netsupport | hxxp://gemini-desktop[.]info

Resubmissions

08-01-2025 03:25

250108-dy5ymstrem 10

08-01-2025 02:37

250108-c3735asndl 10

Analysis

max time kernel
269s
max time network
259s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://gemini-desktop.info

Score

10^/10

netsupport defense_evasion discovery evasion phishing rat themida trojan

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	client32.exe

Downloads MZ/PE file
A potential corporate email address has been identified in the URL: /static/images/[email protected]
phishing
A potential corporate email address has been identified in the URL: image@url=%2Fstatic%2Fimages%2Fwhite_caret_down.png&w=32&q=75
phishing

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	client32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	client32.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.lnk	driver.exe

Executes dropped EXE 4 IoCs

pid	Process
4628	gemini.exe
780	gemini.tmp
1680	driver.exe
2040	client32.exe

Loads dropped DLL 5 IoCs

pid	Process
2040	client32.exe
2040	client32.exe
2040	client32.exe
2040	client32.exe
2040	client32.exe

Themida packer 20 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0007000000023cb4-291.dat	themida
behavioral1/memory/2040-299-0x0000000011000000-0x0000000011B06000-memory.dmp	themida
behavioral1/memory/2040-302-0x0000000011000000-0x0000000011B06000-memory.dmp	themida
behavioral1/memory/2040-301-0x0000000011000000-0x0000000011B06000-memory.dmp	themida
behavioral1/memory/2040-300-0x0000000011000000-0x0000000011B06000-memory.dmp	themida
behavioral1/memory/2040-303-0x0000000011000000-0x0000000011B06000-memory.dmp	themida
behavioral1/memory/2040-310-0x0000000011000000-0x0000000011B06000-memory.dmp	themida
behavioral1/memory/2040-311-0x0000000011000000-0x0000000011B06000-memory.dmp	themida
behavioral1/memory/2040-324-0x0000000011000000-0x0000000011B06000-memory.dmp	themida
behavioral1/memory/2040-325-0x0000000011000000-0x0000000011B06000-memory.dmp	themida
behavioral1/memory/2040-326-0x0000000011000000-0x0000000011B06000-memory.dmp	themida
behavioral1/memory/2040-328-0x0000000011000000-0x0000000011B06000-memory.dmp	themida
behavioral1/memory/2040-329-0x0000000011000000-0x0000000011B06000-memory.dmp	themida
behavioral1/memory/2040-330-0x0000000011000000-0x0000000011B06000-memory.dmp	themida
behavioral1/memory/2040-428-0x0000000011000000-0x0000000011B06000-memory.dmp	themida
behavioral1/memory/2040-429-0x0000000011000000-0x0000000011B06000-memory.dmp	themida
behavioral1/memory/2040-430-0x0000000011000000-0x0000000011B06000-memory.dmp	themida
behavioral1/memory/2040-854-0x0000000011000000-0x0000000011B06000-memory.dmp	themida
behavioral1/memory/2040-875-0x0000000011000000-0x0000000011B06000-memory.dmp	themida
behavioral1/memory/2040-892-0x0000000011000000-0x0000000011B06000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	client32.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
90	raw.githubusercontent.com
91	raw.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2040	client32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gemini.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gemini.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133807806041147268"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 178818.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3740	msedge.exe
3740	msedge.exe
3400	msedge.exe
3400	msedge.exe
3596	identity_helper.exe
3596	identity_helper.exe
1908	msedge.exe
1908	msedge.exe
780	gemini.tmp
780	gemini.tmp
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2040	client32.exe
2040	client32.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2204	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe
964	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	taskmgr.exe
Token: SeSystemProfilePrivilege	2204	taskmgr.exe
Token: SeCreateGlobalPrivilege	2204	taskmgr.exe
Token: SeSecurityPrivilege	2040	client32.exe
Token: SeSecurityPrivilege	2204	taskmgr.exe
Token: SeTakeOwnershipPrivilege	2204	taskmgr.exe
Token: SeSecurityPrivilege	2204	taskmgr.exe
Token: SeTakeOwnershipPrivilege	2204	taskmgr.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe
Token: SeShutdownPrivilege	964	chrome.exe
Token: SeCreatePagefilePrivilege	964	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe
2204	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 4560	3400	msedge.exe	83
PID 3400 wrote to memory of 4560	3400	msedge.exe	83
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 5044	3400	msedge.exe	84
PID 3400 wrote to memory of 3740	3400	msedge.exe	85
PID 3400 wrote to memory of 3740	3400	msedge.exe	85
PID 3400 wrote to memory of 2124	3400	msedge.exe	86
PID 3400 wrote to memory of 2124	3400	msedge.exe	86
PID 3400 wrote to memory of 2124	3400	msedge.exe	86
PID 3400 wrote to memory of 2124	3400	msedge.exe	86
PID 3400 wrote to memory of 2124	3400	msedge.exe	86
PID 3400 wrote to memory of 2124	3400	msedge.exe	86
PID 3400 wrote to memory of 2124	3400	msedge.exe	86
PID 3400 wrote to memory of 2124	3400	msedge.exe	86
PID 3400 wrote to memory of 2124	3400	msedge.exe	86
PID 3400 wrote to memory of 2124	3400	msedge.exe	86
PID 3400 wrote to memory of 2124	3400	msedge.exe	86
PID 3400 wrote to memory of 2124	3400	msedge.exe	86
PID 3400 wrote to memory of 2124	3400	msedge.exe	86
PID 3400 wrote to memory of 2124	3400	msedge.exe	86
PID 3400 wrote to memory of 2124	3400	msedge.exe	86
PID 3400 wrote to memory of 2124	3400	msedge.exe	86
PID 3400 wrote to memory of 2124	3400	msedge.exe	86
PID 3400 wrote to memory of 2124	3400	msedge.exe	86
PID 3400 wrote to memory of 2124	3400	msedge.exe	86
PID 3400 wrote to memory of 2124	3400	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://gemini-desktop.info
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb315846f8,0x7ffb31584708,0x7ffb31584718
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,15411221046743596557,202766069330791864,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,15411221046743596557,202766069330791864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,15411221046743596557,202766069330791864,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15411221046743596557,202766069330791864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15411221046743596557,202766069330791864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15411221046743596557,202766069330791864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,15411221046743596557,202766069330791864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,15411221046743596557,202766069330791864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15411221046743596557,202766069330791864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15411221046743596557,202766069330791864,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15411221046743596557,202766069330791864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15411221046743596557,202766069330791864,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2204,15411221046743596557,202766069330791864,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4080 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15411221046743596557,202766069330791864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2204,15411221046743596557,202766069330791864,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2204,15411221046743596557,202766069330791864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,15411221046743596557,202766069330791864,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5088 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4156

C:\Users\Admin\Downloads\gemini.exe
"C:\Users\Admin\Downloads\gemini.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4628
- C:\Users\Admin\AppData\Local\Temp\is-PM7C5.tmp\gemini.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-PM7C5.tmp\gemini.tmp" /SL5="$2034E,107203419,761856,C:\Users\Admin\Downloads\gemini.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:780
- - C:\Users\Admin\AppData\Local\Temp\is-J9RDE.tmp\driver.exe
    "C:\Users\Admin\AppData\Local\Temp\is-J9RDE.tmp\driver.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    PID:1680
  - - C:\Users\Admin\AppData\Roaming\update\client32.exe
      "C:\Users\Admin\AppData\Roaming/update/client32.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C del /f /q "C:\Users\Admin\AppData\Local\Temp\is-J9RDE.tmp\driver.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1760

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb269ecc40,0x7ffb269ecc4c,0x7ffb269ecc58
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1776,i,10519913584576162279,4919155605219594350,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1772 /prefetch:2
  2⤵
  PID:4284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,10519913584576162279,4919155605219594350,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,10519913584576162279,4919155605219594350,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2392 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,10519913584576162279,4919155605219594350,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3400,i,10519913584576162279,4919155605219594350,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3708,i,10519913584576162279,4919155605219594350,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4544 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4744,i,10519913584576162279,4919155605219594350,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4784,i,10519913584576162279,4919155605219594350,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4652,i,10519913584576162279,4919155605219594350,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5160,i,10519913584576162279,4919155605219594350,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5164,i,10519913584576162279,4919155605219594350,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4896,i,10519913584576162279,4919155605219594350,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5248,i,10519913584576162279,4919155605219594350,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:2
  2⤵
  PID:3584

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
05912c819b08f93c04e6c77cee8cffe6

SHA1
8b74b7d2d98ac79d48973c9eeead0fff11e5ffe5

SHA256
167921d5993427743a66de5ef4806450374efd27c041adecfb32a0bc8ef9fd74

SHA512
ca3351296c52ebf9a68a34bb1b0fdb4c7d8aa6d6071b33159b4f07d38b3bde5679258791b3dd5ac2de927ffaa83038b95f0d616466bc389a90e70931b2568983

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
3900f704b35047ae48593a00530f79f6

SHA1
e9cb28401fae32f2ce78f4e1fcdf74a0821709dd

SHA256
3fdb3196a8d38ea7a8bc4b4512612d54b1481f9d4dead12b9d11dbcc7501c1cf

SHA512
ebb9a6ead4f84c177fa53f6917e1425261b83aff266e89564868561eb7ef6481fe6beca121041263d20bfba1b453106bd39501d9c2656dcc9741eec41b1f85d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e33b44d515d11ac598468089c0b26e1d

SHA1
9706471a8d94332fdd3415122735ea1968e623f8

SHA256
08011660026f65552bc3293733be936685f0c0cbee6f98ba6972f760cab0dbf7

SHA512
a1d29632b7556bbe793c8a3f06b3d358a7e904022e5d62e4c596c18b9bad35a4197ae4dc6e8d30dc08dac9ad74b4f8ddd77003b40e0485f6115e52d1ac3d8ef3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d1c713a393307e16e81d2312a133b465

SHA1
ff93433626d57015a8106ed2be01393e6af5c13d

SHA256
a4b24a53ef991c1fd30d8b60c8d5cf9cfa3dd51da417c52dd249593745b5493c

SHA512
f57f2f60687a9cf9a85d307976dec1ebc5cd109a5de264b15121932c18885c50c58b2bb2d67be8cb23bd59a00d75b2bb527ff22bfc610bbfe880483ab252e8a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
947c1f018ee94474364298ce042acd87

SHA1
81135fa3540621582b3cd5c4e9423b6af338c1c9

SHA256
aea91be41ea6bf8b381a7c4eef6bfd5abdb8ed2f4f49c69b570df2e05ab6c7dc

SHA512
80256560db4831ec74f6ef5e5bfb92025a9fca23710513f96d87c8ff0d280615994e30f91259672046ed7d9a1628fa279388a6a76fe8b581817830f524f00855

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
1a5f1cac7f343523e61647673dc2eef5

SHA1
7f9fb1b89539fbe851d2aa9d550a8f4f57710d9c

SHA256
d5f971468a59006b33836e82a16c049f49699257c84fc6bbe0926f486e1cadb5

SHA512
fb22cce94aaefd088fd2fe4290af3f3fc8a42bebf76e61ab0ff6ffd58c6893747366cd93046f369b3e441f3ec5ecd7bae83bd72e6b6b7bcb5a7bfdc1aa4ea544

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
5263be303063abe0217498effd98c68f

SHA1
231751a58fdfea34bb6d409c8fe31a364747a6f6

SHA256
822dd7e0726eba271fafe3a9bdb116a09c88e3d60734f79e2e3776c47ea0c017

SHA512
855c62b84016e1e7eb4891e8d8cdc9c29ec6cb7b292b7290b1fa4217654540dfb6d3a3b8be9e757f9ee5971964af8de93911a83ed3610ee4cd6922fe86c07e38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
181B

MD5
183257792c1a7dbe20f2beb32344d85f

SHA1
82d80b958e680d6e1f2fdaa417fa68de38264b0f

SHA256
08f2c28876e9dd5da8e646e67131f0559dc2a968921f26a06150cea58ab08265

SHA512
7a483112fd09a390264f2e7ad94b620c8665946bf34d09e8581e9ad92212dc1bb82e035b8f6620e07be8419b41f272d7f7922ac1704e4e35f5e9ed683e55e3f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5e5c4fc8831bcacf9ed65fa003e1bb80

SHA1
a8ccf9c249a574028e77cf96b423cf3256ff2495

SHA256
475ec815fb39d2945afcaf047739d5d2db94a0fc2b45f9abda660d5ac7b8503b

SHA512
6369353620192c3dca883c7a388a3b9a67312c84c0fe15492df93dedcac26f3c4510403f951e888cb79f88702f48718bb0bd7f4614f838d21c5407dd65545d52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
062dafaeec7f3a56b0a1b3ec33146cac

SHA1
9aa27a0dca919a086eb16d253287b7123f201860

SHA256
bd19c86b2201628e231bada1c58e7bec9b7fd70500c18a4c5368dc81bab73708

SHA512
e95ddb94ef18a0953a84d314d1fbbf43d290bce899eb8af6daed7d9035ea70055b804e82188fe7a150a2a89949b5778fbf90e2fbfa987a79ca182e56146f7f81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b41b26d2a3938ad9add9774626b01c92

SHA1
3aafa573a1016231287fc1aa0182781c7204af96

SHA256
17d6ed1bc5daadb98349ded2a06efded0a8ea94753e79639effc174106f4e6d8

SHA512
017532fd9ee45fe6fa2dbb0cd40c298dc08efcbf13a40ef9734c14f94fff9da2fee3fdb2c930bac223bb17300d0c3f7f4261c867030f2b9c0a1a2d7e416f9f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dd522d2d1b09262aa4516c75d9855db5

SHA1
e337a05e0ce14eca88f40ac1e290d42e2d4de926

SHA256
0d601dffa292587f0550a4914d6bfc6ca28d8eb8c051861762bf5ec0e5264f1f

SHA512
632bbcb7a36844b45563fdfbaafdf30e86860d1d91a403b3077c6150a234fd6259fee1db0b8b795bddf4f4adb922886440bd111c20922c7e333d623d05ccdecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
744e00927e77c4e16e624b5f5a306aad

SHA1
0a532421874006479582b4cfc008f21b797f2422

SHA256
d08d05e4edcd52c86de71af027a1b65dd589ad9c5ff1cff6f2446b20770d88d9

SHA512
0e048d4eea7041ec0cb23101f7ffac56bcbdc05605a0e0a03c31312d788b7c9d02885cfe8b76454ae812e1761bd4f4e522f8a574c0f33c44cfdfc8f6d33405f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b3921b0791adcab0709d633b3f8b9994

SHA1
adbdbed786dc6f5d7607cfed6d923009618de4c1

SHA256
7848f849f2125fe0a8997b009a2e63023195a7adfce6274a6efe40754c7e57e4

SHA512
4d38254d857229bb1756b38d8d233839e01a189e1fe92799cfbeaa39044c08280f9e48887671e37eb878f3f5e30e651710b87c994b727c2285cc29c0be3544bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a490d93-0a0c-4579-ba45-f63b14b7c393.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\extracted_files\AudioCapture.dll

Filesize
87KB

MD5
7629af8099b76f85d37b3802041503ee

SHA1
f40a5efcb9dee679de22658c6f95c7e9c0f2f0c0

SHA256
2cc8ebea55c06981625397b04575ed0eaad9bb9f9dc896355c011a62febe49b5

SHA512
c209714ffdb0b95595583976340f2eb901eb9895f2f420afc4ca3c12744432e52fbedfd857b56cb347d4475df7678bd42d43f221208a108384e1df5aaf7d19e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J9RDE.tmp\driver.exe

Filesize
7.2MB

MD5
f0f8cdf115e89e3caab43f50658ba709

SHA1
19dfa9bc7437c7ec11dd4192700f2b9c9b324cef

SHA256
cfc26c6a0f8fec7312ba9c79a3d186cbe01867936c7ade98f201fbf9b6ab90a5

SHA512
697ad6802af19932003ea95ad0210b782d778ae41aefb1192a4ff58b05c1c124d9935df60e16e374dc7c1e0f4e197e4cb423dd10bd81cb8c6c6ffd44f48f972e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PM7C5.tmp\gemini.tmp

Filesize
2.9MB

MD5
9e3d21ba2007d8f2d178a26c21ced9f0

SHA1
cf39a2f89bc9d72404b74d19b48938f4ae3ee0fa

SHA256
21a8d0d1ac67a892e8d2e4f04e5fae2683bc43e384ef6d9ee6005ddea1b966a1

SHA512
295c7dc56c943b76fdc07a3505a081de21c2c8860b034c77780d8257ac8008fbeaa9240524ce08b2a6bb13530f780b669ebc5d8c5ebd6b0be840d7549bed76b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir964_1961049186\2424fe34-6153-4ab1-acb1-383724851071.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir964_1961049186\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\update\NSM.LIC

Filesize
259B

MD5
4e8ecebce46ceef1f6e29c71b6d3be94

SHA1
2345f5203dc819c33782d8f3632f13e835066392

SHA256
76f0b30a1d93469ab744ac81a2f9f96f180e5df964189d3f9b71aef2673dff46

SHA512
80c0949bc0842e036a3ee3ca2023af9465c3f9d6a18a028b1453630a6b1005c9d9b44747600c41899ad551a57510fbe845a7f06df04763ec278189f22b4d2b3e

Download Submit
C:\Users\Admin\AppData\Roaming\update\PCICAPI.dll

Filesize
106KB

MD5
67c53a770390e8c038060a1921c20da9

SHA1
49e63af91169c8ce7ef7de3d6a6fb9f8f739fa3a

SHA256
2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689

SHA512
201e07dbccd83480d6c4d8562e6d0a9e4c52ed12895f0b91d875c2bbcc50b3b1802e11e5e829c948be302bf98ebde7fb2a99476065d1709b3bdbcd5d59a1612d

Download Submit
C:\Users\Admin\AppData\Roaming\update\PCICHEK.DLL

Filesize
14KB

MD5
3aabcd7c81425b3b9327a2bf643251c6

SHA1
ea841199baa7307280fc9e4688ac75e5624f2181

SHA256
0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f

SHA512
97605b07be34948541462000345f1e8f9a9134d139448d4f331cefeeca6dad51c025fcab09d182b86e5a4a8e2f9412b3745ec86b514b0523497c821cb6b8c592

Download Submit
C:\Users\Admin\AppData\Roaming\update\PCICL32.dll

Filesize
4.2MB

MD5
d1356c062414a92b56b7466b562e9161

SHA1
d8e1dfe082de0b9dbdcef8ce1387dc70efc6d027

SHA256
83a44061672cc24c9cf1b8867ffc4ce0a6c3f2f129d32e7b31b58dfc12fbdea3

SHA512
7076bd0da6bdeded0d356e475096df65aa2a2a0acb5f201bf63b6d8c9d80a6084d8ee7bb5016cc210ff1da07cbe4ef7a1e1c18a7d29ab06d8de6d63d78459730

Download Submit
C:\Users\Admin\AppData\Roaming\update\client32.exe

Filesize
117KB

MD5
7d854e511bf1c3b8ddd0d60fed785bfd

SHA1
8a7dab456bbaf4558e19a474b352e8b9373d7629

SHA256
0d67440514fbb244cf374cd3afa99215ef16ea47dc5b3926afd811270e956f2f

SHA512
feb37323d44f11adeced4179205f62d324cc70f8be87bc76ee9565ede1f82fe3b2811fcb4e58639454f304454d4d71a7f86a50b9ddd02a19c55f7b630a8e26bd

Download Submit
C:\Users\Admin\AppData\Roaming\update\client32.ini

Filesize
745B

MD5
c0b2855f369d2c871ac18c4b04faddd6

SHA1
dac354442dce857bfada924d97205674373bcea1

SHA256
748f494f29d88d8ed48af36c65afb67a43e9c1e7a8bf80aa26f085a89e22cc59

SHA512
acf1baa2592fa7d293aed6fc14aa8716393c9870c9496b80d1b9e282f7b4dc5e82aa652de8243ec65fcbaa75a4c769b83d817dee23f1d1961f526af9770698cc

Download Submit
C:\Users\Admin\AppData\Roaming\update\htctl32.dll

Filesize
316KB

MD5
051cdb6ac8e168d178e35489b6da4c74

SHA1
38c171457d160f8a6f26baa668f5c302f6c29cd1

SHA256
6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269

SHA512
602ab9999f7164a2d1704f712d8a622d69148eefe9a380c30bc8b310eadedf846ce6ae7940317437d5da59404d141dc2d1e0c3f954ca4ac7ae3497e56fcb4e36

Download Submit
C:\Users\Admin\AppData\Roaming\update\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\update\office.lnk

Filesize
1KB

MD5
b645868482618c15ed333b39a72ac60e

SHA1
f2bf858e0014bc0e1a29ae531cba87f0e5895c5a

SHA256
e66e9df50f40aa73dc847f6afdf9852000782841df6b808a75e090e9787604dd

SHA512
24ad17f2f9165070f04a9979a804eeac6eb47c10b4f2d79bac4f8f245aee50abea5d3331098119fe1ed10640194d631cbd55cc8f97a55573cbe2c2052fd5fd62

Download Submit
memory/780-313-0x0000000000400000-0x00000000006FB000-memory.dmp

Filesize
3.0MB

Download
memory/780-198-0x0000000000400000-0x00000000006FB000-memory.dmp

Filesize
3.0MB

Download
memory/780-190-0x0000000000400000-0x00000000006FB000-memory.dmp

Filesize
3.0MB

Download
memory/780-309-0x0000000000400000-0x00000000006FB000-memory.dmp

Filesize
3.0MB

Download
memory/2040-428-0x0000000011000000-0x0000000011B06000-memory.dmp

Filesize
11.0MB

Download
memory/2040-430-0x0000000011000000-0x0000000011B06000-memory.dmp

Filesize
11.0MB

Download
memory/2040-311-0x0000000011000000-0x0000000011B06000-memory.dmp

Filesize
11.0MB

Download
memory/2040-892-0x0000000011000000-0x0000000011B06000-memory.dmp

Filesize
11.0MB

Download
memory/2040-303-0x0000000011000000-0x0000000011B06000-memory.dmp

Filesize
11.0MB

Download
memory/2040-324-0x0000000011000000-0x0000000011B06000-memory.dmp

Filesize
11.0MB

Download
memory/2040-325-0x0000000011000000-0x0000000011B06000-memory.dmp

Filesize
11.0MB

Download
memory/2040-326-0x0000000011000000-0x0000000011B06000-memory.dmp

Filesize
11.0MB

Download
memory/2040-328-0x0000000011000000-0x0000000011B06000-memory.dmp

Filesize
11.0MB

Download
memory/2040-329-0x0000000011000000-0x0000000011B06000-memory.dmp

Filesize
11.0MB

Download
memory/2040-330-0x0000000011000000-0x0000000011B06000-memory.dmp

Filesize
11.0MB

Download
memory/2040-300-0x0000000011000000-0x0000000011B06000-memory.dmp

Filesize
11.0MB

Download
memory/2040-301-0x0000000011000000-0x0000000011B06000-memory.dmp

Filesize
11.0MB

Download
memory/2040-302-0x0000000011000000-0x0000000011B06000-memory.dmp

Filesize
11.0MB

Download
memory/2040-429-0x0000000011000000-0x0000000011B06000-memory.dmp

Filesize
11.0MB

Download
memory/2040-310-0x0000000011000000-0x0000000011B06000-memory.dmp

Filesize
11.0MB

Download
memory/2040-299-0x0000000011000000-0x0000000011B06000-memory.dmp

Filesize
11.0MB

Download
memory/2040-875-0x0000000011000000-0x0000000011B06000-memory.dmp

Filesize
11.0MB

Download
memory/2040-854-0x0000000011000000-0x0000000011B06000-memory.dmp

Filesize
11.0MB

Download
memory/2204-212-0x000002176F2E0000-0x000002176F2E1000-memory.dmp

Filesize
4KB

Download
memory/2204-213-0x000002176F2E0000-0x000002176F2E1000-memory.dmp

Filesize
4KB

Download
memory/2204-209-0x000002176F2E0000-0x000002176F2E1000-memory.dmp

Filesize
4KB

Download
memory/2204-208-0x000002176F2E0000-0x000002176F2E1000-memory.dmp

Filesize
4KB

Download
memory/2204-211-0x000002176F2E0000-0x000002176F2E1000-memory.dmp

Filesize
4KB

Download
memory/2204-207-0x000002176F2E0000-0x000002176F2E1000-memory.dmp

Filesize
4KB

Download
memory/2204-203-0x000002176F2E0000-0x000002176F2E1000-memory.dmp

Filesize
4KB

Download
memory/2204-202-0x000002176F2E0000-0x000002176F2E1000-memory.dmp

Filesize
4KB

Download
memory/2204-201-0x000002176F2E0000-0x000002176F2E1000-memory.dmp

Filesize
4KB

Download
memory/2204-210-0x000002176F2E0000-0x000002176F2E1000-memory.dmp

Filesize
4KB

Download
memory/4628-187-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4628-168-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4628-314-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download