guloader | 2f423571a318924318504db10008bc4cc48afd550c59caf89b40a04c94a890f7

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rpayment.scr.exe
Size

701KB
MD5

e7bbeae6c391accd957b6475dd5f0e63
SHA1

9460741f8eaff856a8163ad5a22c68dd24a0595e
SHA256

2f423571a318924318504db10008bc4cc48afd550c59caf89b40a04c94a890f7
SHA512

83feec2439997a2b9f7a2ae67966d7ab831d8eb9d8d8836746223b05c73e45e48cce3fc5d6ba420907e3c279ae2916d734b366829404786936cb93bc567f18d8
SSDEEP

12288:LR3BUIa3RVtFRe5L7lwvIuBUz3D46l0xFXc3gIwEL:V3GIQHY5vlI7Mnl0Pg73L

Score

10^/10

guloader remcos host-2 collection credential_access discovery downloader rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

Host-2

176.65.142.14:6060

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-HM3EZ8
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 4 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4556-54-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft
behavioral2/memory/4556-56-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft
behavioral2/memory/3652-66-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3332-63-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3332-63-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4556-54-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView
behavioral2/memory/4556-56-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView

Uses browser remote debugging 2 TTPs 19 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
4656	Chrome.exe
380	Chrome.exe
5488	Chrome.exe
6116	msedge.exe
3532	Chrome.exe
2496	Chrome.exe
5412	msedge.exe
4016	msedge.exe
6028	msedge.exe
1556	Chrome.exe
4552	Chrome.exe
4784	Chrome.exe
3152	Chrome.exe
1668	Chrome.exe
6136	msedge.exe
6124	msedge.exe
4164	Chrome.exe
3660	Chrome.exe
5100	msedge.exe

Loads dropped DLL 2 IoCs

pid	Process
3456	rpayment.scr.exe
3456	rpayment.scr.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	recover.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
28	drive.google.com
27	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
408	rpayment.scr.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3456	rpayment.scr.exe
408	rpayment.scr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 408 set thread context of 4556	408	rpayment.scr.exe	102
PID 408 set thread context of 3332	408	rpayment.scr.exe	105
PID 408 set thread context of 3652	408	rpayment.scr.exe	107

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\crepe\satanerne.ini	rpayment.scr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rpayment.scr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rpayment.scr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recover.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	Chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876064996197484"	Chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-805952410-2104024357-1716932545-1000\{F89E166F-D096-4662-B352-7CC97BA0F2E1}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
408	rpayment.scr.exe
408	rpayment.scr.exe
4556	recover.exe
4556	recover.exe
3652	recover.exe
3652	recover.exe
4656	Chrome.exe
4656	Chrome.exe
4556	recover.exe
4556	recover.exe
408	rpayment.scr.exe
408	rpayment.scr.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
3456	rpayment.scr.exe
408	rpayment.scr.exe
408	rpayment.scr.exe
408	rpayment.scr.exe
408	rpayment.scr.exe
408	rpayment.scr.exe
408	rpayment.scr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5412	msedge.exe
5412	msedge.exe
5412	msedge.exe
5412	msedge.exe
5412	msedge.exe
5412	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3652	recover.exe
Token: SeShutdownPrivilege	4656	Chrome.exe
Token: SeCreatePagefilePrivilege	4656	Chrome.exe
Token: SeShutdownPrivilege	4656	Chrome.exe
Token: SeCreatePagefilePrivilege	4656	Chrome.exe
Token: SeShutdownPrivilege	4656	Chrome.exe
Token: SeCreatePagefilePrivilege	4656	Chrome.exe
Token: SeShutdownPrivilege	4656	Chrome.exe
Token: SeCreatePagefilePrivilege	4656	Chrome.exe
Token: SeShutdownPrivilege	4656	Chrome.exe
Token: SeCreatePagefilePrivilege	4656	Chrome.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
408	rpayment.scr.exe
4656	Chrome.exe
4656	Chrome.exe
5412	msedge.exe
5412	msedge.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
408	rpayment.scr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 408	3456	rpayment.scr.exe	92
PID 3456 wrote to memory of 408	3456	rpayment.scr.exe	92
PID 3456 wrote to memory of 408	3456	rpayment.scr.exe	92
PID 3456 wrote to memory of 408	3456	rpayment.scr.exe	92
PID 4656 wrote to memory of 2024	4656	Chrome.exe	101
PID 4656 wrote to memory of 2024	4656	Chrome.exe	101
PID 408 wrote to memory of 4556	408	rpayment.scr.exe	102
PID 408 wrote to memory of 4556	408	rpayment.scr.exe	102
PID 408 wrote to memory of 4556	408	rpayment.scr.exe	102
PID 408 wrote to memory of 4556	408	rpayment.scr.exe	102
PID 408 wrote to memory of 2604	408	rpayment.scr.exe	103
PID 408 wrote to memory of 2604	408	rpayment.scr.exe	103
PID 408 wrote to memory of 2604	408	rpayment.scr.exe	103
PID 408 wrote to memory of 3972	408	rpayment.scr.exe	104
PID 408 wrote to memory of 3972	408	rpayment.scr.exe	104
PID 408 wrote to memory of 3972	408	rpayment.scr.exe	104
PID 408 wrote to memory of 3332	408	rpayment.scr.exe	105
PID 408 wrote to memory of 3332	408	rpayment.scr.exe	105
PID 408 wrote to memory of 3332	408	rpayment.scr.exe	105
PID 408 wrote to memory of 3332	408	rpayment.scr.exe	105
PID 408 wrote to memory of 1108	408	rpayment.scr.exe	106
PID 408 wrote to memory of 1108	408	rpayment.scr.exe	106
PID 408 wrote to memory of 1108	408	rpayment.scr.exe	106
PID 408 wrote to memory of 3652	408	rpayment.scr.exe	107
PID 408 wrote to memory of 3652	408	rpayment.scr.exe	107
PID 408 wrote to memory of 3652	408	rpayment.scr.exe	107
PID 408 wrote to memory of 3652	408	rpayment.scr.exe	107
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 3936	4656	Chrome.exe	109
PID 4656 wrote to memory of 3936	4656	Chrome.exe	109
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 1976	4656	Chrome.exe	108
PID 4656 wrote to memory of 220	4656	Chrome.exe	110
PID 4656 wrote to memory of 220	4656	Chrome.exe	110
PID 4656 wrote to memory of 220	4656	Chrome.exe	110
PID 4656 wrote to memory of 220	4656	Chrome.exe	110
PID 4656 wrote to memory of 220	4656	Chrome.exe	110

C:\Users\Admin\AppData\Local\Temp\rpayment.scr.exe
"C:\Users\Admin\AppData\Local\Temp\rpayment.scr.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Users\Admin\AppData\Local\Temp\rpayment.scr.exe
  "C:\Users\Admin\AppData\Local\Temp\rpayment.scr.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Program Files\Google\Chrome\Application\Chrome.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffc1533dcf8,0x7ffc1533dd04,0x7ffc1533dd10
      4⤵
      PID:2024
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1928,i,7878785708906136486,8644333414653374600,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2040 /prefetch:2
      4⤵
      PID:1976
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --field-trial-handle=2088,i,7878785708906136486,8644333414653374600,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2084 /prefetch:3
      4⤵
      PID:3936
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --field-trial-handle=2496,i,7878785708906136486,8644333414653374600,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2492 /prefetch:8
      4⤵
      PID:220
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,7878785708906136486,8644333414653374600,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3172 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1556
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3216,i,7878785708906136486,8644333414653374600,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3212 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3532
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --field-trial-handle=4808,i,7878785708906136486,8644333414653374600,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4804 /prefetch:8
      4⤵
      PID:5048
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --field-trial-handle=4840,i,7878785708906136486,8644333414653374600,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4836 /prefetch:8
      4⤵
      PID:3800
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5028,i,7878785708906136486,8644333414653374600,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5024 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4552
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5056,i,7878785708906136486,8644333414653374600,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5052 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4164
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5508,i,7878785708906136486,8644333414653374600,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5504 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4784
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4300,i,7878785708906136486,8644333414653374600,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5304 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3152
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --field-trial-handle=4164,i,7878785708906136486,8644333414653374600,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4912 /prefetch:8
      4⤵
      PID:2240
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4328,i,7878785708906136486,8644333414653374600,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3464 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3660
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --field-trial-handle=3440,i,7878785708906136486,8644333414653374600,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5148 /prefetch:8
      4⤵
      PID:4260
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5300,i,7878785708906136486,8644333414653374600,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4860 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2496
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --field-trial-handle=5048,i,7878785708906136486,8644333414653374600,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3180 /prefetch:8
      4⤵
      PID:1100
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3172,i,7878785708906136486,8644333414653374600,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3476 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:380
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5280,i,7878785708906136486,8644333414653374600,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5724 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1668
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --field-trial-handle=5492,i,7878785708906136486,8644333414653374600,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5236 /prefetch:8
      4⤵
      PID:2508
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5688,i,7878785708906136486,8644333414653374600,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5692 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:5488
- - C:\Windows\SysWOW64\recover.exe
    C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\eqdmqraan"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4556
- - C:\Windows\SysWOW64\recover.exe
    C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\hsjfqjlcbjpsk"
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\recover.exe
    C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\hsjfqjlcbjpsk"
    3⤵
    PID:3972
- - C:\Windows\SysWOW64\recover.exe
    C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\hsjfqjlcbjpsk"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:3332
- - C:\Windows\SysWOW64\recover.exe
    C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\rmoqrcvvprhfnqgg"
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\recover.exe
    C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\rmoqrcvvprhfnqgg"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:5412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x25c,0x260,0x264,0x258,0x284,0x7ffc0610f208,0x7ffc0610f214,0x7ffc0610f220
      4⤵
      PID:5448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=2212,i,17798758300453250115,5469054746895554710,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:3
      4⤵
      PID:5804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2180,i,17798758300453250115,5469054746895554710,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2172 /prefetch:2
      4⤵
      PID:5776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=2584,i,17798758300453250115,5469054746895554710,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2580 /prefetch:8
      4⤵
      PID:5648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --instant-process --remote-debugging-port=9222 --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3532,i,17798758300453250115,5469054746895554710,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:6028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --extension-process --renderer-sub-type=extension --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4092,i,17798758300453250115,5469054746895554710,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:6116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --remote-debugging-port=9222 --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4112,i,17798758300453250115,5469054746895554710,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:6124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --extension-process --renderer-sub-type=extension --remote-debugging-port=9222 --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=4240,i,17798758300453250115,5469054746895554710,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4372 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:6136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=5156,i,17798758300453250115,5469054746895554710,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5192 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --remote-debugging-port=9222 --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=5180,i,17798758300453250115,5469054746895554710,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5248 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=5504,i,17798758300453250115,5469054746895554710,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:8
      4⤵
      PID:872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=5456,i,17798758300453250115,5469054746895554710,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5236 /prefetch:8
      4⤵
      PID:5544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=5656,i,17798758300453250115,5469054746895554710,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5640 /prefetch:8
      4⤵
      PID:1532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=5624,i,17798758300453250115,5469054746895554710,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4576 /prefetch:8
      4⤵
      PID:3604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=6096,i,17798758300453250115,5469054746895554710,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=6092 /prefetch:8
      4⤵
      PID:3180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=6096,i,17798758300453250115,5469054746895554710,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=6092 /prefetch:8
      4⤵
      PID:4652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=6212,i,17798758300453250115,5469054746895554710,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=6216 /prefetch:8
      4⤵
      PID:5436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=6360,i,17798758300453250115,5469054746895554710,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=6352 /prefetch:8
      4⤵
      PID:5688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=6356,i,17798758300453250115,5469054746895554710,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=6368 /prefetch:8
      4⤵
      PID:5692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=6248,i,17798758300453250115,5469054746895554710,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=6264 /prefetch:8
      4⤵
      PID:5180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=6620,i,17798758300453250115,5469054746895554710,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=6616 /prefetch:8
      4⤵
      PID:3324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=6788,i,17798758300453250115,5469054746895554710,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=6784 /prefetch:8
      4⤵
      PID:1104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=6944,i,17798758300453250115,5469054746895554710,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=6772 /prefetch:8
      4⤵
      PID:4508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=6960,i,17798758300453250115,5469054746895554710,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=7068 /prefetch:8
      4⤵
      PID:5000

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
7db59d1f3926880c0439cbcab16737b4

SHA1
915f8ef1e1833eb262baebb1e09df3580a169138

SHA256
03a8a66decd9508880cac7c3eaccf0b025406951126c72ea95e8c83a17b1c187

SHA512
7703e472e55a123a6f398eeeb4943e84b4d305a5990199ac68d956fefad52173de9c558a6de617a993bae67f3d333ddf80f5bd9a7264f7b12342dedbda4d0611

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fd0faf1-2543-4dbd-a80a-063a81bb0441.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
b0366599d64b0fc1adb2a712dcd02ee1

SHA1
b7a1c09ccd2846664cab5f76bd80b8e9f107acb0

SHA256
ae1bddb9e2cc97b0c9cd78ef3cd17553be6e5204677bd67e0b8f7fa27007f189

SHA512
d7de6d48285018f8b709c81ca01688126db7893ce9f48829524ee3122aa6f2200c7f78186b5a558d0b1ecf8157ee78a20064b63b45ab89f7aa0835b8409435d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
8aa8ef679b5149f7d91774142ea2523d

SHA1
f114dda4f5e20eb1f3bcec7dc72591ea73dc3b4d

SHA256
ce78b193e005679049b18966582b950f529b0e7b6db323414c84a22f0b354a56

SHA512
eb2dfbc333df9569fe5fb31128e9995c041fbe98eb86f4f43cdcfc5c7c3715dcee4fc9ace444a036a45baa89169d12648dca9df99052b7403f9dd55cb9b364e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
280B

MD5
4d2ca91179622e57049b9d02d0457bf4

SHA1
58d4286abde71f126a204fa0a5d176795e1cb030

SHA256
2ff99ace01884940e8590b5f2a053f41dc68d6315c4eccd3be1d0cb1659250e2

SHA512
5bacdad0ac8708f9b7f6483d1cd0799eed362e9ff3daac603db8916c8b19f5cba4d59c16f01ca9c3a3371f5ee10acc731c7daef6cc0fded266bccdd670138da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
280B

MD5
0b9d965e1c0ae1d5978dfef2b9eb18fd

SHA1
065291b82e80902aff011faf9c230081efe8796d

SHA256
7b95e9622a653489d769678cdd3136339ce9fc83a60a5bdbdbbc162ef1e62ce4

SHA512
9dcdac0af0475d47f9ae6b422d060aeecdaa3ce147b7c27537112d5232b9b76bca6e073b32207ed965c9737ca7208daa8a77b0c3442fb3821ea6dbb575475614

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
280B

MD5
2f54e7caa7dae7a20712a72083d035d5

SHA1
153012dc573c9b7d61349af2dd738bc6ca80438f

SHA256
db7d39feca2c725ffff55995153a95df710be444efcb3f2244036304c346d5ca

SHA512
f6f89faede50730b3749a4d585fc2a716e4a099c581479b257e72ae388cf1be5e5e51b8a4ea532f6b2755df586f1af54fbffd0c461556534ce2bbed3c87ca94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\25fbb8f5-63a6-4f25-b4e5-097dd197e0c9.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
a675eec42d7b5101baae3fd440b2e082

SHA1
9b15bf20f704502a8b13a22023a3cd986c29b510

SHA256
015b56a264efe2f133e279550f254daef93553d545cfae08da681139be54b9e8

SHA512
37d998ac04ebf6b11b402ab88b20832df2a735fcfa452f75b039b1fcdf865b649a1fd8da717e2280803b45976b47c2dfc7a9e840f2f1d3081821a1240e487dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\index

Filesize
256KB

MD5
b9652854ea4905c2326286e5cac58e9d

SHA1
4fd16725232cbff992b75fa21953dd965f15c159

SHA256
6d2a15844dd8d38f4c98f3c0e2bbc8e76dc7a694d73e392162266e2bf2ce4229

SHA512
7a7863964dd047023750cad1fb5ef27d8455712afe7d4ba8d821638cde3a6e852cba863a8347df6f705d8278d78216116ed44339e431c00a4186cf80545db8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
009f074040d7caa5041cb62a739d2cd6

SHA1
09ff2ab70730776fc65d6422c7a3b12817ca2333

SHA256
a8420c2a314e009e12fba4a7c7605cdd2ffeec1614ed3c38021598145c2ca357

SHA512
1a103541aa0fd81b02a6caa6558dd8e2b6d588558c026eb1ec8814edf003cca59bea210ba39468267666c2786e74a0ff656a45b75c06bd2805e7a56ff17d3a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\DawnWebGPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_1\_locales\en_US\messages.json

Filesize
1KB

MD5
578215fbb8c12cb7e6cd73fbd16ec994

SHA1
9471d71fa6d82ce1863b74e24237ad4fd9477187

SHA256
102b586b197ea7d6edfeb874b97f95b05d229ea6a92780ea8544c4ff1e6bc5b1

SHA512
e698b1a6a6ed6963182f7d25ac12c6de06c45d14499ddc91e81bdb35474e7ec9071cfebd869b7d129cb2cd127bc1442c75e408e21eb8e5e6906a607a3982b212

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_1\manifest.json

Filesize
2KB

MD5
1048f1f4d861f5c812e5bc268eb68a06

SHA1
4c9495a3202f63fd0878086f27310db6d3bf5be9

SHA256
8b3b5b96a5d6d7c613052b4a751c6632f5f91cb0a912c96e515978999b6f43f5

SHA512
158ca9fc4e59568c8d04b8f6ad16fd8216ee10d8869ce1e2dec844e52d3d3b19bd98433665fa003552e8896a2691531141ee11fef212d8d66283d7002ece8c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
5fe946b50f50671b58e01acd3f32c154

SHA1
4f0922a90dfba2e200c6b83985388037d8b7fe5c

SHA256
0e5d2a19290aaf2999d750b286a6ac33ae17d58bf2463a64af094a3c164813c4

SHA512
dc7eca1c60f70abfde8ea4dfdf08373d8889eeb2d93280de1a34d69593047d1967ef3bbc0aea9fce6ab0cde7eb8d0435e357ba173d9d8c86c9ce54448b2666b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
a156bfab7f06800d5287d4616d6f8733

SHA1
8f365ec4db582dc519774dcbbfcc8001dd37b512

SHA256
e87b3d155c7582d4c1d889308b58f84e8fe90a1581014b21b785d6694bd156cc

SHA512
6c8eeab3ae6fb0d5be7758cca521665b216f31aed1aeeeaf121c99dc9f0192b385de0da36e94f90dd4a9bbbac6be2c5a55d2f284a24ccb7dec2c5302fb9b027c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Network Persistent State

Filesize
885B

MD5
ae954acdff6bcb13db500c4ea45e2cb4

SHA1
688b2247c5725ef0620742bc97e25e4c10722943

SHA256
dc2da3a034b597cd7aabbee8e1f66b5a69dc848b3c2df1d837bf0f3e18f10499

SHA512
81540af966aceb03f3652894ff2bda1bd2ac2d8b1ee95494ffb3d8a172a4f2d8aabf829f60c6dd1c394eb23c5c5caca791de9c66571478dda02593638b3bee4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Network Persistent State

Filesize
1KB

MD5
d51a8e2dd8f89995afddbdbb08dc6131

SHA1
40e6d9325584940b5cbaf839d15dac99dad9a2da

SHA256
d6023f64dcace2a64865da6659fca172fb9054221dc371de57801e13dd34d4c0

SHA512
6523426e4149ae5148104de006d10ecd29b93541467d4eacbb35ecc1e21e7e4e6db0a63fb281e279084a65a7f4f50e53159a5a850e70b019084ab89f1048eac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Reporting and NEL

Filesize
36KB

MD5
fa739570350b78ef09e5d8ca61d0d71f

SHA1
d4e932ca96e76aeb84d3a151d847658df6a5555e

SHA256
951ea521116baf347ce89b628eabc22479fb8e3edfb7597659db2174fbb59804

SHA512
8dc44c2f20c0a051568e7479e4553dbbf8ad4ee6b4d5474d8493c4b957f563f858918d862621ff7ccb190be693877dfb0a1245998925f47f9976d431a007ac86

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Trust Tokens

Filesize
36KB

MD5
4203aba60fd9de5b4232fc624db3f817

SHA1
1f07dfc552d6b509c83c36cb05986007ce29e250

SHA256
19e1e0d60dc0a70455014fec98b5e4b73e93a80651600368745ab0d4a49c9529

SHA512
6240f8ef505e093f0ea99306adfa90969b3de094cde08b61076bd2c737763c0815108f532ec17e766fe15f9b1bcb9d82096f799ef04d50c3ce2305d8247bfeb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
7KB

MD5
dd7298e31029dbe2c60879ef568ad5d2

SHA1
d2affe0710857610b285d130cb6d0068b05724c4

SHA256
dfcc0b49a08bc920462aefdc0233bd9529767ea0ae14b872a96e8f80fc142e71

SHA512
51c6cba43b37b33c4079b6aee3c76ede4a58e767b673d8c4901c46fbc64f5d64e9f6c449ac0e5f26a67ace57fd8dc8a7b2fd7fe9d26b5eb067d0b2e68304d677

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
11KB

MD5
a77e0969179f890b74783769e2b272c5

SHA1
9c8797df02f1ff22905b27ccc30762fafd734ec8

SHA256
b191b3cc6b9da3b24eb36a5359c215750781a7c78ed4756be0e5e7588bc300dc

SHA512
db0585c821bc66e65133d8de1912cbe5313cc1d3bc870ed58d3a10f36c4b51e030a3d25313cfcd921b4c1ef28e63f6b7437202b24e212ec02679955aa1328f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
fd30e951ea171f3fa9bc81ed8bf99239

SHA1
4c0feba53143d25e0fc1bf00ddb392d2d9e778a0

SHA256
6866568eb67d4d996d510694b38d20e665f5a7e266ec05b40224914dc3e36878

SHA512
7b4a758c95b4a903a2b889ed08ec54cae62e39cde2b59dddda0f49c04e6e5e94cd5622b98ba85fa6618cfd36ac0f835ec7ae671f986b97032457612b9994da5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
76a56e81c523da5a8421dd15db91f5e7

SHA1
400c0bab89897a0a41c15901c56e89c27accfba6

SHA256
af47cc101b21fe0c9652d37f9feed3dad039deb23d8e7151c11e1bd06d65625d

SHA512
4bb5ea0f2f1dd5ea83a16f6cd69c99d327fd8fc03794a761d9c345d76d12be6b9e460185f5107f03aea10d514d481793662a597920fce0c33fe7aeac5ab20a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
24KB

MD5
f5ca6051ccf232afb19f13db9c84bcf7

SHA1
98131d62a86e5ba61f6f1e7b464540912f90a218

SHA256
7bd642d77b996b0991e33f9daa336671007f4ea620c54ea14b48bb1c8e30803f

SHA512
08871a5fa22b24c8305425ce970488b6be6e64e39dddce8c2db2dce46edb82414527aa9814cd8f417040f1b201dd398cc69d3f43237fdeb6fe4f8b9fee28d8d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
32KB

MD5
a792c07c74516a3850348e16f22ad049

SHA1
254a785fb0d831e604c21921629f15faf2957856

SHA256
1fc10531f099e54da2b3f4d48cbfc43519040287e9b89d04d342dc5a5aae209b

SHA512
0f81537bed2dac52aefdd8ec1399ff12f41952a766a403fdec337d52f70537a69b902816e1cdcf9fea77de3ab90c0c1db375b9f48b8ef5709a09b5fdef9dd8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
96cced47ddd4dafd0174ceadd4e77544

SHA1
c93aec068299b953de4cc22d4c42b4ff8317e270

SHA256
382027322622a3ebc5975af0df41e8c8d369a994047d04c57fa5abfb35e19f56

SHA512
b3610df5d93b837e3090724cb87a21c03964238d3bebe4627bc972a0e0ad15ef3506dc3d75d6518265bceb38d65b84b5873adbbc4b0d1213e9dabb64da02f1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c97a.TMP

Filesize
48B

MD5
271c64ab6f8d757733adc56d5c8834c8

SHA1
afaa6c1a9cd587c873c7e65bf1355fcf09f8f6a6

SHA256
d93e5858302799c58ddbe5db4c3cc22074a7dccf7c5e702dd497ea7a921400cb

SHA512
ec0929f1a727767a00fd0fb6f8fa267337c2a0beb60022ed1331daef20ab0b136e96fd7d1e24b1d5ab6ca2512acc3284e0fd5c3b5fc02b86376862020c12a66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Shared Dictionary\cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Shared Dictionary\cache\index-dir\the-real-index

Filesize
48B

MD5
ca46ea3631db65e20eaa5fd09c080232

SHA1
2ce51aa80367c3811cfacd81649623aa6af82c15

SHA256
887e97d98b5991bb63183f00700181bf228f76a3af372953ac01c89831e0e9a0

SHA512
30d49a68b44f6b60ce22d922ece15bd2c63c830034c8275274c9227e54c06ef3b1405d603651ead7729b9e237f87ba7a44ac339d8d24086549451930cac63d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Shared Dictionary\db

Filesize
44KB

MD5
b581f0ff8f8aa3371ae47b48c95329e8

SHA1
4f588efadf3675f3526cbe762c50eb8e79d9f2e5

SHA256
f8e7cd835195e4eff7855d20676484ca75f7e7e4fe5b13164fc926b365e1dea0

SHA512
e0a79452acb39838afea8ce34e05c7e5cde68f2a786fe4423ddf2588fc6047339e8e4c3140d7e0447f938b2266f52b9ddbdcc0f40c495d833b47b3f27d7996de

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

Filesize
293B

MD5
6226f8345633c8c5c4cf9336da256666

SHA1
b1622375336157615714e6a983e839691debcb64

SHA256
6c1f0b01a797dbcf71db005f0b7ff67241368a0531f9578be522c27033387eeb

SHA512
19f796c6f9ddce5536ab4fa3b5969665a10cbe4608322c505e64930d516671ae545ef94ecb724e39b83bec737be1fe4286bb27113d2b820ca3783a8010d7d230

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

Filesize
267B

MD5
46432039bc7562c7079f6bba71d832bf

SHA1
a93d9f8fe95c6d3ac6ab22c96efb741282180c13

SHA256
a70f4a2ac2aab48bbc097e1f3f851431afc6d8df165859ebfc9e1d2cdecfc3fb

SHA512
095d7d1a9f8bc0df08652650321271e03d01969223d6a11fc09a7030cc055055b777a2083ee7215a7b63811d7b53f9800752ad007af95adf0308a76837fb5fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
668B

MD5
65bf6ec9e9e73401eeb529849b839885

SHA1
e98ce7efdbfe13299f915393bb728ef21424798b

SHA256
7a49bc31b11f2ee492ba323fd8c9e90420c75bd7e7f8ae60fbbc7d8183666da4

SHA512
ba7ebca80281f1b354bcf4ecef5357b4ac654fce4d1622fae8dc4f9c7221b216399875e51d208ceeb9ade0f1b088070881de3f40206f239b34f72a355d5a28e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
1KB

MD5
d8bb67576dd16bfd85427d1c63e96f8f

SHA1
600be5c57b96428d26e815c33a8d633c42630946

SHA256
7d186804772c68a6c763cd0a5182108a255bf2f512d2542cdecc0ebcfef3b78d

SHA512
43913059da7f746ebee5763708aee2cd5783c2bed6b84bce58b41b3b2654d6677bfc28684335e833b9b78296939e1a13fa6d947f4c31ca1e96a2e95a482f2860

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

Filesize
13B

MD5
3e45022839c8def44fd96e24f29a9f4b

SHA1
c798352b5a0860f8edfd5c1589cf6e5842c5c226

SHA256
01a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd

SHA512
2888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
80KB

MD5
7c003a268feca69da9075d9c8e5e7ba9

SHA1
3cd539e31b1f4fc907a9d7b298514b2c21baa802

SHA256
864756e6efe504d197645d3404512fe51e7346837bfecfd27a6d2120cbd18687

SHA512
89c8650c37dfd5da9671f0b38e9f0011050e3dd55cefd2eab46f5daf8b4a65315f4d1741d11104feeafb3a6ca0331dcf23b7a5dc6b1b534bd353948973a1904c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
6KB

MD5
e1600ab86995d3d0358f8730dde767d2

SHA1
79aa8edf8e65f20c62cd7ca083f83415c2a5c171

SHA256
3eae52e1a9ea9a921584024b4b5dd55682f135e4478e0f8afbf42754b216e416

SHA512
81516ca0269685796c4062fafc97e808f8de48078d64cc9f759c7127eace8a7bd3f98d78a41ac77efdf5801d9280e57e232eb6daa01876a5d2a732a3e2144c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
6KB

MD5
b6bc6da1e46a647c97e85f6363dccb6c

SHA1
75295fd9e8e607ae5cb0f89060e735391eb9cf04

SHA256
df13cac9470ba42ea5f72a3e6150b9fe2ea2c22b90c41c92871f159d26b34f09

SHA512
ecbb0706aadc77a399e5592f9a11ee7cf8487f236dfd5d1645173fa364a7e89c6e3dec121bca6f073743bdad551b3de58432c8c17d018bafa9496218db82c272

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
154KB

MD5
2b246159c4e902e6321bb47415a35808

SHA1
2b0a5ffbebc64d7528e97d57eeb549635a2c1823

SHA256
cd61ba96620907982d2ddac0180dc519fc98a7ae828e78759c9f00766a072d70

SHA512
5c3c33fe537852c0688324ddd0b6adb363440c96a95e009ecea6f5d236f20e2df0033e1bfe065c5701844327fcf032116330b4e2ba64dc418a24b63e99c0c050

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
28KB

MD5
f0a205cfd17313e4f6000c6fde276413

SHA1
97ca27c48fe6b04b0ab7fa22eb7cfce653fa1185

SHA256
9a1914b0bcadafb63e9cbbf7991d5eafbd360feb3606abca91bd187a670a3212

SHA512
7456964d1b0602e278562a3b566871003c37b3591f3488e8115591150a203a98e2e25124327a2e9bb73a399988817157265dcbee7c084b1fec9ff2cc38c8b040

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\ShaderCache\index

Filesize
256KB

MD5
ad561cdb80e01a616ad91dd90b553179

SHA1
af226853f876c2686a2f29e96c98e186eda428e8

SHA256
94153f5c0bfb1ece83055741bd8608ba8b277a9745596de96d558e79f5174c63

SHA512
3fc43cc9a673a46ecf330feac50b64a344dc8bf95fd72148c3e7433b9375df8074b64fee6fba21bedc30105ad7e8f64dc4a121e362e5670f5dc9c7d35b684dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Variations

Filesize
86B

MD5
f732dbed9289177d15e236d0f8f2ddd3

SHA1
53f822af51b014bc3d4b575865d9c3ef0e4debde

SHA256
2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93

SHA512
b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqdmqraan

Filesize
4KB

MD5
8226df3949710bda5349b90534411546

SHA1
8eef5cabad426156b3f4bde2eaaa779c83032b3b

SHA256
dc661613f5182f8455d7c8055753485245d3f7383083978c6192735e52cc6cd3

SHA512
bb3d8c60f9701e811a298e9a24f110a67bf2d8df70c9a77c18e0c33075dff321ba00dafb0852f4da444d5bbc2377ba94524e65cd47b75a2a8a1e550f18025e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6BDA.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4656_2046474091\a359ba16-d7ca-40a9-b85a-5e5456559fbe.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5412_245282034\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5412_245282034\CRX_INSTALL\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5412_245282034\CRX_INSTALL\_locales\en_US\messages.json

Filesize
1KB

MD5
64eaeb92cb15bf128429c2354ef22977

SHA1
45ec549acaa1fda7c664d3906835ced6295ee752

SHA256
4f70eca8e28541855a11ec7a4e6b3bc6dd16c672ff9b596ecfb7715bb3b5898c

SHA512
f63ee02159812146eee84c4eb2034edfc2858a287119cc34a8b38c309c1b98953e14ca1ca6304d6b32b715754b15ba1b3aa4b46976631b5944d50581b2f49def

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5412_245282034\CRX_INSTALL\manifest.json

Filesize
1KB

MD5
2a738ca67be8dd698c70974c9d4bb21b

SHA1
45a4086c876d276954ffce187af2ebe3dc667b5f

SHA256
b08d566a5705247ddc9abf5e970fc93034970b02cf4cb3d5ccc90e1a1f8c816e

SHA512
f72b9190f9f2b1acc52f7fbb920d48797a96e62dfc0659c418edbbc0299dccf1931f6c508b86c940b976016745b9877f88f2ee081d3e3d5dcdcc2cc7e7884492

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
410e2d9efc8b88d7e2bb3e1e699844bc

SHA1
b5e122d80e15478019cf7bd35bad68fc302eb3e6

SHA256
fbb2acc82ef27337e86c0d228e94f56d918296d2946c0617f0a1d4d292539ee3

SHA512
24846f405166edf7f4b35f16d3a303c1c4c418151fb75696aca62a8a52fec06565a05d03ac87fee550630072fabe9df0a39f1d18ba33047440e3ffee165f14f0

Download Submit
memory/408-48-0x0000000033370000-0x00000000333A4000-memory.dmp

Filesize
208KB

Download
memory/408-877-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/408-1545-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/408-1544-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/408-47-0x0000000033370000-0x00000000333A4000-memory.dmp

Filesize
208KB

Download
memory/408-1549-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/408-45-0x0000000033370000-0x00000000333A4000-memory.dmp

Filesize
208KB

Download
memory/408-42-0x00000000016E0000-0x0000000002879000-memory.dmp

Filesize
17.6MB

Download
memory/408-1550-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/408-1547-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/408-973-0x0000000033370000-0x00000000333A4000-memory.dmp

Filesize
208KB

Download
memory/408-41-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/408-1548-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/408-40-0x00000000775B1000-0x00000000776D1000-memory.dmp

Filesize
1.1MB

Download
memory/408-1546-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/408-35-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/408-159-0x0000000033A90000-0x0000000033AA9000-memory.dmp

Filesize
100KB

Download
memory/408-1539-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/408-25-0x0000000077655000-0x0000000077656000-memory.dmp

Filesize
4KB

Download
memory/408-39-0x00000000016E0000-0x0000000002879000-memory.dmp

Filesize
17.6MB

Download
memory/408-158-0x0000000033A90000-0x0000000033AA9000-memory.dmp

Filesize
100KB

Download
memory/408-155-0x0000000033A90000-0x0000000033AA9000-memory.dmp

Filesize
100KB

Download
memory/408-24-0x0000000077638000-0x0000000077639000-memory.dmp

Filesize
4KB

Download
memory/408-23-0x00000000016E0000-0x0000000002879000-memory.dmp

Filesize
17.6MB

Download
memory/408-1543-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/408-1542-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/408-251-0x00000000775B1000-0x00000000776D1000-memory.dmp

Filesize
1.1MB

Download
memory/408-1541-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/408-1540-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/3332-57-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3332-58-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3332-63-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3456-18-0x0000000004FF0000-0x0000000006189000-memory.dmp

Filesize
17.6MB

Download
memory/3456-19-0x00000000775B1000-0x00000000776D1000-memory.dmp

Filesize
1.1MB

Download
memory/3456-20-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/3456-22-0x0000000004FF0000-0x0000000006189000-memory.dmp

Filesize
17.6MB

Download
memory/3652-66-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3652-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3652-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4556-54-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4556-56-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download