939281eac1c6e5aa2e4238a1e545e67b2609c15f517474b2a5133bb64fe9c1eb

Analysis

max time kernel
1046s
max time network
426s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PepperX.exe
Size

146KB
MD5

39c9477cf131ca5ccc05c8871c0e10e6
SHA1

07b2581b2cb41053d09c4bb896aaabc1d28f2a7b
SHA256

939281eac1c6e5aa2e4238a1e545e67b2609c15f517474b2a5133bb64fe9c1eb
SHA512

689fd585232031f746b1573d3ed66ac329420611d4e1092ce6952b49ab0c168091726bd02189a4e183d1196ced4f51953e4eb25a5219a36f86d8f6761da9f129
SSDEEP

1536:xzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDqk3sA9atm8z+L8QBfuSoyAMjwT:KqJogYkcSNm9V7D7352v+L8DnyAewT

Score

9^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Signatures

Renames multiple (617) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	F415.tmp

Deletes itself 1 IoCs

pid	Process
4612	F415.tmp

Executes dropped EXE 1 IoCs

pid	Process
4612	F415.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1045960512-3948844814-3059691613-1000\desktop.ini	PepperX.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1045960512-3948844814-3059691613-1000\desktop.ini	PepperX.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPvx2en4f476_ggebl99erws0cd.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPs2njz3e9rsez_k6i191egcmnd.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPt42_ytg1kn0pi7_kjvtl3v0l.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\1pvSvxmZY.bmp"	PepperX.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\1pvSvxmZY.bmp"	PepperX.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4612	F415.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PepperX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F415.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop	PepperX.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop\WallpaperStyle = "10"	PepperX.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133770567249851286"	chrome.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1pvSvxmZY	PepperX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1pvSvxmZY\ = "1pvSvxmZY"	PepperX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\1pvSvxmZY\DefaultIcon	PepperX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\1pvSvxmZY	PepperX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\1pvSvxmZY\DefaultIcon\ = "C:\\ProgramData\\1pvSvxmZY.ico"	PepperX.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
752	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
808	ONENOTE.EXE
808	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe
2704	PepperX.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp
4612	F415.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeDebugPrivilege	2704	PepperX.exe
Token: 36	2704	PepperX.exe
Token: SeImpersonatePrivilege	2704	PepperX.exe
Token: SeIncBasePriorityPrivilege	2704	PepperX.exe
Token: SeIncreaseQuotaPrivilege	2704	PepperX.exe
Token: 33	2704	PepperX.exe
Token: SeManageVolumePrivilege	2704	PepperX.exe
Token: SeProfSingleProcessPrivilege	2704	PepperX.exe
Token: SeRestorePrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeSystemProfilePrivilege	2704	PepperX.exe
Token: SeTakeOwnershipPrivilege	2704	PepperX.exe
Token: SeShutdownPrivilege	2704	PepperX.exe
Token: SeDebugPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeBackupPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe
Token: SeSecurityPrivilege	2704	PepperX.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
752	NOTEPAD.EXE
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
808	ONENOTE.EXE
808	ONENOTE.EXE
808	ONENOTE.EXE
808	ONENOTE.EXE
808	ONENOTE.EXE
808	ONENOTE.EXE
808	ONENOTE.EXE
808	ONENOTE.EXE
808	ONENOTE.EXE
808	ONENOTE.EXE
808	ONENOTE.EXE
808	ONENOTE.EXE
808	ONENOTE.EXE
808	ONENOTE.EXE
2392	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 764	2704	PepperX.exe	91
PID 2704 wrote to memory of 764	2704	PepperX.exe	91
PID 4596 wrote to memory of 808	4596	printfilterpipelinesvc.exe	100
PID 4596 wrote to memory of 808	4596	printfilterpipelinesvc.exe	100
PID 2704 wrote to memory of 4612	2704	PepperX.exe	101
PID 2704 wrote to memory of 4612	2704	PepperX.exe	101
PID 2704 wrote to memory of 4612	2704	PepperX.exe	101
PID 2704 wrote to memory of 4612	2704	PepperX.exe	101
PID 4612 wrote to memory of 2676	4612	F415.tmp	103
PID 4612 wrote to memory of 2676	4612	F415.tmp	103
PID 4612 wrote to memory of 2676	4612	F415.tmp	103
PID 1804 wrote to memory of 4840	1804	chrome.exe	118
PID 1804 wrote to memory of 4840	1804	chrome.exe	118
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3336	1804	chrome.exe	119
PID 1804 wrote to memory of 3844	1804	chrome.exe	120
PID 1804 wrote to memory of 3844	1804	chrome.exe	120
PID 1804 wrote to memory of 3044	1804	chrome.exe	121
PID 1804 wrote to memory of 3044	1804	chrome.exe	121
PID 1804 wrote to memory of 3044	1804	chrome.exe	121
PID 1804 wrote to memory of 3044	1804	chrome.exe	121
PID 1804 wrote to memory of 3044	1804	chrome.exe	121
PID 1804 wrote to memory of 3044	1804	chrome.exe	121
PID 1804 wrote to memory of 3044	1804	chrome.exe	121
PID 1804 wrote to memory of 3044	1804	chrome.exe	121
PID 1804 wrote to memory of 3044	1804	chrome.exe	121
PID 1804 wrote to memory of 3044	1804	chrome.exe	121
PID 1804 wrote to memory of 3044	1804	chrome.exe	121
PID 1804 wrote to memory of 3044	1804	chrome.exe	121
PID 1804 wrote to memory of 3044	1804	chrome.exe	121
PID 1804 wrote to memory of 3044	1804	chrome.exe	121
PID 1804 wrote to memory of 3044	1804	chrome.exe	121
PID 1804 wrote to memory of 3044	1804	chrome.exe	121
PID 1804 wrote to memory of 3044	1804	chrome.exe	121
PID 1804 wrote to memory of 3044	1804	chrome.exe	121
PID 1804 wrote to memory of 3044	1804	chrome.exe	121

C:\Users\Admin\AppData\Local\Temp\PepperX.exe
"C:\Users\Admin\AppData\Local\Temp\PepperX.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:764
- C:\ProgramData\F415.tmp
  "C:\ProgramData\F415.tmp"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\F415.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1400

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{3B88BA0A-8234-4556-96E8-8F6B31B8A10B}.xps" 133770566019400000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:808

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\1pvSvxmZY.README.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:752

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc8b7ecc40,0x7ffc8b7ecc4c,0x7ffc8b7ecc58
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1724,i,9277979791458140416,12156165985160521800,262144 --variations-seed-version --mojo-platform-channel-handle=1992 /prefetch:2
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,9277979791458140416,12156165985160521800,262144 --variations-seed-version --mojo-platform-channel-handle=2092 /prefetch:3
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,9277979791458140416,12156165985160521800,262144 --variations-seed-version --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,9277979791458140416,12156165985160521800,262144 --variations-seed-version --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,9277979791458140416,12156165985160521800,262144 --variations-seed-version --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,9277979791458140416,12156165985160521800,262144 --variations-seed-version --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4824,i,9277979791458140416,12156165985160521800,262144 --variations-seed-version --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:720

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulte4bf365eh4b13h4942hbe79h10cc8332c497
1⤵
PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc7a8946f8,0x7ffc7a894708,0x7ffc7a894718
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,8290447264955738346,2455769975455789602,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,8290447264955738346,2455769975455789602,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,8290447264955738346,2455769975455789602,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:4832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault16fb217bhef57h4282h9dc9hbbd918d124a9
1⤵
PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc7a8946f8,0x7ffc7a894708,0x7ffc7a894718
  2⤵
  PID:372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,5311252171530592840,15584440369592364746,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,5311252171530592840,15584440369592364746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,5311252171530592840,15584440369592364746,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:1000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulte35e017ehc707h415ch919ehe1276ce940f2
1⤵
PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc7a8946f8,0x7ffc7a894708,0x7ffc7a894718
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,16859341548453338708,12534915137521872004,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,16859341548453338708,12534915137521872004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,16859341548453338708,12534915137521872004,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1045960512-3948844814-3059691613-1000\UUUUUUUUUUU

Filesize
129B

MD5
cf9599de2f8bc8dc0f7de9b02ef58876

SHA1
a6e6ca06667a3545686a807c9466d03cd0cd8a32

SHA256
5d08085e1945eef9daa1cc9f15c0b85ac349a76e8ae16e62f5f830b6771369e0

SHA512
4c84642bd685f246f7f4b07350b0d4344eb0804b7fe8717accc85c5ad7342d5a5b77e780d163c3197f0a24c953b28bdba5c8d6bf491dae3478861fb09d62cd9a

Download Submit
C:\1pvSvxmZY.README.txt

Filesize
348B

MD5
9810eed5ecd966874ebeb398ac6531ed

SHA1
17d2e2bc15df652734b79185cb323e652559fd6a

SHA256
53183e5ed0cf42bed46b17c9dcc92ea49737bb57dce34f1e20675a913796566e

SHA512
b26ca61461ed8b09f037e33d209cd0a22959b89e3e7895e057f544010fd5ae037e4fa76311763c121cd6e8b3050de22fa7d2163b4d9cf40585e14f5024e0cb79

Download Submit
C:\ProgramData\F415.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6703B454-10C4.pma.1pvSvxmZY

Filesize
4.0MB

MD5
6ff55e5530956ffe6e868bacf90d57bb

SHA1
b636e4c2b4c8408468b8129159638b31311eb201

SHA256
427dd81b013321e02c13edba326e19556a485d2528852fa60888a42afe67ea5e

SHA512
fc48081a1a7767128704e8a039dd8e812086c3bcf4e24143a719931c9dcde4b217e92e70c2b699bb620992b9825aac0578fd22673a7e740bd0c62adf0d5079b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
3781a3752ccf765a14dc8637235f1fd6

SHA1
272b3ca3c1c0a6548d78eb4bd74d99087cb4d6db

SHA256
038dcbd0c38e80da81d2ef14df60c6b08da0a0632ed69d650471c0bbb9f54462

SHA512
8b97d43485a82f5aab874bb66776aa2efc45c7bced102b97aab3aa9c053f6f855750d03956703830c88d4b5b464029447aa177c7db0d379a5da8feea6e0c3179

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
61759528663e223f5bc759c168476559

SHA1
d87dad16fbce44a57ab8aacbb520afeb2b61ab40

SHA256
b4acb5860e20552c9e3aa885a73526f13ee75a0d19f3a79b039d828fd8f4dd74

SHA512
4a3f743dc19aa73a40a882f39c63493127aa08277f83123e226d221f776b506bb280f12d058e035db00783b8d389b63ba1855027b1c98bae1cc3b8229ee00d48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f11d82703abfe7f22943091d7309daf8

SHA1
8fc5ba8ee8fed2969d62cc0b5b0e2ceb55914a81

SHA256
b4af7b1c32477d5d632156a002e2ddb1a6e3c89c2e4eb8067984a2b67108744d

SHA512
689a9fe13ab9e9c61d57bc77d5ccc3ebe67d235451fa7f986dc42ad6352d9dde0d48d7331d60e6a1e3e1cb8b9957005cab1f060f37d927ecdb2179cb5f10c399

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
15ee88ffa88811d20a0c7acc0a2423f2

SHA1
84228333ffceb867a1bf404a92b73c7008b77628

SHA256
3984bbc1c8bd642cc8196f9f20acb60508eb251bd3a929a8be35da002835b1a2

SHA512
4c05966e4f2eefd5d498c04dfb6f31294eb7e7c7a3c1bb84eae42766b0174883b856efebacd6eba2f8d7eb18fee9214cfe38758df1b11fe73a065f844002eb13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
eeccca3248df931009aa60398a6dbb99

SHA1
9d971f8ad30bd399b7375cbba19e157ea78cc6b3

SHA256
c6e9860a4ddee9a80067543a595e21b4683bcc86232f4598ba4e850a39ccea2e

SHA512
ebf43de371fc3cd2034f7f0feae66c53235790f7d2c228d573b0ec94fe50329b1d35862c9aad758bb018bda0f638e400bbbd507f142bd75dc5cb37b5280f0ddc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f984a5a246a0e631dd68494fa140558e

SHA1
ddefe4e034dca4a0b577bc78fb449a87e2df1eaa

SHA256
601f630c1e30a028c01ed7fdab23f57bcc6d247bb13f65f3efda392e9d75fff4

SHA512
b40572af48c0ea47714bd58b32476347fac52886d47b985fff71f42edbf761aff84a9bbb26be937edf77dd51b3dc6ee00ca5540d3c8e795ff4cd0a4a7848dc28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
3KB

MD5
4e55c1295b72bafbcdf5da5c30cabfdf

SHA1
4ba8202f66c45f50be26082e49ede09afc2358a7

SHA256
34f8e806651a277dac7207f72baf26360ba28602f3ad7fa5bbfc934bcfeeffd3

SHA512
663ae5493118f1f313a9338ba1c21b0f537b433ee41ffe81e4ae221a892e0f9f7e241456d3085beabb5798a32cdac08f38e944393195f1b1c0df2dd724c5c09e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State~RFe59b8a8.TMP

Filesize
1KB

MD5
c018c437bb18a29dca88dd4fae288293

SHA1
36421d08f7033cc308a409d53f8da29dda2e4e4f

SHA256
bd596ccb40c44822f0f124ccadcfa390163d895fee6233f70d1d50e491c10714

SHA512
a04b0168a9e4c1dd2252d2e192f17af4176fcd155f0e54bffdc49eb2241e3aa676a5f40ea8d74a683004f56d8a238ecb68ec6219fb2b661c2abad880d9b9d2a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
60c97be0da178b2b75c7d6a7012ff548

SHA1
62681e6e9fa9fde0cb862c4c62aabe2174fb1bd2

SHA256
d1d122d87cc5bd58e4db851759fa2ca28f70aa238bb97cbcf0cca0fb9869af8c

SHA512
86e1f48b510919c9a8463ab904c563a4b52ab85ced23e8233eb03873fed2be7e7ca149a90c4b0353086c15b39b070fb8cbefc775cdf55d2fcf45180456ab9f2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2974b03dda08f02c71c22b80f2b7767d

SHA1
948540141894dc2c13f96f38370c67927b71e787

SHA256
01c6d9d3c46cf02eb051be6640ae617f430b04667be9d31b8fef9a7ee37ce7d6

SHA512
4995da89449f5e21dde49e30fa58757746f3d17574b1feafe1fbb362e6497c6594efe02a3653d024af705cd1561782ea28f3e68b0508c3b16dc1ad45ea1e847b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e290d40cc76886ecd6655f1b383385de

SHA1
108966f33442a3a8c40bd8de469bba1a78c45b30

SHA256
b4aa1549a2f3088ef2218df1421509ff2d0bd7dc76b2f1d2a663119fdbbcd618

SHA512
2497c967fde6583db1d6e6a29fccb1370212df3c10ac8eb6d2a7e7c293243cc2e53196647090c38f7f06671b5997105dfd1aa70efb86a0e923709ac1d8e72eb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
4db753fc2ec82050d1d43ff6e29ec958

SHA1
f582b9472b82f7e5492cb65b33c3808d72fc5fb4

SHA256
f0fd68d1698a04055c56b9e35f09b988aa137a8d24b27fbb63c6821fda3370dc

SHA512
b2997c23157550cc7281c164001df720ace9390f7c071e79d971a51ca0d9b66d291d8e475be2ad0cb19dd8167acd715e52bb1ebf12f530f2d63216e3d22c0ea7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
10ca8ae1f194b7c0501f8bd303c93094

SHA1
6b94001d768913b940900e3a5bbf34598f5c108e

SHA256
595a8d03f94f22fc48c7c0663d56b70d7045cfe7fd045b175cb433ad12306379

SHA512
26941ebad029c70552c5e3efc2b02da337a82798be5198603880f6f77768125b6992557c5d05e4dff73622cff38b8afe4fd453f8fb3f8dcc887e1d0332478919

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
aecff18205cd9491ae16133a2ec810d1

SHA1
a5ef9c3c5ba5cf707bce06ac5904edb8eb3539e7

SHA256
21561197d11406f1ff826f6a947c818c80c7415e5905923a4ed6215ad8ffb5c2

SHA512
cdd1e0fb9c2ac0afea6204c109d60263544d45ac37eb2866279eac13e257bf34aa71823f1f1a00702186a21869fd707781e6ad222534a43c440c1ef96c91ab7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
167bb254ee43e81f1ee6e00684b23bb5

SHA1
ccebb0485d03cbce8244615b09972d45a0bd146c

SHA256
162f705be51c2e3f5e7ad18ac57bf885490419caf5a49d4cfdecd044f0eda932

SHA512
1d69eb2a3bca235c2fa763b040d92f179a1f6849acc3f553db8234515e2e8c23449ddb1b88331a26583004d113b5063f739935c5cfef840dc95fa0c5d1d808e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b8621d54-802e-435e-a778-3a6e5c3edc54.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
e22d97bdfb7aebb685804250e6d608a4

SHA1
b77452a16b8bc461d521b80c6b857f78fe1950d0

SHA256
0ab89e7dad201ae40645b94087817e73c42bd70f3b9bf58bbe0cdb39d35b544e

SHA512
4b83fbb13793cf7612eec3d2daa2adfd6fd7aa0f732713736c9dba726dacfc130c35b09a56bc98fa12b747204b70c928ea66b7c011ddd43387a7fb8bc60cc921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
ad3b2c05390549159e6145061e3855bf

SHA1
c4fcb37bb4fb1ce4e96414b7b34782951449e7bb

SHA256
ca01a3f97794937e923ae330b96ebad4356f85c149a9cd8313f7d99f7f02d5d6

SHA512
b604892394dd6f385a40590f7fe5f4e9b935ab9f9efbcc1aeff8995e3064c93842d4dd0223af0e160b3bf1dbdbabd0785d44f1249aabbed31c09e9c0745bb19a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{3B88BA0A-8234-4556-96E8-8F6B31B8A10B}.xps

Filesize
13.1MB

MD5
751b8d8546f9129756dc4ee76d4be1eb

SHA1
48923f8e1fd3f534d42b69e17e9705069588d8f9

SHA256
13cf22ea8f73cb54e807c744caa8e41e356075a21c7f694e2ab9f2b122b250d7

SHA512
5346201706aeb4bc2c55cbcf02010968f072c0404ff685268dd6ef5c63fa5bc6874b35135910eaf154ccde7da32bd780c5af8b8d1a666995865d05609c8e1222

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDD

Filesize
146KB

MD5
8fdf823ccaa04caf835d08f916f42c88

SHA1
90af6a7efc297e2ff685d668b64a6024f96b431f

SHA256
c436817947b8409990c492e528f9af2ee85c630745c2ffcc6f9b140449723c67

SHA512
a0e73e6bb8056a83097ea8baef2be4e3787b28ac09666ae373d055689f8c422c859dfe88febf64285a20747129f8464dc1dbfaa58710ad0007176fa91f0bcaf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1E00FFF4-842C-48FE-8457-AFD782F1D187}

Filesize
4KB

MD5
d46e7c7a720de9901afd782f99c38a6f

SHA1
d47e59518bd5f900b5d80b6d95ed2b03d5946b96

SHA256
c9ad13acdc473559238b543ec8da46952905bba22362db94f52cba3194a10ebf

SHA512
dd66c57a797e8cf61ed04b0c29410eca553168513ae7838f74eca63187e1a94bbbbdcfb4af4163bff845ceb5cd8ae8d0a0627b98086a53bc73d745533e797328

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
078ed0e3549d5f87ca3eebf54d0ac7cb

SHA1
3d30d785a6631e6547593270f8c92d10ac0b23ef

SHA256
4cd68b8f895cb41d3b5d3690899c47ac7b66b8fab975f677ade0de430516a1cc

SHA512
afae573dd66bf78f14a2e1c6840dfc974c6ea45db3d696d46f3e8f177cc1c3f2c247e8fb78572c46152f838dafd19f7e85a339013716eda1d23863209114571a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1045960512-3948844814-3059691613-1000\DDDDDDDDDDD

Filesize
129B

MD5
678184ede626e099a62d9930ad02c476

SHA1
22ee08da45352f80bbf2764d90dcbabc62a9bb82

SHA256
0fc8955a60510dde439e03b7c7830d72648672abf4ada879be7d8c64160fbbd4

SHA512
654a26cc764b7160946eca1f99621a0d7f7e9f8eb1e2ba202c028d8c308d0cfd79953c0ee04570117dcc8ea7f5f02512e700a7920b492a7ffa2c1aec3a2a7d09

Download Submit
memory/808-2975-0x00007FFC59D30000-0x00007FFC59D40000-memory.dmp

Filesize
64KB

Download
memory/808-3064-0x00007FFC59D30000-0x00007FFC59D40000-memory.dmp

Filesize
64KB

Download
memory/808-3065-0x00007FFC59D30000-0x00007FFC59D40000-memory.dmp

Filesize
64KB

Download
memory/808-2976-0x00007FFC59D30000-0x00007FFC59D40000-memory.dmp

Filesize
64KB

Download
memory/808-2977-0x00007FFC59D30000-0x00007FFC59D40000-memory.dmp

Filesize
64KB

Download
memory/808-2974-0x00007FFC59D30000-0x00007FFC59D40000-memory.dmp

Filesize
64KB

Download
memory/808-3066-0x00007FFC59D30000-0x00007FFC59D40000-memory.dmp

Filesize
64KB

Download
memory/808-3006-0x00007FFC573D0000-0x00007FFC573E0000-memory.dmp

Filesize
64KB

Download
memory/808-3007-0x00007FFC573D0000-0x00007FFC573E0000-memory.dmp

Filesize
64KB

Download
memory/808-3067-0x00007FFC59D30000-0x00007FFC59D40000-memory.dmp

Filesize
64KB

Download
memory/808-2973-0x00007FFC59D30000-0x00007FFC59D40000-memory.dmp

Filesize
64KB

Download
memory/2704-2955-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/2704-2956-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/2704-0-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/2704-2957-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/2704-2-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/2704-1-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download