fe13d90d6b687cd2f5ef09f5442ba7771f576cf8814542f252c62940625e9bac

Resubmissions

05/01/2025, 15:27

250105-svzd1szngr 10

02/01/2025, 15:39

250102-s3ysfswrgt 10

02/01/2025, 15:36

250102-s19f6swrbw 10

Analysis

max time kernel
602s
max time network
639s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
05/01/2025, 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-02_f13196fb4909a242e615ac12ec069b2e_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
Size

5.0MB
MD5

f13196fb4909a242e615ac12ec069b2e
SHA1

780cb0f18b61462e2589ad43e07f7d238777ef8e
SHA256

fe13d90d6b687cd2f5ef09f5442ba7771f576cf8814542f252c62940625e9bac
SHA512

fe86652e792708676b3010e4ae6900d4cc7808d18c4d7379823670d99b0b7b45667e1d25b95f8f3deb1f6180a9ee34f5fa7c32f62ccdd675148b2dcddebad6c8
SSDEEP

49152:r56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6liK1uOCeXvpnz:r56utgpPFotBER/mQ32lUR

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-02_f13196fb4909a242e615ac12ec069b2e_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133805644783136708"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
424	vlc.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
248	chrome.exe
248	chrome.exe
2988	AcroRd32.exe
2988	AcroRd32.exe
2988	AcroRd32.exe
2988	AcroRd32.exe
2988	AcroRd32.exe
2988	AcroRd32.exe
2988	AcroRd32.exe
2988	AcroRd32.exe
2988	AcroRd32.exe
2988	AcroRd32.exe
2988	AcroRd32.exe
2988	AcroRd32.exe
2988	AcroRd32.exe
2988	AcroRd32.exe
2988	AcroRd32.exe
2988	AcroRd32.exe
2988	AcroRd32.exe
2988	AcroRd32.exe
2988	AcroRd32.exe
2988	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
3428	OpenWith.exe
424	vlc.exe
4368	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe
Token: SeShutdownPrivilege	248	chrome.exe
Token: SeCreatePagefilePrivilege	248	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
248	chrome.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe
424	vlc.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
3428	OpenWith.exe
424	vlc.exe
2272	OpenWith.exe
4368	OpenWith.exe
4368	OpenWith.exe
4368	OpenWith.exe
4368	OpenWith.exe
4368	OpenWith.exe
4368	OpenWith.exe
4368	OpenWith.exe
4368	OpenWith.exe
4368	OpenWith.exe
4368	OpenWith.exe
4368	OpenWith.exe
2988	AcroRd32.exe
2988	AcroRd32.exe
2988	AcroRd32.exe
2988	AcroRd32.exe
2988	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 248 wrote to memory of 4972	248	chrome.exe	80
PID 248 wrote to memory of 4972	248	chrome.exe	80
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 2836	248	chrome.exe	81
PID 248 wrote to memory of 3552	248	chrome.exe	82
PID 248 wrote to memory of 3552	248	chrome.exe	82
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83
PID 248 wrote to memory of 3896	248	chrome.exe	83

C:\Users\Admin\AppData\Local\Temp\2025-01-02_f13196fb4909a242e615ac12ec069b2e_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-02_f13196fb4909a242e615ac12ec069b2e_cobalt-strike_cobaltstrike_poet-rat_snatch.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ff8d391cc40,0x7ff8d391cc4c,0x7ff8d391cc58
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1764,i,13881463098769319967,3663470867100877462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1756 /prefetch:2
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,13881463098769319967,3663470867100877462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2116 /prefetch:3
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,13881463098769319967,3663470867100877462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,13881463098769319967,3663470867100877462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3232,i,13881463098769319967,3663470867100877462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4484,i,13881463098769319967,3663470867100877462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4440 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4464,i,13881463098769319967,3663470867100877462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4796,i,13881463098769319967,3663470867100877462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4744,i,13881463098769319967,3663470867100877462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4328,i,13881463098769319967,3663470867100877462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4740,i,13881463098769319967,3663470867100877462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5076,i,13881463098769319967,3663470867100877462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5380,i,13881463098769319967,3663470867100877462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5316 /prefetch:2
  2⤵
  PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4208,i,13881463098769319967,3663470867100877462,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:2700

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2888

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:768

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:3576

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3428

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\OpenTrace.mov"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:424

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2272

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4368
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\ExportShow.ps1"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2988
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4740
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5F8A9B2B26DA22A2EAD04891F778BCEF --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1948
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=15BBE0A5B6F9A9BFFF96471674C3996D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=15BBE0A5B6F9A9BFFF96471674C3996D --renderer-client-id=2 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:1428
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6F2FAAFB629574471F20D85631FD3F76 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4228
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EFBE0C6D46916D95E59C84EF5DEA5E63 --mojo-platform-channel-handle=1936 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3344
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E0EE88652E442D673593366F0A8F188C --mojo-platform-channel-handle=2540 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
aaf50ab7e049059409db7a077355df54

SHA1
e8961f0c06c80d8412b18741bd8dece2ab9af4df

SHA256
54b06df2d4a0db4d3599f4e3579c5a1d2a5e42966f421b2752dacf70ffa9e1b7

SHA512
5b11b8d2fc8715308487d26b9073d5f8a41042e5d668f5f29ee8f9a2396c3b5b55a5a73c906c38127db7fbafad883b0acce78cc2b6686f6c3ea730d7e93282f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
088cf7fb094661a92622596c9f28cfc5

SHA1
5d9d62f4bb5ceba1e082d4aef48fd576e0601cee

SHA256
463c95248de5a56ec88d8a9c719b6c61eb214f8ff912cae76ab1a47e21a9b337

SHA512
a93bccbc7ab9ca848024f292e5949f5edb6e4a6f5a2c12f3b25883d1fc6204fad0d89ebf47ef66ebbf8fb38cb3851bce38badbe7909968d7697e604c328329b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
e239cf41781f8f3fff39d029cfafc3d3

SHA1
28464b17a6e47da5e5981aa3a513125fd5de509d

SHA256
d6f02e401efeb6f8a25f0a7467b4807965a640180787f3fafc224a7d29bc27d3

SHA512
ada83dc84a52087894f5817b7e43a1003a6d2dcabe00aced83344d7263319cc24c1552e6221307691b2796b0f54244a885087a7bc68b0b6a02eabdccd46404b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
19fec84ac07bc1ddacd66fc899123263

SHA1
817858f249fc7f5e209902339d87827135b89bb7

SHA256
864fb422b1d9ddfbdf768e3f6c7dd0757d3fc835ccc4d35a3a1b8ae7534cba2d

SHA512
7bf30c6c7af0e45094f5cea26391e754a1777f39a4d7683e29803bd909b123c6801e681115f7faf6b82015a328aa810f1ecbb592868fc268405518024eb6769c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
80ff0998ab4ea4c0c2d7262a0d2ee98c

SHA1
e1180c16c1cb64746bc2ed041b60bf71682ff7b3

SHA256
27bdc345344340edb1067026c9204fc5f8b7ab775e2787ae11aa1cf0f3acdf48

SHA512
7606f4dcdff8a5d68098aa7503ca4754a50f4bdad6305e7d542df01480c606728674575833ae89d31424e5cc2d607a8a229d6c2d08286af481540d72c001f1ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
978a0252ab6cd0f7e54c88967e2e9f32

SHA1
177941fdc79638e4a1832495b6466e4daf4a6ac2

SHA256
e420099abbcfaa38f291fd4733de2d90642a51f5918ada57bfd31a215f4c2d9d

SHA512
59fc864f92e7b6328d5f2889782d9eccf9a0116bc0fc5c42182a22e879d4ec50e1f994cd327b20255856f18da4b9f571b056bebb5575510231a626ce09b0a274

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
27447de698e036792c22980bbe9ba4aa

SHA1
dd6c5143c9589f84a11bbd99631032806c7a6922

SHA256
51db9d7367b5f6b15021bd3f83250ec6a1c9ab92f74f8f4e257daea01f5d5a37

SHA512
90156da9394f1ba76b8956411413c7b501023f0af3bf09668338fa56a21ed077226b7053eebe9f19a03e1634f6446c19a3f4771da1e02b9dd7f543d295915777

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
50750d8a0550cfbbfdf1fdab879a0457

SHA1
d35e2429931419a18b75d628d5654072d7f42db3

SHA256
1a975bb41dfa638d93a2e16670cee60a41360f3145543ddfb95fae3e5625d230

SHA512
af10513a0d2d0ca616f83ad9c3a79b520d95419f37b57ce602692498890781eeebb120f1959c807b638bd77b64505f72364bc1eae2bb57d8cb54979387a93385

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1114f0d587ad998837de342bd2d41987

SHA1
5109c56d666ead6cc82280d7dd990007ea5b2942

SHA256
9396003c673538a34e66e2ad1c293aef802d20d2a8e04dfb565033fb1fcf90ac

SHA512
ebe9316aeca264be433bd60266306afdd0826db20c476c30f7871b4ff44439b97d4a47e9619a8caa1e1a5d9500b0afe332c970ee4a36966088ff1c34b5f58ff7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cff4cf6075190030b8d9281c4dc528d1

SHA1
12ef3baa2f04a9be62ecba6a0084a1ecd637541f

SHA256
3791b8cc1b8f6cbba5855e758cb1b6eeb421b399a185e8be319f2db7e500a6c2

SHA512
65758d4553eb14e43317358041363c28933eb49c2de9a480c5234ef7df5bb848cf4dfd0e4a592f5db672c593d9f33a119ea72a1bc034a27ce4c9e57369afb407

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
44ea2c6edcd214327bb6833c78d2b7fb

SHA1
dfdfdb4865dbf1fd3d3cb286ddd52c758072202e

SHA256
097815b2aaebd078ef469107a014bafc30ec7dc98a4d1fc39e2bb4398461a183

SHA512
7820693589346cd3fd9cc60473da1774595df992792cce9b68f0594e0e528e053b68945e2c747fb17e4dc8cf6359fcf96167ac5605d13e6c63bd27e5a4396bf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ba48a7ce-3f25-4b64-9ef4-36f8e796ea2f.tmp

Filesize
15KB

MD5
b0a516846117ea1aacc2426addd25351

SHA1
6f1404140da933ed6d5ae711d4d87d5119d10b7b

SHA256
a738f6ac9da675d7a7c861de367880e645507dd7933b65acc9df05d360715649

SHA512
d0b3d8599b94c0ac3d9c1e431cee9297f2a7793e28dcee317d510bcb5f0795cdf090705692b8f82d7b9cf47c0374a3db1a1e5fb13624a16bb261f5fd5a840e0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
b56258f01ccab31a95be9a7a31b9586b

SHA1
b3ad117ec315c2fc99779592b8fcbdf9e114e852

SHA256
314d5920b0edaf025c2ab979315824dc27288ba4ebb6f4995cad1d00677e17c7

SHA512
8e727012b2476ba246f7f9e8ab57754a9f29a99cf428efdf2c31969a3e4e55f596a3555e4e63003c81d2e89e20a3774f4cbb27b1c3ec7eec5f6dd08f886b9d0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
cf27f51d1cc33ba4fcae018fb401de79

SHA1
329193448a0dec86b372558d2db4b01f826dedf7

SHA256
7f5391acfee9aa8b1a8f4352e8608fb7520837bb5c83281a31768609cb7de02c

SHA512
130679fcca98bba4f2950fc434796bff103713cb766ae9b4290a86880d5474e954f58722a8ec04ea14d94bd98f4f2a5ed3e599b4d7ff0816466e15da85aa5d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir248_2042459064\4303340c-1ee0-4b51-ac1f-2f187f5ce1c7.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir248_2042459064\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
74B

MD5
d4e590d668b60f43fd0b07093d750e76

SHA1
6cf411f9a7315b540581be5e92a673c92455c7c4

SHA256
aa709da61005adfe436ba9ac7acc6047ee3dbc0f4b5c30fbeeeac5e79cb7e49d

SHA512
2d9d041bc078f17aa9fdac0f8b385730d39904be7d9b08aac0eeccfc620ba5b7fc260542988d38c54e0d00dcbc58b5289aefff6eab3dd3c78787caf4f28c341e

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

Filesize
17B

MD5
236c820b7ff5532ac29596b7288f16c2

SHA1
6952b7a1927ee4251e5c630d3850d9bbf62789f4

SHA256
dd5378c369f65ffcb11056d4bdf0ba37871a62129fd30598cd4b85ec71c35e32

SHA512
941e28347de1ac3e6ad83c1a8683f82f3b8ba3cbe57ad65e61645241a4fc7ae561f1ee7c3e2e553fec9155aaaa734ffb53a1e6267c5ea2a59dffa9241470ccf5

Download Submit
memory/424-649-0x00007FF6E8E30000-0x00007FF6E8F28000-memory.dmp

Filesize
992KB

Download
memory/424-650-0x00007FF8D3FB0000-0x00007FF8D3FE4000-memory.dmp

Filesize
208KB

Download
memory/424-651-0x00007FF8C2240000-0x00007FF8C24F6000-memory.dmp

Filesize
2.7MB

Download
memory/424-652-0x0000023F323B0000-0x0000023F33460000-memory.dmp

Filesize
16.7MB

Download