcc5cde929b539a3079e03bdcdc8

SHA256
b85a145829a1eef70e7e38676b6b3ee638e44ec01dca46e61a30b13cac7cff80

SHA512
3021dcba3aa2a2dee15badb95b5b308281007d4ff6b1f79f4a58a85070444583c7a24fcd955297b8322c09bfb6e0667af99233f082453cb08cd7123d70f85488

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5f1853b839e46d6151471ffc50352649

SHA1
449b4df1dfb7a6ad23507df70fe1e1af1e8f4591

SHA256
d209a0529228c0ef385f5a5662ff66f92e43f2d4a63ff46fc848ea0a144de441

SHA512
222d4a87b4bcc035148bb8066c3c54e0ccc02483b53a14fe8740384a5aa98bf990d9aa96a8cfa62aa0bc0e56cbb2f524fbbf99fdee7f0e11040398371a2a1e28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6974a862eb5e384c607847079c1407b8

SHA1
e88507bab7862e7c6688c6704b9bdc6ee8264d11

SHA256
2eca4ee37f78097b20ec4592be2f1416302724ab2854ed9faf2ec2d4d94af5e6

SHA512
64ac96dafdf91a2c11fe1fbc882b54b61690e431cb158b1bb1e6f8505568bcac7e3fcc5984c3e1666ee6e06bad9a844113131fc777111801e26f7b4af51b6cc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e1cd62df7a429ed3c132d99d484e4caa

SHA1
87ba6a1b6a92f1720bae23419bb0b6744efb0dab

SHA256
5bda363398bfb9b5e04e2ee47c4649f1f292e9c7dde019b422ec6069d13f6bba

SHA512
0eacdb8fd2bc47277e807f41699e3359db956e67adfd6ba2c0c58860ff7c531e420c14587375acc078af8457867cfa5b43052530e73a17002325940e8ba38592

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e9ecb21c21763137b8f6a62fb4a15305

SHA1
a8b1927d2ce1dfef81d681564d20773a23e470df

SHA256
942b33677fbc59363ef51ddafb578958aa70a10f11bb4032e99b59875a2b5b1f

SHA512
8f7daffcdbbc7b12a5c657d67fabd3b56bdb8438d3e4d28ffa3e60a31da85a80fa36406b2c2b65fb4cb4093edc0765dc0791752d4364be0a577900151802ce6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
49a3ad90649f7a23215296bd7d9cbc13

SHA1
f3dffead9ec070fa45b08bc7ef0c7c075be3e5f9

SHA256
51609bd83dfd3522d51a31c1a65ae56d8f4705263ce759842c8e5e139f69687f

SHA512
57b880c6bcad327d8268dd12ea19ac2380a370e86c4923c861d6a8446afc4e069f819c85e52045928c59f230f4b6522a97768372fdb40eaac6c26f778efbfdc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c3d4f23173aed9f2e4911056c6564948

SHA1
510b33ae600f9971aa453760e9ade28d87ce67df

SHA256
e7c807cd753fa66affa9ba0781b53a19f56dccfda576b1f4342afca4ddbbbd20

SHA512
0c88cd78fb6f1473b7eb7c0d37a3d8a38c2ffbac2d5813b0903300b1679a8f696f8959735be2743a2782abe989af994ce13d33018e8c34573527241452d9f3b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
290762b45e9461983b9708a36e56c034

SHA1
4f7cb02b1e7917eeb6c2cbfc3dce5ec23c16107c

SHA256
0c556fbc503069ac3662219834f030743defa1d372777b65aa1b989011f48013

SHA512
3d9f6d26c8d29b7eb352288dc78d50224ead071879a0f378a8e6e64493079fb5d9a9b664cd49ce77fa0d5dca2161395e9ac329818e906f29550cdcf898b39ebd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1110f999c4f2c0a26d695b72860934b9

SHA1
fda5cfb67c28381745e568523463fd50061197e6

SHA256
04aa368a55fcc85e8293b38dc009a0e103a330a37212340745b23e4d75c37d3a

SHA512
13916ecfdb1416c24feb5918500b323f488189761101467a2e78344c80943e02afa40516ee6a1a1fc0a11867ac925cbb4fa30271c844828e41debd734a8893e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bceb96564abb913d5576e33da1cb18f0

SHA1
7a3f18ba883f058f148730075dcf9c4c86789078

SHA256
431719745389fc04db904f0f41be10d447253027a0cd07bc72a9ba944c5248fb

SHA512
2928f95da064698da9b375a4c587466a5336e3f07640c56dd3879ae05369e23bab3cc490b23bf5a957b7849548f70cd514fd381f1c8e4047b05056a465733551

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b929025806a258e677cc848500d8d006

SHA1
de7df9dbb6f1e1bf8ef78eb576f2fc94bdd125c0

SHA256
ae0e0b09420048adefb88b713610b09b245d31be7b9ff6982587e3c9660b7ac0

SHA512
df1a7230ac6269c3ebacd71d6840a517d5789f1e1b8ef40b39bbf3f24820393aad8e74678e59cd6e849d5c6c395cf35cc46ad2579e476116ccfac291675c2d16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
62a45b8d3a5f65e0bf8338db37264362

SHA1
350f43dac85ff164dbaf1ef6bdda76b3a47f27ed

SHA256
b6df02234e0c2bef0a4a618ef903393dd3fa1d4f7ab694cee62c5b922f910396

SHA512
f300234ee1443d2182a501724c1513a949b74e2a4021ad8ce3b6f8db4cb209e055010c907b39f46580820912efd2d5e2379a13a38aaba6d9bb39c91f65e09824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f9b5906f2a13efed351eda0b6c8d94f9

SHA1
821edab74340571568ec3ed86ca02979e1e6cabc

SHA256
e0ba4e22b4fc2e71cbfdee134c1e3dc9925fc62289dfe6304cc6e62d4e6de494

SHA512
9134cb45847ca2a7bae5a39420906f15cafb0e100c16d3f78bf6ccb05bb44148a5c447dc46da8c0820b31d0ae5e8e762328333128a3ec009a25e00f4b7f2189e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ff2fddfcf5db0cd0e4849c9a1cdb6d9b

SHA1
1a5612a966371362e7b127c429f7e1a12faf1560

SHA256
31a039ee4f3fd898a4aa628cd7fdfe17addf6ee0e6ab31be111471257a79e70a

SHA512
61f156c1abacb4b1c12d69b76ea5ce18e6dc150e7f528dda32bcf249a6afe03d3d26707ed83028738275f7e1bb519ce93e99c0dabbd6dfc8fc3b48e51baaa436

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2a6d6598d85896720dd8d38f6fdaeaab

SHA1
5706d3642a5b8a72b7047112e50a3457d9e7d898

SHA256
f0ae17b287efead34721be32e362eca37990b0fff5b7c0983bc323e13c53f293

SHA512
588b8f8eec5fd56ebd302fe9b3a1a2eadfba6de5c94b71f7ab9647eb87873767beba0f58275e9f72cb8ad9e698159339186c43eb1026651f47c235deac2178d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1f8771241c885512b6392094b1db10fe

SHA1
36c58eb0d537e597ce056f298a692567737fa546

SHA256
e81cd54f4887f87d9c1586f04ad4db3e8cb770408f965c0090b2332c9a284b58

SHA512
1f7c98fe1aaac32a081caba133215593f12486b6450a61fd0c7df887c12a5a54520a7be826903dd35a51f928b53497587aa843c7d097732c840c536c163c8348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
58e7783dfede1102a52c2a2ec428e9c8

SHA1
6fab40240c20b4841c3b06d111324209d6da797d

SHA256
d1d0a0af81b43cedcff56f6fc628110724e832974d5715fb6eb0fd040f35ebf0

SHA512
fa3301fe89b4ad4c3bcd6b84332d7d6344d3afa977417febb6ef64651fa88546e807d661fce3ad363a8c4e24e2c702ea2cc9c50c2ed30123d7cb9229d66fc792

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b70d1d94f93a80fb719d56f2aeb61fff

SHA1
d30557fc0eff9d956f02d4c95fd0ad3bfb3335f8

SHA256
e94d90547b1fa39a9d2b2426ab42f50bcb3cff4c76e3338da3517282a0bde95a

SHA512
5ea7c669eb7c8d5ea19be8ebb7ddd402d773309fe017734747d6efa62ab315d41d448c74a284c76144eb8373f421a22f6f643b21b027660cbe7596875bb030eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
5505df6d6a48b91279934934c0c56465

SHA1
b281ed049b1c42b08b115689850c9dfd72fcce0f

SHA256
94ae83dc234aaf9864a1531e654d0f8b3353f4f2cc99a75d3f985fff1eb12e42

SHA512
b1e48a904955783add067f78521c4ab281ce47006fe826d9623d92be3565f641555e7ce5e0baa21c89305be82a63408091f982c736b4ddeda97e275a52b5164a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
41327575d95856d2074d7c62b036a77c

SHA1
7df091e92dc0935c1367f725512b0e351508b19f

SHA256
dd9ea6026f782de039811499b3c44374de7570f4b2d4ea1d22db893b8faaf59c

SHA512
7797de7049c1ebe7860787f616bcada147e093b154771453cb6869b84a37db3152928a0c128d5eb6225b70e3534b5e1113a4dbcec9dbd1381fc003275e8a4489

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
a879b4bad0dda11fa38b7f14905f9329

SHA1
bfc55dd62a23a82f2f8ed6cd90fa83003035c84c

SHA256
1bc4bea81c1c3ed9ff8837913593731e245d34269da50d8238a08d4848f83632

SHA512
479642ac88d89b77f240254b0c98d72e001c26feea378c9cb2f319aff88273cebb31c17c12b616b07c283b9fd025581777342cf1daeb87f34cbe5c417db0aff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1543363c-0c49-4738-b902-eed5a49870a4.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
fd0d5f4ddfd0a95770ade6a02134244d

SHA1
07560e58e5dd7fc13306292482b40be660e8fecc

SHA256
df1f561a2f8f37d2c385463a5d175666558c7f4404c8b344d034e4eee5849098

SHA512
447cef046f9fcd6c65725f8c1e845ae3f703f2a65ef6eec593884b2f2450d6b05289a9d5b554f314253cc2ef922f121e7c7f01abcbb92ec0525a83e7936f3775

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d3380256ef55da6d657989d8bdef56ee

SHA1
805a4abb5c1d4b3dcdf5d66044c14f7eaa9f9771

SHA256
a5169f8ee5236ffc009f783804da62c499407450446ae7b70c25a213bf4b1d3a

SHA512
aad3e247ce2937fce4378c2b567d8ab73c870a810a6629fec6ddf9c20da3a19554362a9d78cf820e41e805c7c3113937560a9988e7216fed7d3c7157d4acd9ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
a873b4f58ecb258b35f36fa40a314b02

SHA1
fe4141d0a5f33b68aae5af09978a5075517af252

SHA256
27d9dffab69faa54ad81aa3b4af08d0766806eb7f90f2778ad043e3f1a9ae9ce

SHA512
9375a88b712fb5736a200cbca8d7c614fbd0ded2593dd3b184a905ca06738db47a25ead77a2a1d271499dbba01a74a0ed765ca045cd2c3b46c5f7b6d42aa6002

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
11e847570e14d974a840ad88914c442a

SHA1
beaafd9fc2ef7dc8f6cd6890d2546081e910253c

SHA256
cc441619c0751d44b5cac8e760e66500f45f312875ba3dabbceea1312e6e74e7

SHA512
d4f03ed7d150401b45b7422b548f46cceff29171c2acb01bc6f76e311d4d1a8cb08045877bf1b100c35923d86a94b65667d176f28171172b6371635f90e31648

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
ab2301a71e50bf81a38829f0b1f92a63

SHA1
4f4452f181f8701e955d6973ad27c02bf3fa7ab7

SHA256
e154425ed8167a9980305fff4baff32a106ed94168f20a793def35570aa1b7c2

SHA512
1e2e47745d9ea7f2e976d28a507ade652dc899877ac13932b1a2d95bbe691163d76b65fd7966cde9ff8fd45d50d46fa18fd6c19ec6a32ecfb8b537f18a398299

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
memory/2380-0-0x00007FF5AF9C0000-0x00007FF5AF9C1000-memory.dmp

Filesize
4KB

Download
memory/3100-41-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-49-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-77-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-72-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-71-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-83-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-70-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-61-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-59-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-55-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-52-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-64-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-58-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-103-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-104-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-80-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-84-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-92-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-100-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-99-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-91-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-86-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-53-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-45-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-48-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-78-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-47-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-42-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-46-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-40-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-38-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-39-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-35-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-34-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-6-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-9-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-19-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-20-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-23-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-24-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-25-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-18-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-11-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-12-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-17-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-15-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-4-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-10-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3100-5-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download