blackguard | 859fc18ce5bde52754cac32912847e504b13d7489ea272bf0f96aeba4e3f689a

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
29-12-2024 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VegaStealer_v2.exe
Size

7.7MB
MD5

7dbb57d91edaface996422c1a5730dab
SHA1

f267d1e2344ed349553b5d096ce8f817567a8db4
SHA256

859fc18ce5bde52754cac32912847e504b13d7489ea272bf0f96aeba4e3f689a
SHA512

920f44b03faa15af8597801067a28d537d8b5367b04c06a30f678e84bd01c4e7aa2586b1f79cd793dc0e28c7f05889e645a5f9a9979f5a504e82806e040948bd
SSDEEP

196608:Rg+T6GMT/C2p/rFG9Xy1hOYM43d+2kbQSOcD2VqUJ:RwT/gydM43rSBOcD2B

Score

10^/10

blackguard discovery phishing spyware stealer

Malware Config

Extracted

Family

blackguard

https://api.telegram.org/bot6931928883:AAE3_IXAxj6tcKnwTCroCX1FU2LEmn35yrU/sendMessage?chat_id=5767320556

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Blackguard family
blackguard
A potential corporate email address has been identified in the URL: [email protected]
phishing

Executes dropped EXE 1 IoCs

pid	Process
4180	v2.exe

Loads dropped DLL 5 IoCs

pid	Process
4180	v2.exe
4180	v2.exe
4180	v2.exe
4180	v2.exe
4180	v2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	freegeoip.app
1	ip-api.com
2	freegeoip.app

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VegaStealer_v2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	v2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	v2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133799827465144655"	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4180	v2.exe
4180	v2.exe
4180	v2.exe
4180	v2.exe
4932	chrome.exe
4932	chrome.exe
3464	chrome.exe
3464	chrome.exe
3464	chrome.exe
3464	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4180	v2.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 4180	2068	VegaStealer_v2.exe	77
PID 2068 wrote to memory of 4180	2068	VegaStealer_v2.exe	77
PID 2068 wrote to memory of 4180	2068	VegaStealer_v2.exe	77
PID 4932 wrote to memory of 3916	4932	chrome.exe	82
PID 4932 wrote to memory of 3916	4932	chrome.exe	82
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 1336	4932	chrome.exe	83
PID 4932 wrote to memory of 460	4932	chrome.exe	84
PID 4932 wrote to memory of 460	4932	chrome.exe	84
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85
PID 4932 wrote to memory of 2276	4932	chrome.exe	85

C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe
"C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\v2.exe
  "C:\Users\Admin\AppData\Local\Temp\v2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca6f1cc40,0x7ffca6f1cc4c,0x7ffca6f1cc58
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1740,i,7326062100758337648,18363249655066385941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1768 /prefetch:2
  2⤵
  PID:1336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,7326062100758337648,18363249655066385941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1544,i,7326062100758337648,18363249655066385941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,7326062100758337648,18363249655066385941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,7326062100758337648,18363249655066385941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3544,i,7326062100758337648,18363249655066385941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4420 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4772,i,7326062100758337648,18363249655066385941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4824,i,7326062100758337648,18363249655066385941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4800,i,7326062100758337648,18363249655066385941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5112,i,7326062100758337648,18363249655066385941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4812,i,7326062100758337648,18363249655066385941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5108,i,7326062100758337648,18363249655066385941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5040,i,7326062100758337648,18363249655066385941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5036 /prefetch:2
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4236,i,7326062100758337648,18363249655066385941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3760,i,7326062100758337648,18363249655066385941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5248,i,7326062100758337648,18363249655066385941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3344,i,7326062100758337648,18363249655066385941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3280 /prefetch:8
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3296,i,7326062100758337648,18363249655066385941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3464

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1764

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004D4
1⤵
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
361651c6a1355369da72072a3ee48749

SHA1
03e241ca0fa29e4536c087fc1af383cb6380f1fc

SHA256
87d867ba71be259dbb08faaddece9384002eb858316cc8b98ec0db77fe8a0c79

SHA512
5996ea890d0d90d7cb0a8087ede60bfd9c55c45b8ee83cdb8633ce8d0b4e3a8c5c8536e58301bb2484fd8b2ebd8f086cd25deffc0071b214decee1cdb1cbb458

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
41KB

MD5
ca9e4686e278b752e1dec522d6830b1f

SHA1
1129a37b84ee4708492f51323c90804bb0dfed64

SHA256
b36086821f07e11041fc44b05d2cafe3fb756633e72b07da453c28bd4735ed26

SHA512
600e5d6e1df68423976b1dcfa99e56cb8b8f5cd008d52482fefb086546256a9822025d75f5b286996b19ee1c7cd254f476abf4de0cf8c6205d9f7d5e49b80671

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
72KB

MD5
43cb209da0740090172519ed6c1fed84

SHA1
085bd5ef087f7cac77b2b0cfb3353b54abd54dc5

SHA256
3a7f8be6d463bd77dad51cc40b5407ad923dd1a1f678979eb9b95adac8d393da

SHA512
3f522c8b72e42942e7713ae0efa4970de6a2f4b8e990ad59b09b00a2bc4a97a331ca9d8a6ce5e0a840abb86b2162e288d424472dbaad61ea432a6ff772e8c66c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f

Filesize
459KB

MD5
cdda340e8eb23f20ceb348c4089a4d9b

SHA1
7354bb5e01f093c02d4c5be137a388ef7ee3141a

SHA256
11f6209d6cc27b67f04f8e266e56a834b0d16fcfb72cbffe481fcf2d77feba62

SHA512
285b752093c984063812a1fe284f5ef91d0b9ed06f612fc2e0cb7e3b3a16abd61014ac9eca883f02a6d35fd7e1cb84b57bea6ead73f45ab4e15321a2fd0be733

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020

Filesize
71KB

MD5
56b4de33a9d129271188241d1a66b266

SHA1
a0aeb6cb5ed7d67aa1bf8066af0ebcc22cf67e9d

SHA256
ef88bf4b325e1d6b06b11dda9c5980082a7266e3d0134c70f95e098ee6404bc2

SHA512
41b3c60c2a15e68fba03fce678ddcd7ff319d60909b5a23ebb953981e6249ff47fb6bfacf58e42bd295ca84f46527bda9b2d00a9666b0bd79ab8eb9c86259e37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000032

Filesize
27KB

MD5
0dd3e79cbf1483610fa1ac438d0fb607

SHA1
772a1c6a1b4c50a727990cc53a46ec3ac3755ad5

SHA256
2752a0e9312cabae43b766907c81739f1b7b357d4b4410e8bc85734985473df5

SHA512
dc6c0278286c01db86dfe581c968e8c71737ddf1f6dfa4dae01e4f9dca68f330e13ce5abb988176ba42513c6cc3f7b6b003a670778881d69d41bf744b2067b75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000033

Filesize
65KB

MD5
4e035d4419924345da63c874ba6f534b

SHA1
3d163ded0e3ad03ad25dbc00eab646e66850645a

SHA256
f7e0f5593818363eb354bd153649a8c5e364b55d94596c5493b367271988b132

SHA512
6ca7db61c39c7a7a1b061170f024c5b8adadf402df7c3d722db9b7a1fa4109cb4401944d8661aa9436917d5513390bd4ea4d69124fdd44d770f914b45e056cd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000038

Filesize
86KB

MD5
24adcd1865b0a1608212f3c0a2ae6224

SHA1
a76b8c8e1a1e4d311352de297c43536a5de4811f

SHA256
acfdb44d611ba20360fed0f57ef6f873fca90c5b179852ae2981040d4fedd59e

SHA512
d74b778ed1fe5d43ac5ba08498e5650d756917c62e9be285ca6167714db6e227a0c0f82963ae6cf2724ba6503b90780fc24d4efe67f49e81e13c19114ad81ba6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000049

Filesize
105KB

MD5
771beb63dc02931a2b62bfc69df4d7fe

SHA1
e9cb0e7a0e3e379154882547b974bcb016efbf66

SHA256
a5d0915cb0fd24e1027e03a31c5fe6323540ee14059a366f20f5a994c782c74b

SHA512
7e3e458ec9b575b5a6205e12f306174884950dd2012442a6b9a4fb9884ab527be6f70bce0caf4ef933a8f424817060bc72124db16aee5f0ea419b41680ac0c70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00004c

Filesize
29KB

MD5
f85e85276ba5f87111add53684ec3fcb

SHA1
ecaf9aa3c5dd50eca0b83f1fb9effad801336441

SHA256
4b0beec41cb9785652a4a3172a4badbdaa200b5e0b17a7bcc81af25afd9b2432

SHA512
1915a2d4218ee2dbb73c490b1acac722a35f7864b7d488a791c96a16889cd86eee965174b59498295b3491a9783facce5660d719133e9c5fb3b96df47dde7a53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e6dae9bc12aa7dbe09bafc88603772af

SHA1
06434b4a13ce3cf83a350a0373a43288576603b7

SHA256
bc534f5b711aeb1fc4d3f7c428b138417d3d6ad59c1552746d35d51940c2fe12

SHA512
98e5116f2f0615910d3895563fad85c9c1bbe9308f72106d274f028f9d0c42f6b7c9b117f9540534d12e52ee9dec440c6a219981ffd5c16b127b35a9344ca8eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
5709c3a380d455e993ca595e4517a835

SHA1
72ce3b63b5dee43590503e7ea112ac27dab3285d

SHA256
d1620bfc825a2693ef215e99687895fed24fa916b36613e98e9cb132f61961cf

SHA512
610e783af093a66cced96e99881218f461e7760acfd44e3dc18575dc9e7566a2d66ab0a5b95a5613b148e264b8a92af842cea4d39618dbd887d61c9643188d5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
4d3becbb43aaedd4f33e0216af35a3aa

SHA1
f28ed1ebbc38f8ced6753f8702df62c2a4d448a7

SHA256
87016038c81f789516d2d59e59f889009f649fb967904073d41b9b7a56a746f5

SHA512
a5887966b1ae1b3a3050c1a8d714d19c868bfd954c094eef756eaeebfd1e1d210a3fab59cf1b4c661f447cbb4636a81177be15ff2d6837169cf300d83503d623

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f27c692660f403d7de78201f9e23eaf9

SHA1
032dc4659472e564b2d6be88536638a865261cd7

SHA256
c84f18417b1d253b74f191492524f1ea5288dd455937a8f3a5bc0914bea5e7b2

SHA512
87ce0b32fc8763927f26dcefcd2d768b3360bfd7a1e4635b2583f1dea373561aecc3e98c4ce7dc8522ed5ff2fc374f64796ac1b782891184c81d9cd128e37b1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b78fe4d104fe9a8ee76ff54465e9a8fa

SHA1
8dd57b38d1d60d99af7144b15149519544f95a06

SHA256
8fa6d442b413cbd29fc6fbc68070d5d24e7772621cb48aa3c439513def4d2865

SHA512
414de304fe9027bf18d3a1d88d1aed2690ce97487a988f6e5fa1e7ad6204c27906462bb14c442b0e21c1fff924eb1afa1a0c9d680ce6df6b6e3fd824bb7a21b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a57c7702e38ca9e034ad9abb195c7c23

SHA1
f3c30583737bd0440ae5c885ded694b8f7011669

SHA256
d9d360379671d407c0f90b5d631a7e9fd0f54520e86b93973d720d2ee16bbb4e

SHA512
eee488913d970ef0bfc116fb4a98c397c76c5876d3ce2819163ecad2127c7b29c0cc561d5891fad09570b8f27e7a21fc000c16415d6d0809cb6eb686de29f045

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
964eddca6bf06ec3f8b736da593197d1

SHA1
40cc87d73aac7f73c36fffc7f3d44ddb1923da3a

SHA256
41d391ceb335fccc7ff2c4da1ca0bb216ecec3603308717ee6b761f1ab584410

SHA512
fd4048fcb21c6ac48bb4b8bf1cd274a44f7136fc2e906f8702fdb9cb15f281c0a80059b0530d56f07335d5751e8fb7009a1994daf2363caadd770a64d8326359

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
7ca00d331d780f1963b24ed8ef88a961

SHA1
ba53982e87f897695fe4a88df63a2572d1cad9b1

SHA256
b455b640fd0c6de35006a8d7610aebf93630dba480095599b4c41b29af32db19

SHA512
e9a75408239ced54026ef8f428418b49541e119a24888b275757b7758808edab99603c4306acda7321e53a56c355f1d40704ab367915825dbbf7d820f4f511f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1d05a171c54aa400d6bde2dd5c07e0d8

SHA1
877f87699ce3622b4e6ab3ba585f5bb9f6b717a8

SHA256
0f15877c129569af6bd7b9b7b768c1a32e3469b0c9b9e65f354f0392c554e6bb

SHA512
b367dabceca84ac600f344d72b094f65d71be9c181c95966a85fbec82445bb14b9caa64a2630bb207000a6c915e487f86659dba3400b696f6fb524db8afe7aa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
9f2a207c5fa00ec56b505ddaca429cb3

SHA1
a2ecdbf1984d288da05e6e71a42df7c802a53479

SHA256
9e816dcaa90c14b0b909e9cb287ff7b358489aecd875a1dd1e069818f60c52a7

SHA512
7e7d238c792691bd32e744824324b52eaa97ba82cf747fa9ab22b4ca6211a24c3504da77765e702adde26af5975703d2851a2c4f9b93f230db19e65ab66b4621

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
2f825d77b6e3012a0e08dcf12ddddb42

SHA1
985d3cc9d5c6b3e29a61dad0fb860ee0cfd86269

SHA256
987fc90cb09baec0b3753c88ab5995c0d8bf0a50f0809ecaac57a586cff5d75a

SHA512
4d4168cb5c28a18290d58d1c2b74d4a9ba607ecd27bf617034287c65225c94e351cbb8e78c5efd7b712898ccdb2deeee273f928d29d17387e0e79bf1774ad004

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
b3f8c51107f75185d4735fcd6f3cf493

SHA1
9e472b75125708ea8030465422968bba788a5ec7

SHA256
09bfab7dbb00c9aa3174aa2c459bc2631d81e8f7570fcb6166c485f0dde13bd2

SHA512
314f5e21b8d64c902cc57e8e3e4974ef6618450ce38d6f9f1d09bcc769452b099cc1c8f833b90ec1d7cac0d0d30f484421a656ce4fe5307c1bec023f58e7a27e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d26c65ac4d5702c3c5ee893adac87f8f

SHA1
9ed56a14ffbaa0b75ccb83ccaf54295246e2ab9c

SHA256
c5f2842d411daf81e3da027eac012cda53c5f4ebf882bb033ec08f20f444dce0

SHA512
6d4f2554a32e06e2cf00a4257f3d35ade468a995ecdeb4981b7eacc279939e2449caca1b988e2ac830ffe9264c09b94e8410941142821049cd72496c93d3bd67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e7a37bdf513175a5fad0c8d922974012

SHA1
edde64fc4001d510b84c50fdb5cd962ec7e2cf28

SHA256
b0fdfb7957f39f31e90d548862a3a265aaee8be7c64212962ffb8cec3edc270e

SHA512
3149ed3c14bba2cfb9ecbf978484d81adadcd8c5ff1cb744db8f3e295cc8fdde7ee613b8ee1d9f5ae36bdcfc09f35db0e2aafa5cf628fb2a51e04d4bc70e1230

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3b2c4731b269f5b3a220abf93ae52d62

SHA1
86d79ec17f654bbe72234260bb141b0ce79abb61

SHA256
0c124aba6a787116464cd761842bae31b786364eac65503cc832361033389710

SHA512
9f75ea223022ac941018748d397fa8c378ba2c2065f18ec57f37880d021c07699f55bf066f92831699c0590f5fddfb6d05ec6cd84c2a1d56833a66dfd9c9ae08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
44904acd91d0d577fb50dd6676915a7b

SHA1
8fc98801b7587663e9c3b820ec6f41b43b10df7b

SHA256
33d5bf99b61f38c3830a714fbd2411a0ec53fe44a227f360f0fc2ca4716285a3

SHA512
eea94a395e93fcbc59feec9757113971f774c7cf5cfbe052283a4e43bc4b2fb193c32bad95f497223d2273cb08f9ebc40882137c61a0e695ca5599c5f00799d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
85fd61118e7a05fee8e2dd82393b4e05

SHA1
46ac7e33ad5babbdde46d301b10c754357014324

SHA256
0151f42870b8ae69a2c268a032f832b2c1e8c39aa253486ca5945a7a7e381ee7

SHA512
d8f8f99d406d6b95d23110e68372aa6dc8b4ae89fc6b096471602e96b79a0aa37f17b0f9cbe1012e9581fd94200a1b185b0074278c62a22b745ba6c784217301

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0fa5fb8dc943890bf536b2358d67c362

SHA1
0be2aa62445dfc7f4afc1a5f709bcf4f5696829f

SHA256
684574cfa646e8046f6f7edc9b6cae126bc6ea76a60d6d3e49beb59384a24752

SHA512
02122ae60eebb58ab8ad28dd38f5922d7aca17632a0a54965fdee0c5e28875113076f5a7fb0895de6efa95095ce51876b133bd6f8683dbe2efb229f8e943407e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
aab546242ea56b0ee6d49b498022ba33

SHA1
4ad5886ff348021ee683679ffc90b9deedfa2f0b

SHA256
3f7bc42a8688cf1d296e6347ca0bc51ca97f2d51a2cc5c088ddf5be5b42f6e2e

SHA512
5c2b816ac42a81ab2862cbe8aa90bb4c8ccaa7c1806115a9cce8c8048b1fcf7094066921b5ccdc64252089826a4e8f08777aef4680c5ae4cedda8115fa640da6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4e654cc0e6c425278e60b2bd96c09c7a

SHA1
488214c93b1e9746c670a8d36d74ae06b1771a28

SHA256
259779637a997ee9fdb5cebc4051b2e0d6f0ccdc8d01a6cba906a0c8d2afa216

SHA512
606e7964dcc8016e1f42d77c9865235b484fc038233e760fe766ab9360a89d1da88a116023d009373479fb1ccf9c86771aea25b53ffe66882e6ba16b01b743d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3d1285dd235dfe764d08c66d44650bc3

SHA1
de1e922254548000f71de384ec1c82455d4d48fa

SHA256
ef1e32fca0183a2ae62da8ad033ca8a5e2afaaec207af906877b4250fa4e4728

SHA512
8b065e0034c9d7ea4367c9dc95c564616341fd8e6cadb3aa854df516126f5cf9cb5f69cd4665207cc8def3877be7ceaa1013ae621b2efe63a501df1fb2fa06d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
16addc7f7bdde422cf2a971dc6249d52

SHA1
a1d8b5841dd8bc6dad4af961a0dd121e789c51c4

SHA256
f78aef917c1ef25a7d35ac8b6fb686fa4b8cfefccbb9719cfdbd06591e92ed3b

SHA512
cdba0f8c46d9ba0e568e6fce84b61342d45161dd1c65fb9628e71ae65faef556223ff12bba6e73f0ac0f287176cf49ee91cda75de33c678f5edfb1fd7fd606a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\67a473248953641b_0

Filesize
2KB

MD5
686246cef448dac768a8989a9247b913

SHA1
f16c946a3eaeeca56754df620846241d73bd67df

SHA256
5d7ee4be2f32ab6cc405aed7b9aaa79a6b56af0caef7fd429c36bc395f2317bd

SHA512
578ddef10b2dc4082d8e7fa9e921ab01e5dce0155c47525aa550103fcf4ebdb1dc883696903bff2a9b435d0ec802cb755b1b28d6b49ea7b241f40d674f2a9411

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
49967eba24071410e2ebf562f35c0a03

SHA1
7e00cefa46691591eea498c5269a3acb2e82acae

SHA256
57c1f0b79ece8204949bc0696b5db0a4ff55789e411c0f37a31692b669a02ccb

SHA512
b60f55ae98498c1548332e4e72d8cf870f32caf46b6be79977317785e6326372a21af9545c44c1112f84e68da8fb4cf234a598fa9283b06955f21d6faf3ac571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
38b02d4e2e96e96c230a56b8a49d84b4

SHA1
07d2c7d960f0fc182a7ce810ce7bbcd20d7e0897

SHA256
6982908d19ce79aadc82a6755200c0cabb30900c978fe30df3f11e95c8cefd49

SHA512
2a2a9555086bda8b46ce3ebd0fdca00e9819332b82f81679484d9af537336702bbe85aefbc24f1d7fe8abe0addf1751b946f4c33e69ab294af43a314155a7c14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
11e9f9ab72f0a155f897c7254684894f

SHA1
42a9a67f9fc292656844d7f2e8602432eedae1ba

SHA256
51490db1ff95c85234bf3b68b68d3a9e47fa62ffe3b1e2e830285b3237feada1

SHA512
1da0ce292a2f5f3bf2550939a410c4f19949ff271b575d38af10e97ea4c2f7ff1be71c513681f55c5b7e9625e82e27baf5f49eb8a83ef48acb361a235fb31ac8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\fcb6256d-433f-4f95-9a85-0169ef2400ce.tmp

Filesize
231KB

MD5
bfa6c002af0e4f66eb68fa0b86a58bf7

SHA1
8a4e40b92eb63298fc73f29001497b7492f7d354

SHA256
66745913bf1dff491f64365cc0ac39aeb9cb4e1aa7dcf27e85f59913919f885d

SHA512
8b1a8a79c6802ae880e7af730ade88c9d590a2f170b29b7b82afd2278ea18dadfc0b6dec2c796b386bd6504a5c692a3473d211f78c92a0f436d35e38d35a960e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
571KB

MD5
169b6d383b7c650ab3ae2129397a6cf3

SHA1
fcaef7defb04301fd55fb1421bb15ef96d7040d6

SHA256
b896083feb2bdedc1568b62805dbd354c55e57f2d2469a52aec6c98f4ec2dedf

SHA512
7a7a7bdb508b8bf177249251c83b65a2ef4a5d8b29397cab130cb8444b23888678673a9a2e4b1c74cc095b358f923b9e7e5a91bfa8c240412d95765851f1dd87

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
1.3MB

MD5
0a1e95b0b1535203a1b8479dff2c03ff

SHA1
20c4b4406e8a3b1b35ca739ed59aa07ba867043d

SHA256
788d748b4d35dfd091626529457d91e9ebc8225746211086b14fb4a25785a51e

SHA512
854abcca8d807a98a9ad0ca5d2e55716c3ce26fae7ee4642796baf415c3cfad522b658963eafe504ecaed6c2ecdcdf332c9b01e43dfa342fcc5ca0fbedfe600e

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
410KB

MD5
056d3fcaf3b1d32ff25f513621e2a372

SHA1
851740bca46bab71d0b1d47e47f3eb8358cbee03

SHA256
66b64362664030bff1596cda2ec5bd5df48cc7c8313c32f771db4aa30a3f86f9

SHA512
ce47c581538f48a46d70279a62c702195beacbfafb48a5a862b3922625fe56f6887d1679c6d9366f946d3d2124cb31c2a3eacbbd14d601ea56e66575cdf46180

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4932_1510463891\249261c9-6c91-4271-9771-b02882e507d6.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4932_1510463891\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
271KB

MD5
f50e22758e93eb1feae57f8d65fc98b0

SHA1
c94fb9ba4a7f0cccb8f047d76aff9ed8c82995f7

SHA256
0493ccedd654e3a966e043817381974529b991c163e35e10402d8752e16b675d

SHA512
cb63fd6dbc58d53409935522751c35d3fff5117b4e33db3b765588024ab06f03ca12413cc687c56776bf14757c1491d999930c061222d9bd8678437bcfcbd2e0

Download Submit
C:\Users\Admin\AppData\Roaming\wHFwFZJTJLXPPRRDTuDDDHXJJEQ.Admin\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\wHFwFZJTJLXPPRRDTuDDDHXJJEQ.Admin\Process.txt

Filesize
730B

MD5
a2e27950ee0363fd23e0efc1d4b74592

SHA1
5ee55468d1a873e089351316f4255494cce6f5c6

SHA256
e626050ec813f0a9930b8d4d43549bf4c22bb8c3827e238fb472bbb6b093ef96

SHA512
ac5c80f9ef84435589721fa7904a13d62508aef25e66db399a148a2f73c0962b346be7cc8fe55e3ba554d1e79bf87f2f6ec2562d3c8ffd4774a1e870c2367ea5

Download Submit
C:\Users\Admin\AppData\Roaming\wHFwFZJTJLXPPRRDTuDDDHXJJEQ.Admin\Process.txt

Filesize
1KB

MD5
67ab1a416e3fa3ed5bb16863eafa9246

SHA1
003a827cd10eef1f42327c645867959848f66190

SHA256
46c19149e8c68230f1c2f826bc1065df184f1b75c60b3c5a968da274afba8a7e

SHA512
416e927403fe37a5ef38332cd4aef5cd75c415b22fa23667ca884c6cba735e3d8e7115115a632d292822f2445cb2324807a1ea74e2e4276c9810bd8b8ed2bbd3

Download Submit
memory/4180-73-0x00000000050C0000-0x0000000005152000-memory.dmp

Filesize
584KB

Download
memory/4180-187-0x0000000074D60000-0x0000000075511000-memory.dmp

Filesize
7.7MB

Download
memory/4180-182-0x0000000004E50000-0x0000000004EB6000-memory.dmp

Filesize
408KB

Download
memory/4180-83-0x0000000004D10000-0x0000000004D32000-memory.dmp

Filesize
136KB

Download
memory/4180-88-0x0000000005F00000-0x0000000006257000-memory.dmp

Filesize
3.3MB

Download
memory/4180-95-0x00000000065C0000-0x00000000065FC000-memory.dmp

Filesize
240KB

Download
memory/4180-183-0x00000000057E0000-0x0000000005856000-memory.dmp

Filesize
472KB

Download
memory/4180-89-0x0000000005E20000-0x0000000005E6C000-memory.dmp

Filesize
304KB

Download
memory/4180-184-0x0000000005760000-0x000000000577E000-memory.dmp

Filesize
120KB

Download
memory/4180-87-0x0000000005E90000-0x0000000005EF8000-memory.dmp

Filesize
416KB

Download
memory/4180-77-0x0000000005070000-0x00000000050C0000-memory.dmp

Filesize
320KB

Download
memory/4180-98-0x00000000075E0000-0x00000000077A2000-memory.dmp

Filesize
1.8MB

Download
memory/4180-50-0x0000000074D60000-0x0000000075511000-memory.dmp

Filesize
7.7MB

Download
memory/4180-34-0x0000000005480000-0x0000000005512000-memory.dmp

Filesize
584KB

Download
memory/4180-31-0x0000000000110000-0x000000000015A000-memory.dmp

Filesize
296KB

Download
memory/4180-96-0x0000000006600000-0x0000000006621000-memory.dmp

Filesize
132KB

Download
memory/4180-94-0x00000000078C0000-0x0000000007E66000-memory.dmp

Filesize
5.6MB

Download
memory/4180-30-0x0000000074D6E000-0x0000000074D6F000-memory.dmp

Filesize
4KB

Download