vidar | c7d2fda303d9928f804d3269d128b216844d9afcb2f533054c8d87e1c6fd4aeb

Analysis

max time kernel
595s
max time network
429s
platform
windows11-21h2_x64
resource
win11-20250210-en
resource tags

arch:x64arch:x86image:win11-20250210-enlocale:en-usos:windows11-21h2-x64system
submitted
10-02-2025 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

data-Setup/Setup.exe
Size

44KB
MD5

f86507ff0856923a8686d869bbd0aa55
SHA1

d561b9cdbba69fdafb08af428033c4aa506802f8
SHA256

94f4fd6f2cb781ae7839ad2ee0322df732c8c7297e62834457662f8cde29dcbb
SHA512

6c1c073fc09498407b2c6b46d7a7e04c2db3c6f8d68c0dc0775211864c4508c48c2bd92e3849dc3805caacc856f9e31e1eea118661a55f526bfa61638f88c3da
SSDEEP

384:RozxIpl4504JaAystntGecMJ6gjpS1BO2NjrLVXjW9VBhKigecicWwnWzYDTFu:Rg04PGeZQG2NDVXjWLu1imL

Score

10^/10

vidar credential_access discovery execution spyware stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://micfriosogprodnorthghostcom.top/kjgkjlKLkjfjkrhjHRGHKLNMREJGHKJnlGKL3454345BFJKKJnVBEKERJKRGEGREGRGERGERWBFDGGBTfgfbergsc4334ggd/lice

exe.dropper

https://micfriosogprodnorthghostcom.top/kjgkjlKLkjfjkrhjHRGHKLNMREJGHKJnlGKL3454345BFJKKJnVBEKERJKRGEGREGRGERGERWBFDGGBTfgfbergsc4334ggd/lice

Extracted

Family

vidar

https://t.me/sok33tn

https://steamcommunity.com/profiles/76561199824159981

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

Detect Vidar Stealer 16 IoCs

stealer

resource	yara_rule
behavioral3/memory/3376-46-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral3/memory/3376-51-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral3/memory/2928-53-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral3/memory/2928-70-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral3/memory/2928-77-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral3/memory/2928-78-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral3/memory/2928-79-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral3/memory/3376-115-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral3/memory/3376-116-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral3/memory/3376-154-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral3/memory/3376-138-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral3/memory/2928-171-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral3/memory/2928-178-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral3/memory/3376-193-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral3/memory/3376-197-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral3/memory/2928-199-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	4688	powershell.exe
4	4688	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4688	powershell.exe
2728	powershell.exe

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3948	chrome.exe
1496	chrome.exe
5044	chrome.exe
1032	chrome.exe
4968	chrome.exe
2608	chrome.exe
1792	chrome.exe
1484	chrome.exe

Executes dropped EXE 6 IoCs

pid	Process
2684	8E6SWRF0.exe
3376	8E6SWRF0.exe
3260	8E6SWRF0.exe
2928	8E6SWRF0.exe
3176	8E6SWRF0.exe
2360	V3NDCB5J.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2684 set thread context of 3376	2684	8E6SWRF0.exe	92
PID 2684 set thread context of 2928	2684	8E6SWRF0.exe	95

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3216	2684	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8E6SWRF0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8E6SWRF0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8E6SWRF0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	8E6SWRF0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	8E6SWRF0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	8E6SWRF0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	8E6SWRF0.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
3976	timeout.exe
3892	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4688	powershell.exe
4688	powershell.exe
2728	powershell.exe
2728	powershell.exe
2928	8E6SWRF0.exe
2928	8E6SWRF0.exe
2360	V3NDCB5J.exe
2360	V3NDCB5J.exe
2360	V3NDCB5J.exe
2360	V3NDCB5J.exe
2928	8E6SWRF0.exe
2928	8E6SWRF0.exe
4968	chrome.exe
4968	chrome.exe
3376	8E6SWRF0.exe
3376	8E6SWRF0.exe
3376	8E6SWRF0.exe
3376	8E6SWRF0.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
2928	8E6SWRF0.exe
2928	8E6SWRF0.exe
3376	8E6SWRF0.exe
3376	8E6SWRF0.exe
1776	MicrosoftEdgeUpdate.exe
1776	MicrosoftEdgeUpdate.exe
1776	MicrosoftEdgeUpdate.exe
1776	MicrosoftEdgeUpdate.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3228	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4516	7za.exe
Token: 35	4516	7za.exe
Token: SeSecurityPrivilege	4516	7za.exe
Token: SeSecurityPrivilege	4516	7za.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeDebugPrivilege	1776	MicrosoftEdgeUpdate.exe
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 3756	3452	Setup.exe	80
PID 3452 wrote to memory of 3756	3452	Setup.exe	80
PID 3756 wrote to memory of 4516	3756	cmd.exe	82
PID 3756 wrote to memory of 4516	3756	cmd.exe	82
PID 3756 wrote to memory of 4516	3756	cmd.exe	82
PID 3756 wrote to memory of 3976	3756	cmd.exe	83
PID 3756 wrote to memory of 3976	3756	cmd.exe	83
PID 3756 wrote to memory of 4632	3756	cmd.exe	84
PID 3756 wrote to memory of 4632	3756	cmd.exe	84
PID 3756 wrote to memory of 3892	3756	cmd.exe	86
PID 3756 wrote to memory of 3892	3756	cmd.exe	86
PID 4632 wrote to memory of 644	4632	cmd.exe	87
PID 4632 wrote to memory of 644	4632	cmd.exe	87
PID 644 wrote to memory of 2988	644	net.exe	88
PID 644 wrote to memory of 2988	644	net.exe	88
PID 4632 wrote to memory of 4688	4632	cmd.exe	89
PID 4632 wrote to memory of 4688	4632	cmd.exe	89
PID 4688 wrote to memory of 2728	4688	powershell.exe	90
PID 4688 wrote to memory of 2728	4688	powershell.exe	90
PID 4688 wrote to memory of 2684	4688	powershell.exe	91
PID 4688 wrote to memory of 2684	4688	powershell.exe	91
PID 4688 wrote to memory of 2684	4688	powershell.exe	91
PID 2684 wrote to memory of 3376	2684	8E6SWRF0.exe	92
PID 2684 wrote to memory of 3376	2684	8E6SWRF0.exe	92
PID 2684 wrote to memory of 3376	2684	8E6SWRF0.exe	92
PID 2684 wrote to memory of 3376	2684	8E6SWRF0.exe	92
PID 2684 wrote to memory of 3376	2684	8E6SWRF0.exe	92
PID 2684 wrote to memory of 3376	2684	8E6SWRF0.exe	92
PID 2684 wrote to memory of 3376	2684	8E6SWRF0.exe	92
PID 2684 wrote to memory of 3376	2684	8E6SWRF0.exe	92
PID 2684 wrote to memory of 3376	2684	8E6SWRF0.exe	92
PID 2684 wrote to memory of 3376	2684	8E6SWRF0.exe	92
PID 2684 wrote to memory of 3376	2684	8E6SWRF0.exe	92
PID 2684 wrote to memory of 3260	2684	8E6SWRF0.exe	93
PID 2684 wrote to memory of 3260	2684	8E6SWRF0.exe	93
PID 2684 wrote to memory of 3260	2684	8E6SWRF0.exe	93
PID 2684 wrote to memory of 3176	2684	8E6SWRF0.exe	94
PID 2684 wrote to memory of 3176	2684	8E6SWRF0.exe	94
PID 2684 wrote to memory of 3176	2684	8E6SWRF0.exe	94
PID 2684 wrote to memory of 2928	2684	8E6SWRF0.exe	95
PID 2684 wrote to memory of 2928	2684	8E6SWRF0.exe	95
PID 2684 wrote to memory of 2928	2684	8E6SWRF0.exe	95
PID 2684 wrote to memory of 2928	2684	8E6SWRF0.exe	95
PID 2684 wrote to memory of 2928	2684	8E6SWRF0.exe	95
PID 2684 wrote to memory of 2928	2684	8E6SWRF0.exe	95
PID 2684 wrote to memory of 2928	2684	8E6SWRF0.exe	95
PID 2684 wrote to memory of 2928	2684	8E6SWRF0.exe	95
PID 2684 wrote to memory of 2928	2684	8E6SWRF0.exe	95
PID 2684 wrote to memory of 2928	2684	8E6SWRF0.exe	95
PID 2684 wrote to memory of 2928	2684	8E6SWRF0.exe	95
PID 4688 wrote to memory of 2360	4688	powershell.exe	99
PID 4688 wrote to memory of 2360	4688	powershell.exe	99
PID 2360 wrote to memory of 3228	2360	V3NDCB5J.exe	52
PID 2928 wrote to memory of 4968	2928	8E6SWRF0.exe	100
PID 2928 wrote to memory of 4968	2928	8E6SWRF0.exe	100
PID 4968 wrote to memory of 1368	4968	chrome.exe	101
PID 4968 wrote to memory of 1368	4968	chrome.exe	101
PID 4968 wrote to memory of 2060	4968	chrome.exe	102
PID 4968 wrote to memory of 2060	4968	chrome.exe	102
PID 4968 wrote to memory of 2060	4968	chrome.exe	102
PID 4968 wrote to memory of 2060	4968	chrome.exe	102
PID 4968 wrote to memory of 2060	4968	chrome.exe	102
PID 4968 wrote to memory of 2060	4968	chrome.exe	102
PID 4968 wrote to memory of 2060	4968	chrome.exe	102

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3228
- C:\Users\Admin\AppData\Local\Temp\data-Setup\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\data-Setup\Setup.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\data-Setup\data\extract_and_run.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3756
  - - C:\Users\Admin\AppData\Local\Temp\data-Setup\data\7za.exe
      7za.exe e bin.zip -pYOUR_PASSWORD -oextracted_5913
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4516
  - - C:\Windows\system32\timeout.exe
      timeout /t 2
      4⤵
      Delays execution with timeout.exe
      PID:3976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "extracted_5913\sss.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4632
    - - C:\Windows\system32\net.exe
        
        net session
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:644
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        6⤵
        
        PID:2988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\data-Setup\data\extracted_5913\script.ps1"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4688
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
      - C:\Users\Admin\AppData\Roaming\8E6SWRF0.exe
        
        "C:\Users\Admin\AppData\Roaming\8E6SWRF0.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\8E6SWRF0.exe
        
        "C:\Users\Admin\AppData\Roaming\8E6SWRF0.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:3376
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3948
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbb24cc40,0x7ffdbb24cc4c,0x7ffdbb24cc58
        9⤵
        
        PID:3972
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,6702987588219173302,1874472325751283253,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=1948 /prefetch:2
        9⤵
        
        PID:3212
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1676,i,6702987588219173302,1874472325751283253,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=1984 /prefetch:3
        9⤵
        
        PID:2660
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,6702987588219173302,1874472325751283253,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=2388 /prefetch:8
        9⤵
        
        PID:4448
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,6702987588219173302,1874472325751283253,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3148 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:5044
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,6702987588219173302,1874472325751283253,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3200 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:1496
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,6702987588219173302,1874472325751283253,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4488 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:1032
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4396,i,6702987588219173302,1874472325751283253,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3676 /prefetch:8
        9⤵
        
        PID:1624
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,6702987588219173302,1874472325751283253,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4732 /prefetch:8
        9⤵
        
        PID:3420
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,6702987588219173302,1874472325751283253,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4756 /prefetch:8
        9⤵
        
        PID:2084
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4408,i,6702987588219173302,1874472325751283253,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4772 /prefetch:8
        9⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\8E6SWRF0.exe
        
        "C:\Users\Admin\AppData\Roaming\8E6SWRF0.exe"
        7⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Users\Admin\AppData\Roaming\8E6SWRF0.exe
        
        "C:\Users\Admin\AppData\Roaming\8E6SWRF0.exe"
        7⤵
        Executes dropped EXE
        
        PID:3176
        
        C:\Users\Admin\AppData\Roaming\8E6SWRF0.exe
        
        "C:\Users\Admin\AppData\Roaming\8E6SWRF0.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbb24cc40,0x7ffdbb24cc4c,0x7ffdbb24cc58
        9⤵
        
        PID:1368
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1796,i,11961844377216314266,4576432886732229482,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=1792 /prefetch:2
        9⤵
        
        PID:2060
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,11961844377216314266,4576432886732229482,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=2100 /prefetch:3
        9⤵
        
        PID:3740
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,11961844377216314266,4576432886732229482,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=2148 /prefetch:8
        9⤵
        
        PID:4736
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,11961844377216314266,4576432886732229482,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3140 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:1792
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,11961844377216314266,4576432886732229482,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3176 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:2608
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4500,i,11961844377216314266,4576432886732229482,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4520 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:1484
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4156,i,11961844377216314266,4576432886732229482,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4136 /prefetch:8
        9⤵
        
        PID:4896
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4208,i,11961844377216314266,4576432886732229482,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4700 /prefetch:8
        9⤵
        
        PID:5024
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4824,i,11961844377216314266,4576432886732229482,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4720 /prefetch:8
        9⤵
        
        PID:2944
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4184,i,11961844377216314266,4576432886732229482,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4616 /prefetch:8
        9⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 852
        7⤵
        Program crash
        
        PID:3216
      - C:\Users\Admin\AppData\Roaming\V3NDCB5J.exe
        
        "C:\Users\Admin\AppData\Roaming\V3NDCB5J.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2360
  - - C:\Windows\system32\timeout.exe
      timeout /t 2
      4⤵
      Delays execution with timeout.exe
      PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2684 -ip 2684
1⤵
PID:2160

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5080

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3068

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
734B

MD5
e192462f281446b5d1500d474fbacc4b

SHA1
5ed0044ac937193b78f9878ad7bac5c9ff7534ff

SHA256
f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60

SHA512
cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A35D9ABCF6B2146E5B1E68A4E5BEE886

Filesize
344B

MD5
00feadcb431c4010bc2358bf39d2d02b

SHA1
7572a1a88736860005017e808f21d05cd45b1e45

SHA256
f04eb0908e2c25f459dc6d6a900ca2ac458b2b5f6da5a611110547b1c66c6b6d

SHA512
07566bfa9be5e5471090ebd9663d0c5e3e774fc4b73f9533acf6871c8f6e8461824d0355a7e6da4966afa853b963c2d73edbe59d10116a3e2273f46cc1453c59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
2fa0c46a44fad55ac283dfeeec86cb15

SHA1
6f0394ec57db12655c707153c4127df0f356ccdb

SHA256
317458af99e30ba769391897c09bccddba4bbaf0d3b6219a19c40e855099020f

SHA512
a48dce1b675bb91e499644ba4e145b2ea2ff0657850781969c6bb2947ecb5740bbe6d10f1db0019c1df38342861135b91436283b9a0fc3d1707bbc3085c4c08e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A35D9ABCF6B2146E5B1E68A4E5BEE886

Filesize
540B

MD5
926dfff48d476d5d891566e617ad5b15

SHA1
f13a361b7ff2e82b243b02073bad1b37d6379d69

SHA256
90d6a11958649b51c25a999bf57d49cbc087901864db81a164a5e82c87456721

SHA512
2e152ea746254f6e474e19e16d51c98262631903bde50b924039a9ec536ff17b77722bd4cce65c0be61bdf462b043d47341d18b0ee3d5fd8085baf202f0a344d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
486e63a749298e092db1d1e9e9564597

SHA1
f3a54eb07b0dfe9a770f8928adb5a1ef625c9848

SHA256
7671a3d3efac6424569e3b21fcfa22e0f92d16cd99cf71a639a33e471cab52c9

SHA512
d42e5129cc0c5689b08a95192169124663932a5f48370050dd9642c3180d2cf2d5138e3ae996543985555688c8057da22f9bcf5486fccf1dcf1427ba35e7f123

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
7edec284565116c4af75ad08e5f947c8

SHA1
66f3bf0aa2b6687ed10c9de1af065a5d4f3abfd1

SHA256
72a3b6003b8db50fe15194952f97d38837a9200ec159963816bc17f16fcc93cb

SHA512
fffdb356cd02b4a90503a18b35ac0bdc1078bb509bd8d53c711a5394e0ec750bc0c63c1a81ff962024db4449afdc8a08c9f6aca6550b25704147dec0cd4ab3fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
64f6877f09e0e4a9f9008294024d84e0

SHA1
9e2f5984cae11a53ccaa83fb69ad24c0a1503eed

SHA256
3bb0394ade58722d5c5319525355798a91f044ab0804b14783d5e4cb5c989288

SHA512
70d27239243f765b3bb9813554a3da10b38f7ae28fcfaeabf95bdfe986d831ee963666fe07638ced8a11259fbd78ed941157c2be1abd4548e40a54965bc6ea33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
a3755c0a595947d2898cb484afc4cd0b

SHA1
411be8f47a4ee52db5e7c146a45fdce8a4f9b499

SHA256
b2ee69d4ec4609122b22e044e5ebec916a501b293b816698086952fbaafd647a

SHA512
4da97e9cd494691b3b544ad5c916517ea381e7f87c98ba6f9da834434f1f951b0f8365d218b86f0051816e39a3d9e1229758eac8dbd909a916ec5b931e98bfe2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
36KB

MD5
77fc572272bd9daa98052b8326892769

SHA1
f64e519b1b445fd189143ad19c979b6f58ce6b0a

SHA256
d31e1efb1854135a81dfd40033c041083b10aa57da6f54958753282f8e28c0fb

SHA512
fa836c6ca016dc31c755bfd4a701adeb2d121b58371fa9b736d714d818825a53523e627c747fdedb6cfbf8140555d5e2fc922cf148f98980627cabdf84906d20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
317B

MD5
0112b9e609046f89487e215dafd98181

SHA1
1e997d6ffaa5a8d9b37a80f14dbc71ad0ad95f1c

SHA256
27be5c6a041f5d25965ddf7a6fdf9ce11f1e928a5869877f1913b7670e2834c8

SHA512
cdd45cbee86857c32240ac64b79fdc4276b60d09ff82cf7ea9f6e4cb8f6c92ac1bc747238a7074a03c1c76d0271eefae8f56aa082dff6e061ea46025a2a50142

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG

Filesize
327B

MD5
07eaff9ea25ab99bafd2a4b6212f7fcf

SHA1
b940384a5877357c7ef2e70a440aec3c27f4171d

SHA256
44d434ce6a419160b184593660cf5f228d304e0fb03303cb34e561127ec231f8

SHA512
14f93f1733e48081b181db3472f99a72b040f4b8eb32a693b653cd1e9a1666215e5026a9dfacf46a219509d4b1d5974f3683b47eb022cbb166f46731638f8ca5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0

Filesize
44KB

MD5
5a0d80334df4b49bc8007b8b28bebaee

SHA1
0f629556dcc4cdb0ae9674a45bc34444d4332b32

SHA256
bfaa6382ef449745600dfdfb45fd949e6f5de01ee075aab90163c9e69f1d9ce2

SHA512
83d2c145e89128370afe62d561ae3fc664d6f3ff189cfd3a56d6181f06973edb50d6d2ab662144d35b93d6fbe030da4ecedcd31a8614b33f7427ed1c18863cef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
ae523e831b6428a220d5011af128c70d

SHA1
92a84e3f4fce75cb09476983c4ed3a7209489d85

SHA256
2024a6f990911b51742c7387b7e036848002960f1b89e86dd3e402b83e742e53

SHA512
12a288c424be036532f569cad6429a0aeb00405491f33e6dae5d8e62a152223baf45e6e2b56a82ed24b1bd73ed623384753bd9deb7b4c3b3a8d31b94e8408bef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2

Filesize
1.0MB

MD5
52bb6b1a8d9db924fcb2ddb45668fa72

SHA1
12996023e66ef0ae44d4e8a36c5d6f1ec78a85e8

SHA256
ae324698ce5ffcd56026f3de4c29ed754e9706f1ae1029a0409b4a3998128b52

SHA512
944d29fee61a718410e5a45bb55008dd2a7b9107380def625768c849b31c325c9592795c53b7d5818e883c791d7c6e271c1691ae0805c557ab9f1d0c2f9c36f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_3

Filesize
4.0MB

MD5
cfa172a650b84b3abdbcc47097ea7b57

SHA1
5b45943b506c37225942826c102fcca6bb743847

SHA256
74581baa80a130006b3dd5628aa4845b20089bb80a5c5710c459e2708c95b038

SHA512
fd8626ec91e0b48a17bfe1bbf51ff8419717f631109ea2ca39b908dbc06d7628b4ff5d861bee7bc2070685c59a63c9c3759db1cb589299a0cf430a7d3b5dabfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
87295cc2c807ea1d23efbdbbd3a6629e

SHA1
339c85097b517bd1b7d9a3759fda477603f71537

SHA256
4cd85f21cea4a47e9a7b8596df980a8fc417be7c5aff21e1a2392697947defa0

SHA512
b2e00e74317557a08007c13d1ef3431074fdbcf8444f3e6745866799037f54861cabdf1470179a76ba1a8fddaa77edd1a5fc929995310e39b40f45e6a57e78c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG

Filesize
333B

MD5
eab0c4d19e786d8d1b00873444292dc0

SHA1
b034d43ff55a8aea609a463c1603daf8a2bc1f75

SHA256
7cc975b55a806c00bf1eed9ae0930d57eed0a8672c9652e4a27e6bc4f6db3e88

SHA512
4ab4b6aa45adf3108b523d2c9aa066a4d20962524bfef1900649c4facef2717b36185628c657b1ee9899f996698a8e6f469871fe2aaa1b9419b4b593b7346d0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

Filesize
308B

MD5
4e7982b86b3d7d916b7722aa3b3f0669

SHA1
ce4e874903cb71d9012cc7654ca7a6ba5e4f7efd

SHA256
cbee1100a2c9add47776b7e416b58a809f6feb9fe458bef8185b0c176b5db340

SHA512
c4dda8b36e90a327061dab901730f47fc23cca129b02a157f1ed0c566a1d6dddf272a4e74d3acbf14eb3a7fac0820387a584db9e19ca299724ed7f3030f891bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
317B

MD5
105b0b5aded2f59abed16ca63b22806a

SHA1
511ecf3a1c8bdc1b3ad25c8739e1e1b579490edf

SHA256
0a672abd3c8d3fbf271263d1b579454c49583f21f0cb170daf180b1192e317f0

SHA512
50163c2e092b6ad09bd0ce06fb7ee778bf4c91261a0e6e42d7fd1a6a40e63cb5c671d2c4562033944ed86a5b9074221e49228ff6e231559f18eb3b56fec3c99e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13383691071837098

Filesize
2KB

MD5
ce661507b43158e43aa13712f5503f67

SHA1
a2e0d31a43b862e732c97067a7b6364c1e8af69b

SHA256
e5d2b23b3eeb1f484ee5772548e500e6aa6d3da490f991835f61bc75c51cee0c

SHA512
867167202e302049ad89eb0f382b12060f4179e685a9c501fd196c4531c335ddddd46f1f234c70303c1e7a6f42dd04ba10ddfde61193588d93ac72fe1c2b625e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
167db858f0a83769151e104aa6a7c3ed

SHA1
77efa67ea2445e70ab31ecbf2216229ab618e2e2

SHA256
3af01db618a0ba47184dd4aa811839dbe5ae01faaccebcf0e093103cb7894a2b

SHA512
5f30a7fa3966c03d52a083c1fe663a577bc07cd069a3c59697d706f91a4e686f89f5335e2893de98d1f6d907d032f024758c37671fe1ab33d052c83226f174e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
fac3e21ea7351ec5e33c1048f6dbf896

SHA1
7cda3d2e9f110e4a5d296c15fe8854a6e8d9799c

SHA256
ab93590eb36fa00b2e43c1fbaca9a374e275c898cab00f336367f9bb5cc06fe3

SHA512
bfac4991698a7ac6bf30b69bc60ff1bc441ba4e987d64e6a0b6cadf23f922d25b3c5e521da6297ee82e6949a8bc1d4f2650d3ae4fee308463f4f8201b2ce0270

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager-journal

Filesize
8KB

MD5
31bf89ee1eca7b23082cebd49a0bcc3e

SHA1
0c3d6a967e25b855f93473003dc33167b50c4650

SHA256
d15930e5e8659fdf30e226b3f975105d16a86233e5afa26cf832efb7c5c2535a

SHA512
7914c4d764fab92979d05630684c17722536b8aa4074a55d141c98545345cb7acaae7a68993efb9f70e7f35461c4be70f8818d987a8ffc1121cabf7db2a651a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

Filesize
14KB

MD5
07896502398fc4cc28713d74e6f83f1e

SHA1
96adfbc11525cbfb3e620b9cc52d89e815d38235

SHA256
819479f0406c28ed8e293e4f2ad9d8c9bd1145308a6c1ed54b7da21b6c4b9e73

SHA512
ac0f058e2dcd1af23d7082e7257ff9c4081700a23ed15076518b845dc9d9d67860f3cf5237fc2ec8299b6c49c5e7a1f8419273ab6bb94eee95b6e2af5005a250

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
320B

MD5
1baa3edb77efb86423d762d6b4c24667

SHA1
b5407b362b339a5b9dc82105b13a12fb2400646a

SHA256
7bd9ed9fdba17d8f0a9325b4aaf40888e2bc1a61d34802d0b1b891c3cdbd1476

SHA512
3ba6a68240f8d1e65b2d90dfd2e4f09d27e5df80b0165359f74370efd4903554c744c6a610b99f2fbc4ee2be5880567e75362638cfcc645fb1573f8f3f6ab74d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
1KB

MD5
a6c30aebba22b46c9d2874543ae1f02b

SHA1
5572afb71e4ea1621df676f83f52f3e3a2c3c4b0

SHA256
ab9fa9c082866f9c0f726da01f749770879af2d6f634fb0b69671aa097c7111d

SHA512
ad4ab18300033378d824e3c884cb5e4ca9e2970e498d34ebfedcf7f2c9d17656cd0e11ea82b34a26382b70d0c2ddc220b4e64c568795d82e5044d5dcec025349

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
335B

MD5
532676f95e08801b00d6575574e376d4

SHA1
a140337781b59380bf32193bdb3034889c02a9c2

SHA256
be3ce6995f805a39a29006d6027e5122621e07c8ba363dc97dcae4c4ca2dd7cf

SHA512
1908c79ee7c5d4f20687fd2cc5484f6d46425aee4a08e5c575cc81a703d2910f80746bafc79775ad324200185c379d3ea330a0cc37b4e16c95a7d39fe95011f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
8686d64a5c1d9cb17b70b46828eef7da

SHA1
c225d5236a98a7dbd416bed91ff44f8e6c2054f1

SHA256
ca3937d4899557a21915daa646115abb602b4a9043074408a69bb0c381532606

SHA512
a5dff5f52b6f11f611e90da00436d83b40ff95d38b6e81a342a1920e4dc899dd9de615a2661caafac396b2f6b879ed7da5ca1e5618687349a18e7b9b69838296

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
7c18781a61b312430c273797c60a2a38

SHA1
5580272d97532fa1ceab72d548ff21eb29bfb657

SHA256
1cc7e297c3c4977b4e4f03c1b450825b07cb72aabe6991ad2fd67d93163541b3

SHA512
b18b4c234a4f96e2e64b065ec7847c32740c60cf72da7dd2413d737ff6c5abad8893dfee22fe656f09d64f0c73325599253214d5531a2684bbb705025433fded

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
4.0MB

MD5
1c7fc78ee3296a925bdd683de26c4cd3

SHA1
9a5a7cccaa47a0e7dfe4154f72a050d5edd0f754

SHA256
44b7e64315ee54a6786bd257d080b752961fb131757b84678b5c5c26c48c3852

SHA512
3596a48e04af43bd59b6b80581df6032b84d351d3eaa2d2461c21d67fd5bb455246b8d517144e7bf4b1e4966dcd43bb44aa852dfd0e311d63bdd0b20cb19b74b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
ef48733031b712ca7027624fff3ab208

SHA1
da4f3812e6afc4b90d2185f4709dfbb6b47714fa

SHA256
c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

SHA512
ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1fd24ec79892c54c63d3ead89a6b2433

SHA1
b98fada90485b7b021f1851815ac5b95eb8127d1

SHA256
f6ef45061bfcf9de410b6274a541078ec8bc32b16bca958718aea2c9e998c6b8

SHA512
d99ffa389633a25d1acc7d99adbecaa3211888759fcb44084aa6cb290fa71000c341d853cf3588e2e9e82b5c404fb916baa19450943d18495f0eae9ad8041bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iaiap33f.aaa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\data-Setup\data\extract_and_run.bat

Filesize
952B

MD5
fae61599308bbc78cae99ebdcb666f43

SHA1
de0a1d2344b09b29b1040bd4904f604a47a6d8c6

SHA256
f65af4a3d9d7f4464de4f7c136122f548c3b662a389e569d842be7e3a60d7863

SHA512
8e3d8d8ed97e65acd719d60624fa5c5506696e6fbbad5b0466748cccc24832e130bdf584fe0ce55f14628c68ca0a602310f7cb964cd38cf56735a6c64e4ddbf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\data-Setup\data\extracted_5913\script.ps1

Filesize
2KB

MD5
d11c3a63c5ba659b5fe7b5534cb03df5

SHA1
d08b1e6af9e5c66454236e5ba64e4c3659db4c47

SHA256
02fba22cf32e907760e64c7e4bc4803e2b5395a7eef2091f3f0c9c103aaa3187

SHA512
a62a807f7ec5ca51ae392f10b68f3b6a326ae596ee2fdd4da662e58662142d5842d8e8abf1f7a84aba85ef2b067803733301b769024ae8c7bc3ce625c485b4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\data-Setup\data\extracted_5913\sss.bat

Filesize
405B

MD5
9ca3883fd45a5a455e64704ac6151ac9

SHA1
e7f89032ce544253a51020d7e894f6919fc35839

SHA256
c981688479756c987d6207e5804ed2b97fb50dfc80469309646c3f79d5ed05b4

SHA512
e5746faaae0680f68295db94f3865a7ec56663553d7401f996cce18bdc67ade23aef10c81018da28992e82a8178dc8a567b5b355479c7ceedfb87e46be9efa5a

Download Submit
C:\Users\Admin\AppData\Roaming\8E6SWRF0.exe

Filesize
200KB

MD5
00affd80e21068e56ae72712509f7a98

SHA1
ca6af85f9f2a735f258e1a43043a4b54cdffa9df

SHA256
a03ce36025010929a9cc0d286ed02100d259ffc7693beb3623ea7007dce4802c

SHA512
07c3f0336e4a6d85bc7c14f1fcba924e45e077f0ada157fa17c4b989fced5d1ac59054c7e90729e63ce3d4f0de7e280a35776c614f681609714418d9a847b7d6

Download Submit
C:\Users\Admin\AppData\Roaming\V3NDCB5J.exe

Filesize
11.8MB

MD5
eca54760f1e96a78e3f6bc537debc6bc

SHA1
82ef61482d781849a80f9f9cff67e2f76ffb7035

SHA256
b9b69e4088f61ce32506078d301f9cfc7db064945d6e608724e213aab5852db5

SHA512
f70749a89d7d66c2089981fc161db8c88cdf4a3ff6ae6df18b2c6f30b351ad9dd33e527ebea0052db2b60896f7caa44ca2edafa9381db689867d2f9806e36944

Download Submit
memory/2360-72-0x00007FFDC9F90000-0x00007FFDC9F92000-memory.dmp

Filesize
8KB

Download
memory/2360-73-0x00007FF6A8470000-0x00007FF6A974D000-memory.dmp

Filesize
18.9MB

Download
memory/2684-44-0x0000000005E60000-0x0000000006406000-memory.dmp

Filesize
5.6MB

Download
memory/2684-43-0x0000000000E40000-0x0000000000E76000-memory.dmp

Filesize
216KB

Download
memory/2928-78-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2928-70-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2928-199-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2928-53-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2928-178-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2928-171-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2928-77-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2928-79-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3228-76-0x00007FF6A8470000-0x00007FF6A974E000-memory.dmp

Filesize
18.9MB

Download
memory/3376-51-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3376-46-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3376-197-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3376-193-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3376-115-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3376-116-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3376-154-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3376-138-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4688-22-0x00007FFDA8A00000-0x00007FFDA94C2000-memory.dmp

Filesize
10.8MB

Download
memory/4688-17-0x000001EB36230000-0x000001EB36252000-memory.dmp

Filesize
136KB

Download
memory/4688-8-0x00007FFDA8A03000-0x00007FFDA8A05000-memory.dmp

Filesize
8KB

Download
memory/4688-21-0x00007FFDA8A00000-0x00007FFDA94C2000-memory.dmp

Filesize
10.8MB

Download
memory/4688-18-0x00007FFDA8A00000-0x00007FFDA94C2000-memory.dmp

Filesize
10.8MB

Download
memory/4688-20-0x00007FFDA8A00000-0x00007FFDA94C2000-memory.dmp

Filesize
10.8MB

Download
memory/4688-69-0x00007FFDA8A00000-0x00007FFDA94C2000-memory.dmp

Filesize
10.8MB

Download