globeimposter | aec151ab1896489a13e03e2897d3facc8678ffdbd53bd08a01a2d3837f792adc

Resubmissions

22/01/2025, 17:27

250122-v1trtsxjbz 10

22/01/2025, 15:28

250122-swt6paspet 10

Analysis

max time kernel
899s
max time network
883s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
22/01/2025, 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
Size

55KB
MD5

1748fc9c3457f6102469044a18a67095
SHA1

ff7a2abf8f53c2cac4d2d7d8c70b1784362414bb
SHA256

aec151ab1896489a13e03e2897d3facc8678ffdbd53bd08a01a2d3837f792adc
SHA512

3b2baccde64139657ba2cfcb17398078956b8302f32347ff344861ade61f26496e61a8f913df02ce56d7628ee58381b695fd58f92500cd0f9d0c00a9bd6d3463
SSDEEP

1536:3ibgutzZi79QlgTHf4tq6KhxXwr3+mG3Kk:3itz479QlOWWXKNGak

Score

10^/10

globeimposter defense_evasion discovery persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Public\Videos\how_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 5px; color: #FF0000; background: #303030; } .letter { color: #DC143C; font-weight: 600 } .tabs1 .identi { margin-left: 0px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top:0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>BC 78 97 56 A4 B9 5D 9F DE 6B 7F 1F 4C 2B 70 CA B9 29 AE C9 34 78 19 77 24 02 F4 67 B0 B0 90 58 92 BC 82 3A 16 68 09 63 57 61 43 01 6B E8 45 AC B6 C9 13 6D C0 67 9C 28 4B 09 87 60 04 32 3C 97 84 CB 3B 01 89 15 B7 0A FF 6B 39 7E B3 F6 94 DC D7 D3 6F 97 D8 95 12 31 AD 82 3D A4 75 68 AB D9 2C 63 79 A2 03 F2 A4 BF 24 66 62 66 87 BB 30 26 54 D8 A0 A0 D4 FC 96 F8 3D 31 B6 F9 66 02 39 25 84 33 F2 49 E6 16 AE FD C6 41 C4 00 65 2C 78 5A 37 93 7C 28 EA 22 BC E1 57 E0 8C E1 DE 2B 83 AA 74 89 12 BA A4 CF DB A0 F4 8C 4A 7B 61 83 0A 78 38 3F 5A B4 D6 37 38 73 07 FF 25 B8 D2 32 F8 8F 9D 19 42 11 02 42 9B 00 FA E0 A7 43 15 8C 3B DD 0B 6C BE F1 1F 50 FF 24 EF 2D C5 80 03 64 C3 F3 9D B9 F4 DF 37 35 A3 C3 5C 0B DA 04 AA F4 18 5B 78 91 1A 5D 38 01 54 4C 05 59 4C CF 84 85 4E FA </p> </pre> </div> </div>  <div class="tabs">  <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <h1>☣ Your files are encrypted! ☣</h1> <hr/> <h3> To decrypt, follow the instructions below. </h3> <br/> <div class="text">  To recover data you need decryptor.</br> To get the decryptor you should:</br> <p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span></br> (Or alternate mail <span class="letter"> [email protected]</span>)<p> In the letter include your personal ID (look at the beginning of this document).</p> We will give you the decrypted file and assign the price for decryption all files</p> After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.</br> <hr color=red> <center><p style="color:#FF0000">MOST IMPORTANT!!!</p></center> <center><p style="color:#FF0000"> You can not decrypt your files cheaper than we offer you. You can refer to other services that promise to decrypt you, BUT IT WILL BE MORE EXPENSIVE. No one, except [email protected], will decrypt your files with a guarantee 100%. </p></center> <hr color=red> <ul> <li>Only [email protected] can with a guarantee decrypt your files </li> <li>Do not trust anyone besides [email protected]</li> <li>Antivirus programs can delete this document and you can not contact us later.</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul>  </div> </div> </div>  </ul>  </div> </div>  </div> </div> </body> </html>

Emails

[email protected]</span></br>

[email protected]</span>)<p>

[email protected]

[email protected]</li>

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Globeimposter family
globeimposter
Renames multiple (8935) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Clears Network RDP Connection History and Configurations 1 TTPs 2 IoCs

Remove evidence of malicious network connections to clean up operations traces.

defense_evasion

Clear Network Connection History and Configurations

T1070.007

pid	Process
2328	reg.exe
4092	reg.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Roaming\\2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe"	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe

Drops desktop.ini file(s) 29 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Music\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2253712635-4068079004-3870069674-1000\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Users\Public\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2253712635-4068079004-3870069674-1000\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\how_to_back_files.html	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-20_contrast-black.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.ProtectedData.dll	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-150.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_neutral_split.scale-140_8wekyb3d8bbwe\Images\contrast-black\PowerAutomateSquare150x150Logo.scale-140.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-32_altform-lightunplated_contrast-white.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\NewsAppList.scale-200_contrast-black.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\how_to_back_files.html	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Dark.scale-125.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-200.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\CompoundButton.js	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.scale-125_contrast-white.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WeatherAppList.targetsize-96_altform-lightunplated_contrast-black.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicuuc53_64.dll	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\DirectInk.dll	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\it-it\how_to_back_files.html	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\zh-tw_get.svg	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-256_contrast-white.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\LinkedInboxWideTile.scale-400.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClient.resources.dll	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ui-strings.js	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\DetailsList\DetailsFooter.types.js	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-200_contrast-black.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\netstandard.dll	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DocumentCard\DocumentCardTitle.js	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\DetailsList\DetailsList.js	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-400_contrast-white.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\review_poster.jpg	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintAppList.targetsize-80_altform-lightunplated.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul.xrm-ms	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\example_icons2x.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-24.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\NewsSplashScreen.scale-200_contrast-black.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\plugin.js	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-30.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.42251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-125_contrast-black.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherAppList.targetsize-48.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherStoreLogo.scale-200.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_10.2.41172.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\TipsMedTile.scale-200.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XDocument.dll	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hr-hr\ui-strings.js	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-200_contrast-black.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\System.Collections.Specialized.dll	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Xbox_MedTile.scale-125_contrast-white.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-pl.xrm-ms	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pl-pl\ui-strings.js	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\saext.dll	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\LocalBridge.exe.config	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_contrast-white.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Icons\StickyNotesBadgeLogo.scale-100_contrast-white.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\NewsAppList.targetsize-32_altform-lightunplated_contrast-black.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\selector.js	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\how_to_back_files.html	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\selection-actions2x.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\EmptyView-Dark.scale-150.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-100.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleBadgeLogo.scale-125.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\dark\file_icons.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\d3dcompiler_47.dll	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-black\NotepadAppList.targetsize-40_altform-lightunplated.png	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\resources.pri	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133820405258281857"	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5104	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
5104	2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
4988	chrome.exe
4988	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe
Token: SeShutdownPrivilege	4988	chrome.exe
Token: SeCreatePagefilePrivilege	4988	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe
4988	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 4320	4988	chrome.exe	81
PID 4988 wrote to memory of 4320	4988	chrome.exe	81
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 1096	4988	chrome.exe	82
PID 4988 wrote to memory of 3728	4988	chrome.exe	83
PID 4988 wrote to memory of 3728	4988	chrome.exe	83
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84
PID 4988 wrote to memory of 4032	4988	chrome.exe	84

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3584	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp3658.tmp.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2160
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
    3⤵
    - Clears Network RDP Connection History and Configurations
    - System Location Discovery: System Language Discovery
    PID:2328
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
    3⤵
    - Clears Network RDP Connection History and Configurations
    - System Location Discovery: System Language Discovery
    PID:4092
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4996
- - C:\Windows\SysWOW64\attrib.exe
    attrib Default.rdp -s -h
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3584
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffacf15cc40,0x7ffacf15cc4c,0x7ffacf15cc58
  2⤵
  PID:4320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1816,i,7844826617520906958,17007223980500200979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1812 /prefetch:2
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2096,i,7844826617520906958,17007223980500200979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,7844826617520906958,17007223980500200979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2168 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,7844826617520906958,17007223980500200979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,7844826617520906958,17007223980500200979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4412,i,7844826617520906958,17007223980500200979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4380 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,7844826617520906958,17007223980500200979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4572 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4924,i,7844826617520906958,17007223980500200979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4940,i,7844826617520906958,17007223980500200979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5076,i,7844826617520906958,17007223980500200979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5112,i,7844826617520906958,17007223980500200979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5232,i,7844826617520906958,17007223980500200979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5356,i,7844826617520906958,17007223980500200979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5348 /prefetch:2
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5412,i,7844826617520906958,17007223980500200979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5300,i,7844826617520906958,17007223980500200979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1976

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

Clear Network Connection History and Configurations

T1070.007

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2253712635-4068079004-3870069674-1000\desktop.ini

Filesize
1KB

MD5
90e73eb3fac3a6ad69fc83fac79265af

SHA1
31ff5a76da3ee7def8b60c2335e451051eb5aee1

SHA256
75e08a931f1517d2980ca0526d64d7fbea8ed30ea8583898c43967b7e0a812ed

SHA512
f521f5716a13283a1d7a386b01855f7e772d85aff3a1976c4a815429f9a4f272c07ce816b19009a989cac9da57007d2bc89ce78819c7eb1b429b53a377401a08

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8683030f-b087-4bbb-b3bf-3f21a340dcfb.tmp

Filesize
9KB

MD5
cb20cd251290cbf0430864db943746bc

SHA1
9f339dc51b8156a844a94d21db45997156a099e4

SHA256
16870d541682feb9ee1a7feb8cde78ce64bd209077a87d724b7edfb90db82f5f

SHA512
da64c0fdfe9194ff4099a8878dd5648297b913ed4981c9ab9e7622fc648b2ef4e20afae77b3ec07deb93f8cd224d5b8636da62ee2f04e19f741e7f464c3a4965

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fc19531f0d176ee184beba622869cf67

SHA1
0911490bb65fc33e73cc7e49395e373e3149a3e6

SHA256
e7dd407509b6f582849e0e95620d336c9b578ec228efd7f226c435669835cf5b

SHA512
e8cd07b7ab402d5a18aaa58fef53e610842bfafe2c5217f33098cc64e411a740b4382b28c6a4162aadc89554d8e8528fcebf82fc64758db53255a91c0ecfb181

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
caf462fe3ef98cd44bd315d31bed6a1a

SHA1
11de9900b16b015632cf5c6390bb53f817213f7a

SHA256
7910becad2b4692be5f35a1a0de672659dd0ab0926d0085a57156f85337698da

SHA512
cea4976f1c4ab9905a66ce5564f789e9b49bb6973661ca7dd9711e0e248d20c27f1ddecc68a977685f5ae7127a05108369734f79e6a50bfa6a81fab7f49242bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
859a5f1e17b3c128b3a9c5a3dac919e7

SHA1
cd70a54b98f16331d0aabce39df83df04858116b

SHA256
7a3597f838d7e5621716bcb3d36070cccbd8747f51d2ba7df6abc5233bda8b3b

SHA512
ce7876610a05243170f0d35e904c46bdf284060c465e3124955b97c3b0ea5bb8b1c6572d7e44173e459029c1b7203ec7c5c3c39519e5982437f1409f6433e032

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b4185db264c248b2c0581a69401d5b5e

SHA1
44b7f45f3ce1db2c451fecadbd59028db60d5c53

SHA256
aa62bd472fee4f160505ad91e2929e6962dc8a78185c17180b1893ba5ed5a471

SHA512
950135adeb0303d91ae13d50e46c4ca762ea108dd3f9d9ca4ba0b6edb644d769138a3670a9a04fe8cf2dee0738282ec0f525303b62e66f7434ff56eba405b977

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
cd3046255bf4c5da26324c1fc84c59e0

SHA1
f868351705b2d30b6c74dff4e3c76a6a7567e558

SHA256
b9686b09eb33112c4b3513124d04e0b67bb5772db1826e7d349738bdd7fcb2fa

SHA512
32dd2febb56aa8f31805f404dd38a631651fa0f0cd5fd379a791ae5483b30a097f3a3bdf49dd87a3bc9e2eb828fc11266e674b7df9de607f3e057587eff6ecb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
255d39248aa135f96e3ce6824430db47

SHA1
6707551b5693be7b1630635c5f18ad756cd87455

SHA256
c81dd99126eaa8f0b14f2ac0b086e0dc1aab01bb48f5878b7114e46cae760bae

SHA512
2cd5844c2e6e67cfbf2ae1d487d652867f6a97ecbcd11ef006ef69dc790a3f85b2c11431c551eeccbb147f7cb500fb1be8bbd89eb81cb60c204fdf384917c978

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
282c22506ef2551331c8d49ac2cc9f02

SHA1
ebb7b96326797d86d9d2191b141b4d5a284d5029

SHA256
5277615e5b361170885c4a8be62611e3a796ff3c49c82aee4e7cbe6e27a57957

SHA512
33d5509467da402ecff2f2243121fdd27e8c15302ba147dca8428430e9720eb631dc117ed661b017471a178c07954d33400f7f9144f09d7db08b8029e511009b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
52a27e8fee732b2a64d615e07f3c02e5

SHA1
bb4a9e31f451d35960f256029b220d01303bc595

SHA256
f92f467ed90577a98598826a97370d2bcb02877c5de305c32eda946a534043e9

SHA512
69dabd30d785812b4157f01b5c12b7b0dc3978b564cb76f93fe466f11d8f9e115312c91bc5ea850cc84d01d12f632a8808b23f238e419e36f9e3ded232666f41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8e3ef4bdc57264cd61ec3d22836f0053

SHA1
5cd00aff32c4dbbd158cc7f9565121ec5cd1b17d

SHA256
075358316436cca1f2ca4d1202d806d2fc34cb5accd865a8578f7b6667c071fc

SHA512
fff48e7190e9785f0dd18cf610e2a419dfbf3f6afa222ca8a0073beabef70678b066bb915430facc6a17d5649b1825ebb072e5ab3e8d426689cdffab86d92732

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b7db088b70a0c8c2be28655827fd149d

SHA1
39cd254af64ca3666ebd5766e0af45c0afe6c85c

SHA256
c8b48ad4294c8a226e318610626886a80f16e83ec36f3b629712c1ed64486c94

SHA512
e3640424d8b6bd73eb8500360dbdaa24c7988c0708be8fad8b695b90b36592d6f50ca1ea5d8c459a6971886b31cb7abc97dd7f51f0194bd7f71cf065bab9d514

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
50b321d02d778bdaa75514c60e1b9259

SHA1
973a053754917724b49992aec911ffaa294c6843

SHA256
d43663ada6ecf9d7ce3dd83b233c8b4de0578b5066391cbe407dfbb8fa2254b4

SHA512
e611f79c11c948d2422f986457a89291af42c69ed96c4e56b2cf9da5c4b76cdacdab513489552703969eac64528ed3cf4f619d94e6a75399e14866165b980a1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
57ba3ed322f9895b229fa43994a8db77

SHA1
b33656d317438d073671a9fa9bbef2368e4e661f

SHA256
06a462b093f61518ab1bcc40082fae78403d9ff2627e061b49209e008ffd2f70

SHA512
662d08d82f1be00d06cf93e3caec60b721fca8b476ee440ad23a78b6a29b0e379c986d79f922ca99932e5017a81089620086e647f0094428a346a51933cb6fb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0a3528989359b39f5bd177d62431d045

SHA1
3355597107b2c7005cd535886f8f3807637de5d4

SHA256
a1c6725aae4466fe98b0c2da47616c9a95629b97b01b65f72f0f064f4ae062b5

SHA512
6e245bccc3fd4e5aefe7fbf0c85bad253c869975f10581e1a1013c6fe24a4954675d1850d15f29959fc09a1e41c6f0d3a5b97fc105197349fce4d572c709af39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0b89b9b4e9cbe81a1307b7582728aecc

SHA1
ddf1a363c59ce9c66bd32464d6370abc03a0d28b

SHA256
0a9b968731ac43155200dc754f0e2e3c90265dcdcacbe8704f622ab951add40c

SHA512
5e83a6ea3729756aa3b51fa69da3f2d4ca54138ba8389451058e39aa8103c98bd043b55770480f9c5b846db999707a6c1f55b920b98f72b6ffc95bb440477346

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
83ad03f8c554d8c3eaa20d5268e6c9cd

SHA1
3451b9463e31427789fb5d5b64eb365df1b747ba

SHA256
8f05f6c4bfc7169239c07817b8d0514a456d8d4251ef6a5298f45b26f4818004

SHA512
8524d68c535b40bc735a4957656c700ccaaa647557951d75293ab095cef08ebb4290befbe0cce59555060834ba0e4dc73513528bf705f7e71042dd9fa26cbf43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7f6e1dcc219f505c60420e4f44250174

SHA1
0a5e883c24acdf869c40ade251d1b05332296032

SHA256
bbeb2f3e3bc9fedf98f6036eba324576d0caff0b5f62cac929d12410e94eb7c7

SHA512
376713c8d91c9711e8ce960f0f6b345095fcf47546969b8d3a69e48d7baeda72cbd13cc3039762307feb742c1270fc690cfee8e678e780a3293ac6eb0fec3e18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
182a4a8037a280c658871dbb152ed96b

SHA1
6a68d22a9a9cdcef52adecb4ed250a0c662175d3

SHA256
9ab4b658516b00133eb5d0f4253d910f1200e0458422a359e9ada4d917092faa

SHA512
dae2e7a2f4d371824555ded2515fa77ced8536a1418513c38aaa219867341303a0d8497b3698ab64017ffce286005361f9be166a919ca71b52dc4aac39bbb754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e0b8c6a241cf2619110e1d4a82e905ec

SHA1
f4df2ed9b979fc73dd5c70eca7dc4de36b057f93

SHA256
791cb9d365d55d5c67275f90f96bf10b41ead6e5d1338fa5027e0781bdebc24f

SHA512
ca69128cafadf6cb352b0797ed77194403939ae78105a3e0a99eaef2e7f052ef489cb4cc6b53b4892451e9567c895bcd0fb916e7269be131d2f2869cfadf0311

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
975123259bb78d4c70a12480dafb6f28

SHA1
20eb5ee608a73798c243cda6b2b49e2aa4509145

SHA256
0992d3b51524793abddebad6881e9bde8782a11226934d9bd72558b4287484bf

SHA512
0ba3ea9c33c2e09dad5957896d96dda35f4477280aed9092ca8bdfd3d44a9e49d6ff6ced3b9cf52dec2a654f4b212b3768811d5dd620040dc46b32948c9b9c10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
debe30ea96bc33f7397fc9bbcb9d463b

SHA1
0b5ee43f350bc14b97655c77169f83c8933b100d

SHA256
5a510bf86d23483dd834827a734032cba0c1c4db381c4680df947ec6bfe851e7

SHA512
d50c13a03d64f66dd451cbfc20044cb37dbf89b07ce67c376bb45e02d3fe8056b6d26d07757804b0da4bba1f673eb34cec35ec84ad97718c470f88e371584a2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0113ec2b2aa780dec1b3b818d8d5ac40

SHA1
5b618179e5ab6f0fc0a4cb5e8885f1dad9461c24

SHA256
05c3626945a3b061aa12e82123623af491c15c9fd442f0e1ea9a6a603ed2312c

SHA512
7cb943f355d9ac032faa020e82139c064bd81a0a9b0546634581c20d6479b164830ab42650ea5702349363436d9fa3ce469ea45bfdd7708816da5d7eb821244f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3dd6f113bfba16e68c821115ce7225d5

SHA1
312ea578a26aa32535c1014a5c8b86a244eb4482

SHA256
5cc0ccad7250ba04d1870ec35bcd91a93e4cea591e110119c3e766ad154c9e36

SHA512
be2962eefb9a32dcd17f2c67988a1607a495da0d4992f05e818ed99480a65a31b94a6ac7fbdd6465a751cd05319507b98dcfe54fa6d99ad31bc8cbf249a973a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ba00559b9e06913ee2911e689b54e348

SHA1
854f7ec997be66d25628cdb4c5c38847359e3d72

SHA256
f5dade1bcc01d98ee484c133861d1ba85e9077c8d521e241fd31735dfe4cf439

SHA512
9fd8de36c539346295c5d1164cb336f04ed3ad5bbd685cfd4470fcf1f0c1e954733b0ce3123586ba9fb1a6205af6ac05cd58f0cfcbe785fde70e3d2154d27cb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cfd093f8344122ad57a7546aa13a026c

SHA1
c0c385376bbf664d8e64483644b39aa8348ed000

SHA256
d426132f92bb2ab442d3ced0d0df722ac2b73a51a5f19a713af8236b0aa8f815

SHA512
cc4af38cb4ba2c1ef13a5990da485ae1cb516447d5d2cf11257b2300c25acf968ad4503a8731a19320ff12424b7c99a2e382894136f8187b5d9e13d217d75f27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
959ee4cec038159488592b7c6116b691

SHA1
6c154581965ee8c11b094110310fd79a4142e3ea

SHA256
a811358b84e1817d8a088b124a54a78c0205e09b749e1986339c46623f01d83e

SHA512
75ae13d9e9451bd84cc0b0a20073b1616f401a9a6db9f551ae75978da7cce118166ae7ef77d1f2dae73807b140876d50433b977b137e1dcb674627fda46ad479

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e6c452d4a4829ccb1f6a552e8deaa672

SHA1
53266fd662baa0ad07aa77788c267d4ea3fd501f

SHA256
2f2fe130aeb238f3e0a1cc0062418027fa87f11fd862b9bd6f1b36ed49dd74ef

SHA512
c5b1a4f2f8736a728808685ca7cfaa793040b868108b173d62201dc73c0ca577772b3fb18bc35a87cf6ba332865b77b2d9b935f9e4105c1286ae0b8b2defe61c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1c866427a17c0040a01ba89b2f3fd7b9

SHA1
07f8a4794bc27391cf3573dfcea7f4b28742f6f8

SHA256
c65fe1ebf370178c5fee325b62ad57099cda1734c7735761c374876e8eac6c49

SHA512
6c32959ea4b4a5d43d115b82c14c6284da82dc4f2cd04dedf5ff01d4b680a5b156b978cb95a2f3d49ee7b91faf1f0ee120efacefc0ceba2b4557c04a3b66be17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9876274f8238207dffc97bfc06c017bf

SHA1
ca368bdf594435ee9ef534d340f5a4cb74dbf139

SHA256
03f0f984e942443ff011eb917382025016bddd9f81df9d59c754a1c8609ba440

SHA512
ecd4fce869e4bd3a56b88ca68dd37178e890545832749faa1ac07c59fd1f26b577cd584ea833885e36433a1d32499ba4dbaa37ae9bd4ba20261a5baaa0f23673

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
640a6e762b2ae9a62213d4479692b487

SHA1
5300ec56f313058441b746e4909d6a9ea7eed302

SHA256
706ccd6144fca847b670be6cff0d486954fcb68335a2ae31a9728f285d6317cc

SHA512
3fa85418f6d3fe0d5593ef9a2f124d1e169c1d9ca8023035301138ef303756a07e77ec1b07a39141bf5c84085cdc7a9640a52247e4bd72643aca299bddabab97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a6401526a355ae4e4fab2aa5acfe3740

SHA1
4667dabbbe4f6785ef7807146ebfadd395d59234

SHA256
c2c62a06a0f98c67ea8428e365e5938d7a7e133f946eafc70de9be4203351663

SHA512
a0a5aeba1c25c6890c07e0b0f87218949c861c09042511e689dbac6301fe539eb737228814bdd8d07428f377f05171ebbd83eaea43bb5f6b9f7b0bbec8fa1844

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8b23251802de1ce09c64c469ac857ff7

SHA1
44e14acc823679fce1935923c5e9ec98af730b59

SHA256
532f498b7cd0bf8f5241760e6ab7c0b2dd4f48c545b1a0a137c4906cd53b82d4

SHA512
8c2a3f130b89c2238e6f7781ede2b74f84e37990b7f7877e7a3184b7f1ee82f865ba2be6d9bc72b8bfa5a79a2dec8fdc17c8f3f3b99282deffdd8a4138ddbf37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d3afa8b0a6a2a427be7c6846415833df

SHA1
9ecad71b4882099df6b73dfd306ff28400faaf19

SHA256
05ffb74dadb46da7c32f4bf529e8730d94d4bdaba0af285bcc80bbe24a6f6030

SHA512
614c303d6103fe9ab138d59448a306196b401f6a36496970535f12ff6662ce4ede61350c83ed563157ac222a79d72ad807ca0725aca5d38c4386bd608cf554dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6fd53a372da007e5b6fdd88b226c3358

SHA1
ab0de1e50b997f89e0d872da34ebb5c69d0cbca8

SHA256
3a031e61848da720800c4ef7cdc91b7b5b5726e683dd1e3cd5f376122620cb30

SHA512
3a3f7b43b9f850fc1fd27b6985b6c3d387c714887148734452440b2037550767b3db125a8fd545893e489ccc0272f9a7b50a96b43610158aa664931227c3a11f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a58edf650d731d531b5605a7bb99e847

SHA1
f40d164db0d1f09103bde69b962da52b6697582f

SHA256
10841b8e0aada411601e3b65ad121e43413bc8c56449ed2f67786aa80d8527d9

SHA512
34656461d68123133f3da9d5601aae712243a7b65730bfd1f8b833dcc789b08ec6d3b543cfbf16e51f05e5d8baaf85472ad41d3344078d343794c7ccc0fadc60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5b524af10296da620da004f84052ef35

SHA1
0f718187dd450a828da33e90469188563374aae9

SHA256
64a79b9a020604564d1fa914fa39d729bb99032b0b65c372cdbc813b9441d051

SHA512
fb537123fff5064c03d16f7bb34f6661c6c1ef8c34242cd50678ca06fb590a433232b1c9323c8841c0bd126433dc51b531a95582297d4c656ec43498c39a1512

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7663118d1d1917feddada5d541720adb

SHA1
027063c2eb74bf50fec9af3ba1416b646117a118

SHA256
3dbf001e85be831d2230d2c1854d98f2227cdc80f98f495b6790e3fbe95bbef1

SHA512
8e3944078dae186f37430c0fef764883dbd6a6edf5b2df86aeee01ada03a475cd7aba9fc1df156d57ba762e5b7fc4c93cc739b2868a8256e09bff18446e01b4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
22fb4da7ff3bb893cc2b895710ed92aa

SHA1
53aa38df92600353956aa145cafb96e8b6639d60

SHA256
e89b25eef6e5ab2ac7ac3a9efaf26f1b11794c8899ef498f051d759f873d22e8

SHA512
5aa96fdc3bb25d91dda0c53c7e59d02a0e636a8326fc0e3b1e8ed4329e9978a690473a95178b85d6aaf126d05b74291b84f7a77ca1802bd0cfce5cc4b29c9baf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6b08a8b584fb39449c1ebad831adb78b

SHA1
66118d3ccbe1a630d3f76575a2843754095d148e

SHA256
b9c729006eba8327e45f006474076528a296cbb74a54f1cefb4b30c092a7b696

SHA512
3e628a0270f8cf8a33bc2c3950a0b9b1fe19c5f104641631337ff8a7017476ffa458195122a9448a20d86a75a7294babc61314128b92db469ff4bc6be4b7c312

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f651a18fe3a3c39d7429158d1d796027

SHA1
91ad3c49a4c03b10e2ac3fc8018ab4da1a0c6b00

SHA256
02bca6f16585b48dfb68200067da8eaad3751375dc4d10415d68efd521eefb59

SHA512
3075ace4fe59737d7baf4e37d2772c4bff0b6ae091f879f30ca744b0c23e74fb1417a249a313dceef9630710f3107fb0e14e3fa72b1dc51c73f68ccd334c14bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b0d04866d0812c7774426aba248adb2c

SHA1
ebc07d9262ba7251eebf6af79efb4a5463dc76d0

SHA256
236ec17744df59194a76855d796f0691c87ca75690728346d93bb881afbe2238

SHA512
ebc49471685d85d9dfea7985ba595e09121914eb542d91a9bb06a70395af9420f7c5316bdbdd5816b556171ad6216dabdc053eabb90f0524f5db83ad2835f53b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f029686da21f518eb43d6d54e736efb7

SHA1
7713a30efff91f92b35cc8b38f279f339a7fb659

SHA256
dcb11ed74e14b48f58c86be944e356de5f3ee0a3031733774879f9cb20050f9d

SHA512
3451297a5d397c4456e13b19cf5afc1cc31fbab11a1c1e519c08a7a528c45d60ba806c960b26345e8cb2170ed62c8d85110ee114f86a012df53a4f692127976d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7ce684fd6924899056ac932294884bd8

SHA1
4f97f09568e827257533fdef9c5685a7febf9526

SHA256
fc084f12780edf888350a4ee697d421a0561147816575105c0f46a3105414709

SHA512
5a309848694a5043b55abbb0f07c96a6321dda6e9e0557e474d3daf8b6a5498250274a7c799b2d5fc4f7527415a655ef87ac67688db3268e0c48a684d2d83a75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6c75ee9a76aba25710d4b8f3f9b04a12

SHA1
25cc39f1a0732da8dfc4ae8e82f7c2c81b917f46

SHA256
b8cf5c553f2f5b9d5fe6adf06320286d9b2c51310f5ae1ef15b286d3d23f392a

SHA512
850d14ff9db8f02c231f7664145305cf9eddc84a18f1cd311446ea1526ed1b28d0e25e6be5108a40d298372a2ac333f9406b92f009fe602f623ad3cfca58abee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
29e56000180001bbe5d0686a9d84e18a

SHA1
d8ef11f538d0ed2a25bf6fc6c93978ef7f7ac944

SHA256
22fdf5d1450ed7852008ad8eb297e90b44fa49c50ba04e5df2acd17490d8edbb

SHA512
c35b47a150d8fc6471c9b590a627e1205380a1b631fe9ff125d158a702e11e90c5d992035f9d3e49726246cf26586739107a8e634cb19e1c876a67eee311f517

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b90a8072d9ed7e4be2e27231616fdf81

SHA1
2b5e53efe00977c4a94778b0b30d1534482dbc19

SHA256
8206dcce8cac0d399d330c8321e2246b23581f603e006319b223623abf8f41fb

SHA512
fdb250f4092677b14ea851ce14371cf85a8499f2eba13535f4b43411e7be5d2fcfcc2d812526e8f7fc4c8d5371a898ba06d95b78c45678788879b36a60b521ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
7617d17e50ba91a3e1b17c2d89518d43

SHA1
08d1d2742263ac8452b02631390c7e9d852dafba

SHA256
4e2384209874b0fa702d9dd125eb679637627fbe681c87a8e37b9fd1f2608a2b

SHA512
d55e10fed36fa293397efdb243868bf11b5d48ab52c2eb8a12e7d77b57b271f92c5f801baabb0fcb689f0040dec625e375ad18a5d57b477eecfdb54685487fcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
4ef5c96e2cbad17b151c122bcf8e2808

SHA1
703538d22198b23b41c430f0c18df4ee46c808d4

SHA256
815161bf9c03775a31aa195e2e9dc989c649b58aeea5d6794f55d86b3004e6af

SHA512
999557db01451d33cf372e6174ccebde87d66d88375ec64d64051acf5053ce649e79a74dd4524046a0d3ac94a5113ddddd13b7feade63dc626eb1742ffe61e8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
061702fd7c268343acacb733bf58eab6

SHA1
06407c7478109f819e68517b378426536a8b9e90

SHA256
44899f653b1074cf8b061024a23336693be25a7cd30972695cfafcd93df3322d

SHA512
b0ec95644e68dede7752389e1755045cb969aeb0050a0feecf589c867c11a83370902af7aaa420080a9cc704c6fde643da9db168daaa0cc849b116ab22d66048

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
b2e726e0897ccb966ff0353d6b983852

SHA1
ed4d897a0757e02967ad4244117d5abdadd3f508

SHA256
05b346f8667ec18ba21583c9c6d1ea21a39753b2bf6d1f30ad4aae80be02c6bd

SHA512
50f6df6b1c05dc2efabd106f6a2d8c2d65eec14598e4b12dc915cb893665ddca9e20130186839e5292cd58fa12f9f11a77d60307880d2b576e0a9c78db7a1578

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4988_1725683898\3a99c53f-c9dd-4a1c-abc0-a904ac27ab6c.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4988_1725683898\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3658.tmp.bat

Filesize
445B

MD5
32d8f7a3d0c796cee45f64b63c1cca38

SHA1
d58466430a2bba8641bd92c880557379e25b140c

SHA256
1a6f73b5c28d1c10f63f2056068c1de61487b8cf8f1dcf7516548df144b3e9ea

SHA512
288213b92a03ac750ea319bb23c52e7bdf47f5a47ecb70c905c7610a84c63a3ec0a30801b5880e6def8df2c9f577082072e342198d23a19f64e561923e1ef698

Download Submit
C:\Users\Public\Videos\how_to_back_files.html

Filesize
5KB

MD5
6c29f625d3a1a22866d175de27b15681

SHA1
0aedf379f6f8e673fcf5ac48f2a650d06b76d4df

SHA256
784d1a85232e5b79bc915e657a4fbc3ddf3f0102a123e2e9cbaf53e66d108f12

SHA512
41d196777bfcc49dac70aaf4fd8f0d776279feecbd8ea7cc0a744aa118ad8447cf5031301f29783f9b35ea6b9dcd5943863274f4c423505efae45bf541e38c52

Download Submit