vidar | c7d2fda303d9928f804d3269d128b216844d9afcb2f533054c8d87e1c6fd4aeb

Analysis

max time kernel
599s
max time network
541s
platform
windows11-21h2_x64
resource
win11-20250210-en
resource tags

arch:x64arch:x86image:win11-20250210-enlocale:en-usos:windows11-21h2-x64system
submitted
10-02-2025 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

data-Setup/data/extracted_3382/sss.bat
Size

405B
MD5

9ca3883fd45a5a455e64704ac6151ac9
SHA1

e7f89032ce544253a51020d7e894f6919fc35839
SHA256

c981688479756c987d6207e5804ed2b97fb50dfc80469309646c3f79d5ed05b4
SHA512

e5746faaae0680f68295db94f3865a7ec56663553d7401f996cce18bdc67ade23aef10c81018da28992e82a8178dc8a567b5b355479c7ceedfb87e46be9efa5a

Score

10^/10

vidar credential_access discovery execution spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/sok33tn

https://steamcommunity.com/profiles/76561199824159981

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

Detect Vidar Stealer 10 IoCs

stealer

resource	yara_rule
behavioral18/memory/4720-42-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral18/memory/4720-46-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral18/memory/4416-47-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral18/memory/4720-69-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral18/memory/4416-73-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral18/memory/4720-76-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral18/memory/4720-77-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral18/memory/4416-78-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral18/memory/4416-117-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral18/memory/4720-133-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	3556	powershell.exe
3	3556	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3556	powershell.exe
3972	powershell.exe

Uses browser remote debugging 2 TTPs 7 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1008	chrome.exe
2148	chrome.exe
1572	chrome.exe
2616	chrome.exe
1388	chrome.exe
3160	chrome.exe
3144	chrome.exe

Executes dropped EXE 4 IoCs

pid	Process
3596	VBSP14J5.exe
4720	VBSP14J5.exe
4416	VBSP14J5.exe
3132	BETKL74S.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3596 set thread context of 4720	3596	VBSP14J5.exe	87
PID 3596 set thread context of 4416	3596	VBSP14J5.exe	88

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1472	3596	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VBSP14J5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VBSP14J5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VBSP14J5.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	VBSP14J5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	VBSP14J5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	VBSP14J5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	VBSP14J5.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3556	powershell.exe
3556	powershell.exe
3972	powershell.exe
3972	powershell.exe
4720	VBSP14J5.exe
4720	VBSP14J5.exe
3132	BETKL74S.exe
3132	BETKL74S.exe
4416	VBSP14J5.exe
4416	VBSP14J5.exe
3132	BETKL74S.exe
3132	BETKL74S.exe
4720	VBSP14J5.exe
4720	VBSP14J5.exe
1388	chrome.exe
1388	chrome.exe
4416	VBSP14J5.exe
4416	VBSP14J5.exe
1008	chrome.exe
1008	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3280	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1388	chrome.exe
1388	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeCreatePagefilePrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	3280	Explorer.EXE
Token: SeCreatePagefilePrivilege	3280	Explorer.EXE

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2240	2744	cmd.exe	82
PID 2744 wrote to memory of 2240	2744	cmd.exe	82
PID 2240 wrote to memory of 2660	2240	net.exe	83
PID 2240 wrote to memory of 2660	2240	net.exe	83
PID 2744 wrote to memory of 3556	2744	cmd.exe	84
PID 2744 wrote to memory of 3556	2744	cmd.exe	84
PID 3556 wrote to memory of 3972	3556	powershell.exe	85
PID 3556 wrote to memory of 3972	3556	powershell.exe	85
PID 3556 wrote to memory of 3596	3556	powershell.exe	86
PID 3556 wrote to memory of 3596	3556	powershell.exe	86
PID 3556 wrote to memory of 3596	3556	powershell.exe	86
PID 3596 wrote to memory of 4720	3596	VBSP14J5.exe	87
PID 3596 wrote to memory of 4720	3596	VBSP14J5.exe	87
PID 3596 wrote to memory of 4720	3596	VBSP14J5.exe	87
PID 3596 wrote to memory of 4720	3596	VBSP14J5.exe	87
PID 3596 wrote to memory of 4720	3596	VBSP14J5.exe	87
PID 3596 wrote to memory of 4720	3596	VBSP14J5.exe	87
PID 3596 wrote to memory of 4720	3596	VBSP14J5.exe	87
PID 3596 wrote to memory of 4720	3596	VBSP14J5.exe	87
PID 3596 wrote to memory of 4720	3596	VBSP14J5.exe	87
PID 3596 wrote to memory of 4720	3596	VBSP14J5.exe	87
PID 3596 wrote to memory of 4720	3596	VBSP14J5.exe	87
PID 3596 wrote to memory of 4416	3596	VBSP14J5.exe	88
PID 3596 wrote to memory of 4416	3596	VBSP14J5.exe	88
PID 3596 wrote to memory of 4416	3596	VBSP14J5.exe	88
PID 3596 wrote to memory of 4416	3596	VBSP14J5.exe	88
PID 3596 wrote to memory of 4416	3596	VBSP14J5.exe	88
PID 3596 wrote to memory of 4416	3596	VBSP14J5.exe	88
PID 3596 wrote to memory of 4416	3596	VBSP14J5.exe	88
PID 3596 wrote to memory of 4416	3596	VBSP14J5.exe	88
PID 3596 wrote to memory of 4416	3596	VBSP14J5.exe	88
PID 3596 wrote to memory of 4416	3596	VBSP14J5.exe	88
PID 3596 wrote to memory of 4416	3596	VBSP14J5.exe	88
PID 3556 wrote to memory of 3132	3556	powershell.exe	92
PID 3556 wrote to memory of 3132	3556	powershell.exe	92
PID 3132 wrote to memory of 3280	3132	BETKL74S.exe	52
PID 4720 wrote to memory of 1388	4720	VBSP14J5.exe	93
PID 4720 wrote to memory of 1388	4720	VBSP14J5.exe	93
PID 1388 wrote to memory of 4988	1388	chrome.exe	94
PID 1388 wrote to memory of 4988	1388	chrome.exe	94
PID 1388 wrote to memory of 3356	1388	chrome.exe	95
PID 1388 wrote to memory of 3356	1388	chrome.exe	95
PID 1388 wrote to memory of 3356	1388	chrome.exe	95
PID 1388 wrote to memory of 3356	1388	chrome.exe	95
PID 1388 wrote to memory of 3356	1388	chrome.exe	95
PID 1388 wrote to memory of 3356	1388	chrome.exe	95
PID 1388 wrote to memory of 3356	1388	chrome.exe	95
PID 1388 wrote to memory of 3356	1388	chrome.exe	95
PID 1388 wrote to memory of 3356	1388	chrome.exe	95
PID 1388 wrote to memory of 3356	1388	chrome.exe	95
PID 1388 wrote to memory of 3356	1388	chrome.exe	95
PID 1388 wrote to memory of 3356	1388	chrome.exe	95
PID 1388 wrote to memory of 3356	1388	chrome.exe	95
PID 1388 wrote to memory of 3356	1388	chrome.exe	95
PID 1388 wrote to memory of 3356	1388	chrome.exe	95
PID 1388 wrote to memory of 3356	1388	chrome.exe	95
PID 1388 wrote to memory of 3356	1388	chrome.exe	95
PID 1388 wrote to memory of 3356	1388	chrome.exe	95
PID 1388 wrote to memory of 3356	1388	chrome.exe	95
PID 1388 wrote to memory of 3356	1388	chrome.exe	95
PID 1388 wrote to memory of 3356	1388	chrome.exe	95
PID 1388 wrote to memory of 3356	1388	chrome.exe	95
PID 1388 wrote to memory of 3356	1388	chrome.exe	95
PID 1388 wrote to memory of 3356	1388	chrome.exe	95

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\data-Setup\data\extracted_3382\sss.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:2660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\data-Setup\data\extracted_3382\script.ps1"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3972
  - - C:\Users\Admin\AppData\Roaming\VBSP14J5.exe
      "C:\Users\Admin\AppData\Roaming\VBSP14J5.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3596
    - - C:\Users\Admin\AppData\Roaming\VBSP14J5.exe
        
        "C:\Users\Admin\AppData\Roaming\VBSP14J5.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4720
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbb06acc40,0x7ffbb06acc4c,0x7ffbb06acc58
        7⤵
        
        PID:4988
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1788,i,923306174146172534,6594086242085244689,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=1784 /prefetch:2
        7⤵
        
        PID:3356
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2096,i,923306174146172534,6594086242085244689,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=2100 /prefetch:3
        7⤵
        
        PID:4080
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,923306174146172534,6594086242085244689,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=2208 /prefetch:8
        7⤵
        
        PID:4372
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,923306174146172534,6594086242085244689,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3148 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:3144
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,923306174146172534,6594086242085244689,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3196 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:3160
    - - C:\Users\Admin\AppData\Roaming\VBSP14J5.exe
        
        "C:\Users\Admin\AppData\Roaming\VBSP14J5.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4416
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1008
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbb06acc40,0x7ffbb06acc4c,0x7ffbb06acc58
        7⤵
        
        PID:3452
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2040,i,17897061904058866759,9264855273173686681,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=2036 /prefetch:2
        7⤵
        
        PID:3064
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1716,i,17897061904058866759,9264855273173686681,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=2180 /prefetch:3
        7⤵
        
        PID:3776
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,17897061904058866759,9264855273173686681,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=2220 /prefetch:8
        7⤵
        
        PID:2016
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,17897061904058866759,9264855273173686681,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3160 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:1572
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,17897061904058866759,9264855273173686681,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3200 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:2148
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4256,i,17897061904058866759,9264855273173686681,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4496 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:2616
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4196,i,17897061904058866759,9264855273173686681,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4176 /prefetch:8
        7⤵
        
        PID:2836
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4672,i,17897061904058866759,9264855273173686681,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4712 /prefetch:8
        7⤵
        
        PID:3008
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4428,i,17897061904058866759,9264855273173686681,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4704 /prefetch:8
        7⤵
        
        PID:5012
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4388,i,17897061904058866759,9264855273173686681,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4400 /prefetch:8
        7⤵
        
        PID:4108
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=736,i,17897061904058866759,9264855273173686681,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3144 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4684
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 836
        5⤵
        Program crash
        
        PID:1472
  - - C:\Users\Admin\AppData\Roaming\BETKL74S.exe
      "C:\Users\Admin\AppData\Roaming\BETKL74S.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3596 -ip 3596
1⤵
PID:836

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4984

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
734B

MD5
e192462f281446b5d1500d474fbacc4b

SHA1
5ed0044ac937193b78f9878ad7bac5c9ff7534ff

SHA256
f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60

SHA512
cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A35D9ABCF6B2146E5B1E68A4E5BEE886

Filesize
346B

MD5
4f222f8f0a12836ef47e5eea0ac22e85

SHA1
69ab6db662ed6f0d3f878f98895fbc74143ab72e

SHA256
663b24c6a2502f0590c1ffc1408979641e1583e0177425e4e957bcdd01632e9f

SHA512
991cff721569f3bd7a5b6eb3a5f00481da60d828f057317485b792ab27404a161bd6432159b360b1b9def97f5127bfceb7cf903ef235e8277421a17911ebd4c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
b1e036c7c111573689639d59346cba7d

SHA1
027914dfee54789269fb46df876ef0cfc2fa74a7

SHA256
20563d12a8eee4d05104c1ed7643418c052cdddc352581555b9c6332016fbc98

SHA512
1bbd0f4136d5f139630e380606d97834acce3203e09108bab8c3efdc648a063f08e7214230dc91e84409af9aeab76000c1d8f3148c8d7c3559c87fae48beb916

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A35D9ABCF6B2146E5B1E68A4E5BEE886

Filesize
540B

MD5
be3933bae48751f1c2dcd428b029732d

SHA1
d162bad063e6397b49460bfd74f3a772a5a610fd

SHA256
38dcb40014099713043a6140ae2271c2bbf00343123b03dad512ff91813d5ac1

SHA512
cf5a34823695e13e77c9f53f0ea1b660ff299a7b426d80f2268805f9e4fa46436bb4264ca3a437bed8761f463ed1eac6f37ea2c2a61513c5d8074d5ca76ea1a3

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
dd8fb7f6741d1895e37128d5ceb7e2f5

SHA1
81a7edf4739995f2a25e6478fdf61b1e0bde1193

SHA256
18961443194564fd3206144598f7da2e0298179b92f3415e4425a607c40de0ce

SHA512
3857e04625c65f59b16638e835668a8c9732b5a3117e2b4f2bf2874da4784fb1f11c04c23527e69fbd51783cac6184605b4fc46857c192e14bb2cd3ca7596c81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
77700906b3c9cced9ca6ae57f8b4a313

SHA1
e2359505abe7b36705084aebd1b4c4f37a7e8366

SHA256
18a8bf8668e3ec0ab7924999f2acace98750078488f9b6e7916948022cd5d1aa

SHA512
adb40efbdfb33e2ff9b211c34a36c269348ecc2750c73d2a6f41f5b80fc8f442a392715e87e66502f115baf0890635e789ebcbb7b461c077b3d0f27931771041

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
972df20fcd1025ac1bb58737aeae374b

SHA1
f952cc3780524368900a492b616b6d42455bcd54

SHA256
0c8a8338f6b2682ff5218dd8afd74652b50eaf83c4153d4f829368627b6a710c

SHA512
237c5a172dde6b22cad7ca89044c87fab2e042b5dd4419195d3f998b23f6c64f98ddb472b04c5f380e1560619340160e9802e9bf83cbba74a1629f1b6f9cd692

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
320B

MD5
4553d805d397e13cd1da648a4af1f8e7

SHA1
5ba51b982252432cf20ea7d50ee186c5734a3413

SHA256
40f0ac73e6ac1137c49350fcfe0bcf8905d08529a0b7edd8b74e2f0ec3c62b64

SHA512
3ead0ebc955a4322a32ef1e21099592c9ef70b13874a3429e9474d9b8549ba7b5a28a32af7e402dd3781ff244a4a231f5db59162e211ac4f47cd9de98137c741

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
4e5d86a2dd39addd2d01ba4218c7c62b

SHA1
38441442dbf75dd68a65bd749db5658aaa699c20

SHA256
a7889f281b6b18592e6a56414d70ac9db314c06f618ef5a345870a018773bd2f

SHA512
c7b313a4c2399574d201668baa2efb430d094ed5b707fd299c1ac90b1f5e9994ad50871830ec39630ca80abf2fc37cc51f4e58084f0f823c24d11e8ce75f730b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6f53ccf7daa0cd7c5e52a9c29b6725f9

SHA1
5c326af781197f1cdc3dc841b0460b6061db4631

SHA256
696e5a3ddc89f217c23b8f5199762780f83d2af76803ccd23aa7ce0466eeb462

SHA512
30bc3485fc34ca952f11b39b9a3b66d3f0263be4b552ccdf4c1a537a65ce06eed39ba8e2ac9eb20e098b0025b202d1a54db34744156e609b8f2efe6e3b31bcd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9f9103c75634ed4db821a1affc5fb36e

SHA1
3902ec706ff55b505034b0cb4d210bb7b379b3b6

SHA256
f69ebc8ef79d1b1187eb9d14e51fb6620d23789f1ebffa5177e2b6c21258a46b

SHA512
b48b6dd26b856ed8ee87168a9767913171d44e086e3ccd063c0aecf0e4d57284607ebd08129eee97ecfd2e3f52610e28561cc1d2db4fec12a036d54f9954d5f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a4a834ec68902ce5efda4a954c054af3

SHA1
49c1acf73149fa306f92739cf6b2a11ab7931844

SHA256
3a39572d96369a61ce74e2adf81faa20f2f8c8f4f9f27744f5c9465053688e9b

SHA512
a92e0db6616efeabc56a918132ec20b7d37d00e307e4af7529fbf05ce51f9d05dfa9c2eacbdd1f7a46e774d387b640f713e1859a08140767f65d1080451ee14a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0af208a8c669e12cf4c56d66ab28b650

SHA1
ef623d5380c3d46e2d4c1bb8a4cc6a5a65e53f8e

SHA256
f01446c83d666f66553a8516c2ac9ccf85b2f3aac93a3a369ba7ce54655afe52

SHA512
a6d1ed592661e5c7ffe7ae918f21ff904f822d81c15f5d21504fe200b4356cdf852fbae9fa355a7bbde6f0db85bd44d4fa11fb16b9b90ce9239f5543670b3692

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c413067e64e0f331aae457767cf9973b

SHA1
9aa1f9217a6b36bac78184867e952543f34c3a6d

SHA256
aa74dc69f8463c5b573369da8b7b218e7e967bbbda8077356a91fbae070a657e

SHA512
93406bb31d82c8abfed433743b978a5c46cc42a8d5ef58f1905f8344056120a79ef1a77c80381041d29f95af7571addc77908eef676aa7993451c582c32135d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9b1e81f4dc522c72198f7722e12e4f0b

SHA1
b493d155b3f38f517b0a81aec56b74bcd3336a45

SHA256
abd0548e00277efc97d87ef7e8cd20df1d4c44a02902a1f9a32c883966036c1b

SHA512
4de08ebcecca734e559403dafa41beceae5906c0a2ea81a0ee7e89d23323fd20dfe708a1ac1480d465ad7199310ddac79a3e21b91e00fc64fb3a3551f6a15327

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a2277e122f784d26300e59ff87cf7eeb

SHA1
f379124bc8e0fdd65924b329159d05bae1083d00

SHA256
f88ad6c17d863cbde581795bb33b5e3c09ae84815d8c12ef25db4481d13eabeb

SHA512
e153f855f88e67ac71df6f657abea31760da329c6e13522f09f0992f3480de622e40cf749471600a15a85700c76b465333d4d4679177159fce73deca6aa6c51c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3da649f5c5a0985fdaf2720f80c3edf8

SHA1
471310264e003fcf63cdecd07533798a22072bbc

SHA256
e1c33b41b0d409582c3e320e155e51373ff1699588c01291c5defadf8def05e4

SHA512
8793e9962175dc6c9216a7ddc49bb0631c3e50710e44d94d5352bab95b876b644e89f0d1364fa7006c905d3a7b197c20b4b2d531fe8c33c92a0c10791ce2be29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ae350520b99e131bfa450f8799c05372

SHA1
316b101ad1601df9a89097c5ffe72a003366dff0

SHA256
a3b7ccdbf1e1a815d38935d14e4308bf4e537f09785440c62bc01b2132ee8fb3

SHA512
7c832c329b1ac5cdbcd2dd18493daacd93ffb1aaf187ae8977ce2de6719af770f3d8221f88bb9c8adc137f59eabc96fb1cce61a2b3899c78e0910e55b2f0e26c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
26209afc1b6f9ad38a5614e0fe9d550b

SHA1
0dd60d1bf04b07faa168c9765922f200996ccd62

SHA256
b2b0b91922c4d3c69b778a721241e8b60d661301537d7cb37ffa982f04c34d83

SHA512
27e1d2117d8da3d41599261730f48f0774edf4cc94d5477b45d645600b8fc5941b07ad715d0f97849686d7afa45ae61c2f5b5cf723d9e4ded66a1e0d80806b13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
942030ce58ae6624d77cfbca6cb4919d

SHA1
49cb76920eaf426e4ad575990419748e7bc6c65c

SHA256
f606c9726dd9386e9633cdb2077c49d2e808fce8ad3fe6253c603db486d51fbf

SHA512
bcd06b4daa96f392821fce69df27288ce099d6aecba3986b2cbaa230e878c9aeed1f46fb284ac5708b86c476ed7003b6b75363ef1188ed157b55ae3e1d1014aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
af74c64ba1ae6b6e0b19aea7b78184d0

SHA1
fd5886b364ca527fc5ced6b77a76fd26469487be

SHA256
61a85ea18bae11ce688a03cd1eef2b89b1ec0c84640446f9725801e3aafb1769

SHA512
55fe7d1714ed7c55bb8c98e0cca13517fd1e6fd3d121f9f7dfe6ae1fa42d60d68f8e963dee2348b3c2880b9479033788e4cd8efcf4708f5947b04879bd105253

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
46db43b2b985e85868c7fd41e3510c1b

SHA1
02bd59bd0c1f5c4c88c1b5b5b6494c1f9e6e14a6

SHA256
7930558d35194d01f79947e23266da679166cf1035eb153397509d3b45faa759

SHA512
cf6329f15166d4be469a7cb714805dea3f38627ce3ec0fdce8a4538b24923ea029e282bd8df567385cbe7e2b0ecae528a8c237732bccbd42f55636a726aa9cac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5e401e09aaf73954b7f73423603c8616

SHA1
772c551c29f0301e977a9aa753af004fab32c7c9

SHA256
51f431bd480048fb79de0ba76b03271f5284301a19e073acb445b7aef9daefaa

SHA512
2c1429c77ec209693741144bf9e38d2c5c6c0526673e7253b0321b170f2221d36ba04e57afc1b9e11ee43d21c7f480367c099bbeaa111d7c00d501d1d6990a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1bc11e412180b775a7ad9e0796e6e815

SHA1
5977dfae39e564cee8134dc99cf6c852c7399a87

SHA256
1a1187418209ef878ec7c3c71b45d475c7944fe9780f6897cffcb42586a6ff60

SHA512
7132322358c209c8afbaee6590ae66d12841f932aafc0c808b4cf9f3ee83b3646329b61b97c4f5b269a28011a50f725a9b0133c6f4713ec8f52c31abb0b374e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7fb2b3577dae16dc1532822181933d66

SHA1
ff2023807006c47be872a578923902b563948682

SHA256
87cca8cf79c6c7aec5059eab34a6dcabea22130a7f6140b6b6245d4e4bb0792a

SHA512
c6028f92cadd1e07b356493a2d1c724bcbf39e7ddfa1705942a00a4b62e5ffc004703d9329d690048d56b06a9e43567ac53bec58292f0aac014bd413b1fef9be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ef586b58a174d477fe52c1f4239793f1

SHA1
e44907b82b67394e206a3467aae3f1b878a141c9

SHA256
fb199ac9cba54923739b7e0d9809fe18d6751ebe262e258bfa1570900c30eff0

SHA512
93507f44dc249eb1b3f0c7235f3e030fd9649b8584d1ac0ce8f975fbfbec1031c3d46347113e61ef486fcef4e9fccea2336048868cfcb0dd8bb62942f983d9fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
bf333354014d5c1a3226772941b7f33d

SHA1
954ce3d823c8deffbe6c86449333e2b4ace7246e

SHA256
5f4139f29100c393cf240e7ef2fedee5d2c6c3f1c017718e3eff15abfa0e818b

SHA512
9f6491153190a5b4e138ba16a32188bd2a10eecc403b2c64a7efd13c9937d43682e658bfee6a17eadcd5cd10e9847537f8a5070ef7f109595990a893957f5a84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
05f874d69e47e0a43851794cb17b2ba3

SHA1
a600b7652f68aa91ea855181a654d7495d9a92f8

SHA256
0885ec3d23673537beca9dc066309d32d09e2676b356d61c100bfc4a0dc5ec7c

SHA512
5f5c2ba61ea689db9ed431c3b33d6b7ae1e6534b6183645a8d5709a59270f3e3b10160c97fd090bb9462f610002a8b5c46cdc91dca18dcfce217c99f657847d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0c436a59fe6143c2f748f8388c1bbdd6

SHA1
2e599a99833d006a88b7de39b05b9eea89a50072

SHA256
72eb7fc4c5f62901ea5b70522a42a4fb133403c41ed29cfb6d06f6345988d9cb

SHA512
13179bf3dbd392a1d0b99a9626ca1db9c9e71e42e9b7e67da37f82beb34a086593272c656b7747c9f45f4b1b2240e6c22b317be35a7de449b1e109027b47fb06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b2bc1c672f5d3f633730d7f200c78388

SHA1
885ac5e3d847543dc4673d8cb331f09736910be4

SHA256
d8cea13dc814e4703fab77485d093ae6d5edf8bae7faef93799bc87ee9ade610

SHA512
0b687eaa07fee78a2db632ffb888a4116e3932f2cc774aef38ec889d7aa67fc5887569a245970ba603a01ce7270c655fd814bcb5bac284f2bb5c647d1c5bc82e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
37dc542a5ee5bca0ecdd811acdf04273

SHA1
153f4cf370e5fa3266d1fc6d526dd297b2990981

SHA256
fe29bf8cb232607bb8f713b5820cc6c7eb47893c992cf8952b509e7484bf2799

SHA512
22d0ef30a4d8740a4111cfb0ffee1710c98904cf6707a6cea20c182278bbf76a02fe73b0783e07d247dd61276e534e27f24cad03162cf55703a6c0d9910f3b55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG

Filesize
333B

MD5
dbe3ea6a3acc40e11a5d4ce87634703a

SHA1
7068bb1fedd81b2123016d00d1d3efb33f9fdecc

SHA256
d7d6168a6ce7f8a32bbfb16eae68bc5d91c28f10b77fa6b3ad6728b297e75854

SHA512
5352b21e10140cbdb440d23d8e39cc5e377bfe7883485887f120521e938baf58e349763c04993c245373f5be9c8b553ed14245f0fb7ee2be1a109f0f367243e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

Filesize
308B

MD5
4e7982b86b3d7d916b7722aa3b3f0669

SHA1
ce4e874903cb71d9012cc7654ca7a6ba5e4f7efd

SHA256
cbee1100a2c9add47776b7e416b58a809f6feb9fe458bef8185b0c176b5db340

SHA512
c4dda8b36e90a327061dab901730f47fc23cca129b02a157f1ed0c566a1d6dddf272a4e74d3acbf14eb3a7fac0820387a584db9e19ca299724ed7f3030f891bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
317B

MD5
c754c71458e6e8abb1a66a08aeffdb4c

SHA1
53565194b813d9d7036661334114f9c69a256bc6

SHA256
f103a8fa2778aafb2f4de65c497d6163f1379b6e632ade4e1ab598c961676f3e

SHA512
0a89ebf2a03a6aac97704e6ebf0d1dd4889bcfdc0427d2b0ae2227ab2edb9a5856392fe68d77692349e678c7460208d005d55a65593fa446972d1b9bcd7aee30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
348B

MD5
f7bab2342e8ed2dc47df05eca874e66d

SHA1
678eec2c073d2beefcb5cbe506cd732a65219b32

SHA256
c4b0f100d492be471c089e7338059287e62d5717c75f411c232d9af939cac6db

SHA512
86db5f6e42c02b137dcdcb03a6ee97e6ae4ca52c92ddd71c5ed438888895aeecd5a89b140158a7f4bb179b328cfa2dbd1b24a7d4afa2dad46bf7b5eac3498fee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
324B

MD5
6593530258a0d2a299f75f67c63a810e

SHA1
46f0518acc92a1428934dc2f001a689e6ffa9a98

SHA256
be0e962d3aededfec087f020e19c64aedc580c5890f200716fc29ea952d57f33

SHA512
bb22a2ba2c4fa25a8b5d829277c7309a5d96fb395b0b5504e33f86a32747f1074f4397845bd8c4935453ae21dc6ada11da2360b40833f2daf43f4c28696c5aeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager-journal

Filesize
8KB

MD5
9c6cee37064123f3f11e30d726900aa9

SHA1
cec72dfacf08c51d0e93e1bdbc3e17a4afadb697

SHA256
7e1a2322ac12531be4473203f7ede5e8a82e6309ba46a9953272d2c7def84ef3

SHA512
89063df5d7be2c6b490d5a8442a88eea0e06bb50cae453275fdea931631a856857b1da2087d16b8561ecc186d3749b33cd725c5b9a90d3333c89e17e2d12b9e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

Filesize
14KB

MD5
69d8bc4fcb89ffd58ae8d3410541263c

SHA1
679a65a3b8cb40ecd4836c15830ec3da47e3898e

SHA256
2fc1eada86145053e69ce9dda09ef012c66223d4f77c137284c0a6debf1bfc07

SHA512
094b4fa3da5f5d71104060ac3f006518f39e2497da3c0cd03e73b2eefd268d8d1972ac818918b60cab5206cdc487a5d47969b0341502dad2e631ec502c0d62e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
320B

MD5
ea944a977111977d26beeb894b5f50c3

SHA1
d85d047e3948f855a133b17d68d215ae89f48826

SHA256
77e369af7300dbe8f3950cc2ccc506880b9bbad43946ccb1c1eeb0d9e78c7e20

SHA512
bd6ee81abca33655af5ac3c5132ebdacc9e2fbf4aa775d757db31d9975d95e11cc6f55fe9c364fc5e763ec708bd90eba373d94627dd6ef8ecd7259cb327689d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
1KB

MD5
a10039d87d213e4efa58e030a57bc50f

SHA1
2affe180c597957406a0a6e7ca723d42391d80ab

SHA256
9c17f2f2966ae10f5ada758f0cd164d4f9f910649f60cc686299a99848fe52b9

SHA512
ed0a8332f3ef5967eba04ab74490bb20915695b4a5f1798ca2537b4bc0d34384901a93bdf1228a7b341b52f8fbe5f42c78c592153b4cad7bd02fd410ba4c931b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
338B

MD5
f26bd955ea5e9d5253766e87a73021d2

SHA1
a6121c7b8445291d290e427ed72b66bef16364b2

SHA256
900d203e22a6a2fdfc7be40f2350786ab27c1be661fa6535ecb6eb03538152d7

SHA512
d81950b1067ba69c07bc001fb6dc970b6634101c1bb8af80a58c757df4490fc1c03810fb1694462980a013ec0d2e1716c8814ce9182862c4ffb3cf33a7c68ad5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
c3866860a1a4cb761edbd32c4253a8e5

SHA1
92b76f5eb708e86e017f7f01b92a9eda49c3a949

SHA256
9fa0206c1f001140fcccbaf9c7ba68933018b862ee9939ac2de1b02863774f0f

SHA512
5f813f53e17988e7d56d92143517afdb4f950b62d43fdee54c404aebc4ee3bfa7cd17cf4e47b7a8561d53a6769f884144dced5cf75c30349524c4e71cfa6cab9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
6f1355f8a1bed07b8664088e68519b5c

SHA1
34ca9145b7fa8d131f7a13653c07ea23919c808f

SHA256
d9a64aff71d122d55d4d73e077d76bcc636b2f0eb088e61292d28ceb37271296

SHA512
d9bf7a68d9b32a443b9ad2f7bfc1e937ef003fd5d5590945eb1a43f2f4feb8cddb3850baab5692da9fd54d1a184dec718e79c6cbe9f531f67df63b2a8c221810

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
4.0MB

MD5
7f5d3012b0f3b9756d0c2ab60ee7d368

SHA1
a15be6827c3a110fcc5b9fef253e248599c442f2

SHA256
051d10a5b80e18dde1a60ccf45f68687fd230820c15f6b7c33cdd1a23a262010

SHA512
ffd7c1bfe7c779a8c29c519213ad5f5c03b8868da812f40d5d031d8a32b8624b37cdfa48f2dffbe3fb2f12e9cdbe9798846d5faecb1985c68683a22dd814ccb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
ef48733031b712ca7027624fff3ab208

SHA1
da4f3812e6afc4b90d2185f4709dfbb6b47714fa

SHA256
c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

SHA512
ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
246KB

MD5
93faf8766b6fea086e5f3897987d97da

SHA1
61c2cb49bb6c6d5ad3789c8bed4bc171dbdad767

SHA256
f182b450b25a272e272f31c1eabe9f61028d38f6cd2e3895cd75aed6791c66fe

SHA512
41c972a073bed6aaa547d72ccacd83f950d846289047e544f265960d1dbacb38c3ce917cc5b07b7f7a1202d303ac34c61d38f90e1a19ebbdf54c842ada135bff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
246KB

MD5
40ba5fdb94addc5eeec67a569d54f874

SHA1
ddbaf92417b17f9f00121c84ae35dc077744234a

SHA256
04d37aff1d47a0cfda03104edea81212018b0b9b0c98761d965395ff732cfb1e

SHA512
2a8c18401cf74f6a00e0405e3201b6635ef0c45b43cb1230dd1edcfe9d4b61db2c333e957e24edc3a9bd99d210d6b84c0a14ede5226a22773c9d9661a3986160

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
446c3266fe2d269282887afb9e0953c9

SHA1
3a856b7d606d3606dc5dffa8f4065e9c920ed7ab

SHA256
0f87f1cf57f5c29713b90eb32a68572e44b4f0638c21dd7002526c037d0d78eb

SHA512
e1e7a3c2e1fafa33a6bcbac6404615eafe7059c665887c49830152858087145a595e4a3afa87eceff7c79dd124a2818110be591b93e083e7f7f9b4e942728c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_40tj0s4c.oj2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\BETKL74S.exe

Filesize
11.8MB

MD5
eca54760f1e96a78e3f6bc537debc6bc

SHA1
82ef61482d781849a80f9f9cff67e2f76ffb7035

SHA256
b9b69e4088f61ce32506078d301f9cfc7db064945d6e608724e213aab5852db5

SHA512
f70749a89d7d66c2089981fc161db8c88cdf4a3ff6ae6df18b2c6f30b351ad9dd33e527ebea0052db2b60896f7caa44ca2edafa9381db689867d2f9806e36944

Download Submit
C:\Users\Admin\AppData\Roaming\VBSP14J5.exe

Filesize
200KB

MD5
00affd80e21068e56ae72712509f7a98

SHA1
ca6af85f9f2a735f258e1a43043a4b54cdffa9df

SHA256
a03ce36025010929a9cc0d286ed02100d259ffc7693beb3623ea7007dce4802c

SHA512
07c3f0336e4a6d85bc7c14f1fcba924e45e077f0ada157fa17c4b989fced5d1ac59054c7e90729e63ce3d4f0de7e280a35776c614f681609714418d9a847b7d6

Download Submit
memory/3132-70-0x00007FFBBFD30000-0x00007FFBBFD32000-memory.dmp

Filesize
8KB

Download
memory/3132-71-0x00007FF7D15C0000-0x00007FF7D289D000-memory.dmp

Filesize
18.9MB

Download
memory/3280-75-0x00007FF7D15C0000-0x00007FF7D289E000-memory.dmp

Filesize
18.9MB

Download
memory/3556-12-0x00007FFB9ECD0000-0x00007FFB9F792000-memory.dmp

Filesize
10.8MB

Download
memory/3556-10-0x00007FFB9ECD0000-0x00007FFB9F792000-memory.dmp

Filesize
10.8MB

Download
memory/3556-13-0x00007FFB9ECD0000-0x00007FFB9F792000-memory.dmp

Filesize
10.8MB

Download
memory/3556-0-0x00007FFB9ECD3000-0x00007FFB9ECD5000-memory.dmp

Filesize
8KB

Download
memory/3556-14-0x00007FFB9ECD0000-0x00007FFB9F792000-memory.dmp

Filesize
10.8MB

Download
memory/3556-11-0x00007FFB9ECD0000-0x00007FFB9F792000-memory.dmp

Filesize
10.8MB

Download
memory/3556-15-0x00007FFB9ECD0000-0x00007FFB9F792000-memory.dmp

Filesize
10.8MB

Download
memory/3556-67-0x00007FFB9ECD0000-0x00007FFB9F792000-memory.dmp

Filesize
10.8MB

Download
memory/3556-9-0x000001A6F4050000-0x000001A6F4072000-memory.dmp

Filesize
136KB

Download
memory/3596-40-0x0000000004FD0000-0x0000000005576000-memory.dmp

Filesize
5.6MB

Download
memory/3596-39-0x0000000000140000-0x0000000000176000-memory.dmp

Filesize
216KB

Download
memory/3972-22-0x00007FFB9ECD0000-0x00007FFB9F792000-memory.dmp

Filesize
10.8MB

Download
memory/3972-16-0x00007FFB9ECD0000-0x00007FFB9F792000-memory.dmp

Filesize
10.8MB

Download
memory/3972-27-0x00007FFB9ECD0000-0x00007FFB9F792000-memory.dmp

Filesize
10.8MB

Download
memory/4416-78-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4416-117-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4416-73-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4416-47-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4720-76-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4720-69-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4720-77-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4720-133-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4720-42-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4720-46-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download