hxxps://mega[.]nz/file/VkMHWZCZ#74nsIJnwxZqVcE4z6or5r-NFViFbcT5B14iLnA8r5ro

Analysis

max time kernel
101s
max time network
75s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2025, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/VkMHWZCZ#74nsIJnwxZqVcE4z6or5r-NFViFbcT5B14iLnA8r5ro

Score

8^/10

credential_access discovery execution spyware stealer

Malware Config

Signatures

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5192	msedge.exe
2068	msedge.exe
1700	msedge.exe
5808	msedge.exe
2404	chrome.exe
2356	chrome.exe
5284	chrome.exe
3032	chrome.exe
4908	msedge.exe

Loads dropped DLL 2 IoCs

pid	Process
5920	VapeV4.exe
5920	VapeV4.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	api.ipify.org

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2340	tasklist.exe
5224	tasklist.exe
1784	tasklist.exe
5836	tasklist.exe
1532	tasklist.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4516	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4304	WMIC.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 6 IoCs

defense_evasion

pid	Process
5404	taskkill.exe
1672	taskkill.exe
3108	taskkill.exe
4392	taskkill.exe
5440	taskkill.exe
1508	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876289192414084"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	chrome.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\VapeV4.rar:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\VapeV4.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
4736	powershell.exe
4736	powershell.exe
4736	powershell.exe
4516	powershell.exe
4516	powershell.exe
4516	powershell.exe
2356	chrome.exe
2356	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
2356	chrome.exe
2356	chrome.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: 33	4384	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4384	AUDIODG.EXE
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
2356	chrome.exe
4908	msedge.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 2528	3144	chrome.exe	79
PID 3144 wrote to memory of 2528	3144	chrome.exe	79
PID 3144 wrote to memory of 5908	3144	chrome.exe	80
PID 3144 wrote to memory of 5908	3144	chrome.exe	80
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 984	3144	chrome.exe	81
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82
PID 3144 wrote to memory of 4732	3144	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/VkMHWZCZ#74nsIJnwxZqVcE4z6or5r-NFViFbcT5B14iLnA8r5ro
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff6aebdcf8,0x7fff6aebdd04,0x7fff6aebdd10
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1416,i,2614038720004550240,4622952967114194063,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=1996 /prefetch:11
  2⤵
  PID:5908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2020,i,2614038720004550240,4622952967114194063,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2016 /prefetch:2
  2⤵
  PID:984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2324,i,2614038720004550240,4622952967114194063,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2476 /prefetch:13
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,2614038720004550240,4622952967114194063,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,2614038720004550240,4622952967114194063,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4148,i,2614038720004550240,4622952967114194063,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4212 /prefetch:9
  2⤵
  PID:5748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5172,i,2614038720004550240,4622952967114194063,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5196 /prefetch:14
  2⤵
  PID:5808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5452,i,2614038720004550240,4622952967114194063,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5712,i,2614038720004550240,4622952967114194063,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5416 /prefetch:12
  2⤵
  PID:5912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5708,i,2614038720004550240,4622952967114194063,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5944,i,2614038720004550240,4622952967114194063,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6256,i,2614038720004550240,4622952967114194063,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=6332 /prefetch:14
  2⤵
  - NTFS ADS
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=6312,i,2614038720004550240,4622952967114194063,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=6332 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5572,i,2614038720004550240,4622952967114194063,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:5140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6480,i,2614038720004550240,4622952967114194063,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=212 /prefetch:14
  2⤵
  PID:6036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5552,i,2614038720004550240,4622952967114194063,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5480 /prefetch:14
  2⤵
  PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5912,i,2614038720004550240,4622952967114194063,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5568 /prefetch:14
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5880,i,2614038720004550240,4622952967114194063,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=6324 /prefetch:14
  2⤵
  - NTFS ADS
  PID:3028

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:236

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x000000000000049C 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\Temp1_VapeV4.zip\VapeV4.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_VapeV4.zip\VapeV4.exe"
1⤵
- Loads dropped DLL
PID:5920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5856
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:2336
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:3512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1128
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4336
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -NoProfile -Command " Add-Type -Name Window -Namespace Console -MemberDefinition ' [DllImport(\"Kernel32.dll\")] public static extern IntPtr GetConsoleWindow(); [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow); '; $consolePtr = [Console.Window]::GetConsoleWindow(); [Console.Window]::ShowWindow($consolePtr, 0); ""
  2⤵
  PID:1520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -Command " Add-Type -Name Window -Namespace Console -MemberDefinition ' [DllImport(\"Kernel32.dll\")] public static extern IntPtr GetConsoleWindow(); [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow); '; $consolePtr = [Console.Window]::GetConsoleWindow(); [Console.Window]::ShowWindow($consolePtr, 0); "
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4516
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5e1os1cs\5e1os1cs.cmdline"
      4⤵
      PID:1612
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7AD8.tmp" "c:\Users\Admin\AppData\Local\Temp\5e1os1cs\CSCF4F10C5B807F4B848E81FA317402EC0.TMP"
        5⤵
        
        PID:1168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FO LIST"
  2⤵
  PID:5136
- - C:\Windows\system32\tasklist.exe
    tasklist /FO LIST
    3⤵
    - Enumerates processes with tasklist
    PID:5224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM chrome.exe"
  2⤵
  PID:5972
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM chrome.exe
    3⤵
    - Kills process with taskkill
    PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:/Program Files/Google/Chrome/Application/chrome.exe" --restore-last-session --remote-debugging-port=9184 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory=Default --window-position=-32000,-32000 --headless https://mail.google.com
  2⤵
  - Uses browser remote debugging
  PID:2404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff6aebdcf8,0x7fff6aebdd04,0x7fff6aebdd10
    3⤵
    PID:6064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM chrome.exe /IM chrome.exe /IM chrome.exe /IM chrome.exe /IM chrome.exe /IM chrome.exe /IM chrome.exe /IM chrome.exe /IM chrome.exe /IM chrome.exe /IM chrome.exe /IM chrome.exe /T"
  2⤵
  PID:2496
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM chrome.exe /IM chrome.exe /IM chrome.exe /IM chrome.exe /IM chrome.exe /IM chrome.exe /IM chrome.exe /IM chrome.exe /IM chrome.exe /IM chrome.exe /IM chrome.exe /IM chrome.exe /T
    3⤵
    - Kills process with taskkill
    PID:5404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM chrome.exe"
  2⤵
  PID:3012
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM chrome.exe
    3⤵
    - Kills process with taskkill
    PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:/Program Files/Google/Chrome/Application/chrome.exe" --restore-last-session --remote-debugging-port=9185 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory=Default --window-position=-32000,-32000 --headless https://mail.google.com
  2⤵
  - Uses browser remote debugging
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:2356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff6aebdcf8,0x7fff6aebdd04,0x7fff6aebdd10
    3⤵
    PID:5312
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1812,i,6810685444186038041,2854608704452421303,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=1804 /prefetch:2
    3⤵
    PID:5112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2136,i,6810685444186038041,2854608704452421303,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2132 /prefetch:11
    3⤵
    PID:868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2152,i,6810685444186038041,2854608704452421303,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2144 /prefetch:13
    3⤵
    PID:5640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9185 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3244,i,6810685444186038041,2854608704452421303,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3240 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:3032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9185 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3276,i,6810685444186038041,2854608704452421303,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3272 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:5284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM chrome.exe"
  2⤵
  PID:4676
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM chrome.exe
    3⤵
    - Kills process with taskkill
    PID:3108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM msedge.exe"
  2⤵
  PID:2840
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM msedge.exe
    3⤵
    - Kills process with taskkill
    PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:/Program Files (x86)/Microsoft/Edge/Application/msedge.exe" --restore-last-session --remote-debugging-port=9184 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --window-position=-32000,-32000 --headless https://mail.google.com
  2⤵
  - Uses browser remote debugging
  PID:1700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:/Program Files (x86)/Microsoft/Edge/Application/msedge.exe" --restore-last-session --remote-debugging-port=9184 --remote-allow-origins=* --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --window-position=-32000,-32000 --headless --edge-skip-compat-layer-relaunch https://mail.google.com
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x25c,0x7fff6ab0f208,0x7fff6ab0f214,0x7fff6ab0f220
      4⤵
      PID:5900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2180,i,7381904384219251770,2014235047565651706,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2176 /prefetch:11
      4⤵
      PID:2480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2036,i,7381904384219251770,2014235047565651706,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2024 /prefetch:2
      4⤵
      PID:1400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2656,i,7381904384219251770,2014235047565651706,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2652 /prefetch:13
      4⤵
      PID:4056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --remote-debugging-port=9184 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3592,i,7381904384219251770,2014235047565651706,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3588 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --pdf-upsell-enabled --remote-debugging-port=9184 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3608,i,7381904384219251770,2014235047565651706,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3596 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --remote-debugging-port=9184 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4060,i,7381904384219251770,2014235047565651706,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4056 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM msedge.exe"
  2⤵
  PID:5012
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM msedge.exe
    3⤵
    - Kills process with taskkill
    PID:5440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5508
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3280
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "where /r . cookies.sqlite"
  2⤵
  PID:5428
- - C:\Windows\system32\where.exe
    where /r . cookies.sqlite
    3⤵
    PID:1656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FO LIST"
  2⤵
  PID:2952
- - C:\Windows\system32\tasklist.exe
    tasklist /FO LIST
    3⤵
    - Enumerates processes with tasklist
    PID:1532

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
34c29bdb9e41b1f47f2d2786762c12ec

SHA1
4075131b18c3487e3e848361e112009c897629c7

SHA256
67ee11b51cd6f637795e31ab501f135ed595c8459bce885735f08b0418513a17

SHA512
ca3a978798e77b2ced27b379f38e935ef18beaa7ea23e34270a9af20b37e1b1c5edf9478606311cf1acabd83992766cb3da8444de9394c674d5955bdbc53c0d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
c3673a4c9da7657f9648a6b1c1393afc

SHA1
657dba6bf73ac27fb71a147ef450c8adfe247e5f

SHA256
71e032027fe13620e1d4298778855983aabb9e23d23223650bccb1df4b5b33e0

SHA512
2c7a04f2d498b971e1936423df9eaab44cec4ff64335577ce4acd7207a5aa45985aa88d6e9e6702c254aa541c6f667326cb762486f385c1ced80b68271dd42b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fb9fea6f536f4d648bc906145d4d707e

SHA1
20883b76884dcbdd3d68bdb834e42e06cbf85903

SHA256
50f00c7d9865fa238840aa8b056ff6d17e400749c1d2b9eebff1533229d86fa1

SHA512
1240ae2a3421c432822735c01cbf097babb655d8e0e540baaa04f69d33add515f34facf47b1ba20083eab4cdfe36c990f8cd54b95159c344771e1c686b3b2e53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
1530f8351ac75162779556426840cef3

SHA1
44dfc5879cc4fefa87f167b63abca65b51285f2f

SHA256
c91439a983164a6dedc21c31fbc082fb40966b3b81f7eeb58a6eafdf87579b5a

SHA512
5a0338926fd7e0d585dc47d62f22580009b4b0c79f25b45d1d72d13d07209c98c7dcde100380531f39c19352c4e82f5c417afaa76a4f51d05b0083d662f43c6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
9ed9e9a8cc259b0912eaa2a830569c0f

SHA1
e5043a607189086b576fc094a043b487b5c23475

SHA256
7f8bf0c3c54349d1db8bc3e9f87d34c81c6a170fde40425444fecab2ca0364b4

SHA512
f5aecf05c343166d44e9d88eba446c526990c1b85c817bc02feefb01738df78cd81800d93cd669da417fe759eea02886ed67194fbb6b057c9f1c6b903109e6cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
e57946ad5c07333abeb79162912dd1cd

SHA1
4aec3dddf06462d1d5fe68dc7443834306595ded

SHA256
1fac08795478c56455b55ad4b83d009cd06e5866265809880f0ad40f63b1e832

SHA512
ff8418ee48c9ac38112fa7fc5c5cd5253a6137f4105252a1b3d8a86bb1feeba48a8b31f1f5132d04a53034a75387651772a0bc289bdd2df828c71ab1481f94c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
2a51c7a2e4a1a0a4eafba35ca2848a4e

SHA1
e7d8171cf00ddf7614ba87a9688f636d8dbfe43c

SHA256
383dbf290cba1098cc289d8739dc4f970f4866aab7bfc224f58108db0a09fee5

SHA512
7227ae3b78a67fba154f7627742466b339f64ea9c5aaed9f0571e0d75f761aaed3b2e28a6cf117e12ed077e97b826d15b86712106c279296f7ff4a3d61126097

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
364KB

MD5
1bbfe828f62ef9bfe3c8dd5279b49471

SHA1
2e9c9c488c85afbfb9d51bf4f7f600c75454769c

SHA256
e98b842917b22e3412227373252bcdc18b281bf6583e7ddd3da75ac31daa7f68

SHA512
3653e238dd881c1449d64f11f357a59f54147a84e1b7c61e756ddf0847c23385b718108d99299c54b6bdd5fdff1e55b38725d72a5f4bd507208e4be037bdf583

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
399KB

MD5
60a49d2550bc927366cd7893d2d9c4d2

SHA1
1b2dc9079a8353fdd95154bc01b2b9842cb86a53

SHA256
b39fd96caac37a89d3815985b6eb07f97244e21773e8aa399e7cfb4b714b2b30

SHA512
22de5d7d36ca7b612fc5c1be5958bf1bd660d1d7d3255374764ff2971718f6dc7d1631e64c65700e0acafa39f6ac14efcc0d54c32b3bbd63e1364c8a91433859

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
444KB

MD5
4bd5656982ef46de3263d991427f05a5

SHA1
e99d9b8ade67fe8535465bb539a66d9acfe65e45

SHA256
f965e4026bab7f54cedd13f0d798eeac7e323f65ab4e1a09333f9cb015560f68

SHA512
da98fcdf0f15ba5e76d87dc352069121f9dd03fd325d591de10b159e72ffcba8ca0962d44ba6777453daf45454254284f1543a6ab07c6bbe1f8fe507ed03a0aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
377KB

MD5
9b61b5fd9677652844c45f36e71abb4f

SHA1
25219861a0cc1affeefb59c0040a74e38d4593c1

SHA256
826ffdd92e741b069bab63b4f138ba29a62692770120da66d1ed3ba72957b6c9

SHA512
cce39dba82f0ff066f71cb371e31d2a820f82338f37a8c82f7b3709f42cc8bfe7ef5cff1cdabfd0825a2cc1a5ffa5ce51c01e1891b1be29c18eb2e9a07fb0ff3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
403KB

MD5
714e7ed8d4cc38013db0d5c9fbff48bf

SHA1
352486e56f14b395edf4c1ee0bf7c50f224a3ff2

SHA256
37d6113cc70d1717825af31a4568f4765f23ac6be8e1f69afa2d7e0e0c8fa1f2

SHA512
0a320952e85822e6ba2d63671661861c4fc4a723b5dcdc65c225369c6ec0d257ae9404648447758ee2eab87c335acce5ca7e89799b017bd0f2564497ae6c291f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
498KB

MD5
94a27146ad61d47571b898e0c7ee6793

SHA1
6049a720ff5459fd850d61a93297262cf01cb2bb

SHA256
b09669b3c22022066a86a94c93e6a26311d85d350094cda6b2732abfc74a375d

SHA512
f914e87fc4545c3339788e959c688e9b49743f10a08a0ffcb36993111f8b0dff09dc6877e33e821bd05e0bf6b4c473583a00b8f8fe9e72acf7c399dae894420a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
456KB

MD5
7b2d782ba1fbe2c2e0d5082fcc3d57bb

SHA1
814f05fe003859b961dc13c402bd8fa854f7e41f

SHA256
ee44c33712ce7280a97b5ef46305aff9e351ff5ce57c7e26502fd3e302ae7554

SHA512
c7438ef2b40080c5b0fe28ca76ebefd0291b27241533b04beca38e98c2d88f51b1e43922c3a4cee491db2b89f5e2a4cb007ed7241eea746d57b86f5d7b3b064d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
502KB

MD5
331bac563ff64febf1e84f01437e7019

SHA1
0fcc408fc4ea6d79f4613bdb66bdec2a517bf2f4

SHA256
3e31a0e2f72da10e914fd68d2dcff71a5856071abaf4b6f78f104075bdf0f127

SHA512
94ba11ca7c857c6b0a034e452f8614213f9f7582e7a6ab0d06d59dcd0068054ad046955375a2b6ed7cb39d26ea0bce91a37c5d5e412f37fc1998ca9de93a450a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
500KB

MD5
d0f0df51a9328880a20171d669130bab

SHA1
1935f8f05f64455ad9e06b9df596d62dc01c79f3

SHA256
a0082c5e8d8e6201eb87ce0682c67866b56264f0266fdf62559a27336fdde668

SHA512
1da7d06cff119cfc6d9566d747e166ba8d388ae97110763d5d7a02bc7084e85e19f242bcc98561fedd76a32fb4dc83b787830dcc90058c208b6cc89fc0a176dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
685KB

MD5
114d38110825fef3484ecf4d966498fd

SHA1
1d57351678bef9e8472a3bb1d73813fd583ae18f

SHA256
ec4da54ef2951b117b270de896e3396c73e6023e27c1888190f8531fce71f112

SHA512
ed497c73dfdd398f114c636f97c491903a695c03d9bced749cd9b759a2c1376c4b21576b7c410e097738d253dfd2d2eb020790c499fddec389ecba0bb85ed44d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
153KB

MD5
b21ae2d5e8560a73f9dd3f99860e8972

SHA1
62647382f48913a4dd72f9e710fafe4de0f80d35

SHA256
5e429dba28746a75411f1a306a96420243ac7aa8750d23c114ac83dc5d1099ea

SHA512
21edb99e59637c795ca32a366a74ad805bc5104408e62472f1d6ace1a210ae49e7bae88a01096f6e93e1a9b1dee75a482459f78fa46a657e974de1fac97c672f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
495KB

MD5
cfd87a846ee4ece608a2d02038d5a7fd

SHA1
f215e4547c148f6c0bc2925761ce64e509fe8b7b

SHA256
214440fc09b81311a6d9f2e7c30bc89b0dfd8ded9eadda8d29e9d65b8dda2cb9

SHA512
00e848fe3452ea566b890575d9adc00c57f6abdb5f966a43a29f973c7b3ce745bac87ffd6ade0622fb39a67ae3d6e9e8728fc47a37d790f923ca9917b953d67b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000031

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
aa49358e5eb480a4a790f96470fb5949

SHA1
958a2d43c05334e111c67ec4a8c410cbc7575eb2

SHA256
5bd785620fb3c58744a579103933156f36df6195e78fd8d2e0eaa4c35c83cd51

SHA512
11592e8a4d144734a76509274fc6963e373292229a64f0171ec16d01caf8c4e40ee74265fb5d0667efe280b57508e63470e64a72d8f8a6eb5917aed24f2a0f38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons

Filesize
28KB

MD5
359065ead2c9d6ccf6dccca99213ccc3

SHA1
87145067c6afdb17f31b64c9355abb0d2c7d6efa

SHA256
9e8644dce9df56fc1584fb84789865356abf1bca503fabddc99bfb45f3e6b898

SHA512
29a283d617ee0716a309f961b1eacf79de6085075d648769c6ecbf44b864ded86db37ad6928823a2c2c60175dede9f2012d7a3c20eb55a38f10864cd0940a79c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
160KB

MD5
c0ed52a256f6b3f8e23f6ad4705cab4a

SHA1
fd51d502eda768d7217ae5359148ccccb51655f8

SHA256
928c0c6b0f17cc9128ce629d2d0717b6c982201c6efc84c4bc1ba197826de3fd

SHA512
d49efe2d9629dbf01f66053eb65d93529176c2e6c77050cef730f534e8879c01e9d317a4bac552f763128b305a4a192f59cdef9846361116b44ffc6af42e72c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History-journal

Filesize
20KB

MD5
7d4991eb091031386bb87e0b4b0d132a

SHA1
f5f236a14c2dceb67a16fec17cdc52d52a0c7522

SHA256
ab7b3d60c9fb6aee489e654ec82da4538ed966676f9c63c21cc92edd7043ec6d

SHA512
126275cd5d9166ef1f058a196b1d089611d4c46baf69c1c67599241c1227296198b4af7079cc01d9e3a639790c9174fd6bf3b2cb7a5cbb2b59f642d490eb8e83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
67d3b061cf95b3415eda56b7d8e300ec

SHA1
681fbbbb2dd8972da2493a502a2e84059df11cb9

SHA256
5264e872501633077f43b96bb6a9d56ee23a468b988c9cbe5240e563d036ed53

SHA512
decea9ef5a749ef2137d6521869f4f7872c77907252bddf2146e380b3e8fbd9a3658ec2feadf4b7ad9fb26b4b95f7e1393cc2b22aa85c2335f3b9cea5058c6aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
5625fe867433251c7dd7c42542a6e3ef

SHA1
0008849b6ada36cb74837e09fff18c12b4b9b71c

SHA256
9a657742c51c32643246ef86b022315abcbc07cfb053f9ac9bf5da692f404f7d

SHA512
2a6277e0896272e69abcc1a17f9c8f150d3fa73f9a098c77bc28f93b7f31869fb8a959ebfdce437ebad61e2b51cd3755e0e091ae000d263465c011292a969a2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
65dc3d026930d3d2f83beefd35f39df7

SHA1
2b3f461b128b704a06cf634a401b712e4277116a

SHA256
da12f06c08644daca108b89ab3d03929e94344c316611994ce0415029c24f8f9

SHA512
11958074bdd3db5989e25bc795c22ed7a7042bae03e588867a4d83009e3751ffd8a56623ce8290e58ffefa32c4d56d7d4f3d8b82fdc47438037e8c8d3c047386

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
40d54f3bdf8cd3b4bd9a2e34e0c1db77

SHA1
54ece698e44afaf9582f7e269d36776f54c96fb9

SHA256
0602644e396b94be66d8c02679b558a505e7c519371906a69719c254a4a03683

SHA512
1b10da00ad7ff6bc4b56cbf9610fd033ec1b3f608f5bc8de1034204befa3eaf5019f4fcd8b6a1f6cf5809e972649ba058fea1cd1d0177993d0f9383598f96226

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
8c767153270134ff67f3dd4ec752018c

SHA1
42410c9826c5ff96cfdc8163096d903d687da0d2

SHA256
25dcc03ab8d06e9b12461e9227bb92a15634b66ebe6760d3a322ef492a4cc7bf

SHA512
df952af3cb1514315dec428fe4aae1d8de2d7e2a53a1fa250ae47c5af5f3c1af177ad0a2f34d9eeeb40b073157860d2055b79823a1cb399f51b415b92a7c9739

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log

Filesize
4KB

MD5
fa7255d17430dec4ad7eaced2c7b5cc0

SHA1
abf47687b84bec585f079d1d6893416a669c2938

SHA256
2bb776625e9c2a37abf3b99ea78dce242be49abfacfa2086338bcc05e9402e2f

SHA512
e608550d196af80f15d5d53f21b3942f6dd666dda995157842572fa67f46ab57df82e3a64520ad1117d1a9b6f7d915fb1de504ccdf2dd509f0655bdc50fddf68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG

Filesize
333B

MD5
632fa37d3d7ee7af5c9d3110d1ed5bf4

SHA1
c40cf9d3b605027d7340d66a4bcd37f6f86f990f

SHA256
6ba5df3775f84f5d31b4ff5d164037944cb10fe1a19af61354274835ff15628b

SHA512
802caddae829b0fe67bac9472a2110c6980e756e6afb5994f6c099b3a4134d191d77784e40ed758906c1d0813588ffc0bc98f80e96da1f4b81142468d1c5be28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
fa0aad075300713ce4e81be88ae85ac5

SHA1
f0d7cb2d33ccad219edc5cd2e3016e1ab49c31eb

SHA256
ca846ebd91c06dbd55a4e8e7df423db398a1ce60bf6c62ecab7fd7ccadc2f0c0

SHA512
0e891e5ee25c2764377882e4d240416a5deba2365fd0b9212bf944c70c8b093a4529382c150871af4a45c93055a5be24af47fa217f84e4c451e759856ea6e235

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c890.TMP

Filesize
48B

MD5
f06db3c34c8841556e805e3fa02da82e

SHA1
5b06dc36381e755155ac29e001c667eb53b01e9c

SHA256
8617f3cea92d0041ff872e592eed002efc7478a2bafd12cfaf241550cf373219

SHA512
a29a1131b14c13bb12b8c8b35bfa5740f7f9eb46a464d2e00f00e21ea34d08882ea03c3f7d0b66ed9a869ec963a75112ad21d3f620d9f0ecb549e55aa9b09e28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log

Filesize
100B

MD5
3d4d5756a756966cab854b52165cbd6d

SHA1
c8b7d496bf2cd3a437b31d5762ed5ca7456f4bd6

SHA256
30e70135a201569dc3d673ee9f9ce64d3e591649a59324572955933a681a9ea1

SHA512
f0528436d7a4e573c9cc9ae8ef1ad124e790a44058639b7542d1a98013e3dcd2b5601131cde8ad56cc7e40d72249e5d8d9f40ba0a757bbca6be600834e4dd5f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
348B

MD5
48143060e1405ae3948cd70151e5a78c

SHA1
712e5ec922f1172eaee60b3b9a9cb4b366ab9896

SHA256
fee8ca459e59379097647cde98b4772857cbd6a08cdf70a55337ee6648735eaa

SHA512
827c1243df642518f8ff02746a8b4309969134bd8e63bcb9d7e632f9473806ef44fdbebc696f2555c4d8edf575cf1bad82df0fc33ee05e396d705f84ec0d817e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
2601f50d9ca328bd8964e4741d23c024

SHA1
bb809b1ce7bae15116c39316ca7ce5361807991d

SHA256
4f5869c66c4b7f95527abab1c64fdac61497b31984a98312c85deaa8dc199cec

SHA512
008fe9ebfaaca902e248f346c355f84e51fa8ce718aeca68c9684dd2ed8fbb856302ce3aecce8a3df76cf81236b18b5adcb68dda34d626960ad65460fb9c487c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links

Filesize
128KB

MD5
e95a287226ae59ef96d73f73a138e576

SHA1
1df7ba7a8358a23aa9ad2c54807e2f119e8c9a37

SHA256
2df31a870a9064425f879dcb49e52076a5cdbd2ebf2fe9e4e5bec63ea6258064

SHA512
66bdbc706c9297b5861a5216442642be42d0c6790bf448eb1a9c32b9c354282160812302e831baa9b901461b0ea67bec509cf890c4d7df903afa8179ab5e5331

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
13B

MD5
a4710a30ca124ef24daf2c2462a1da92

SHA1
96958e2fe60d71e08ea922dfd5e69a50e38cc5db

SHA256
7114eaf0a021d2eb098b1e9f56f3500dc4f74ac68a87f5256922e4a4b9fa66b7

SHA512
43878e3bc6479df9e4ebd11092be61a73ab5a1441cd0bc8755edd401d37032c44a7279bab477c01d563ab4fa5d8078c0ba163a9207383538e894e0a7ff5a3e15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
119KB

MD5
5cd88d25a9a2b578be5d68ae9db47d4b

SHA1
5079f3f49c014b6edc37c1879822d6bbeae4575c

SHA256
2d5c84215d358d32fa6085add6965c6a64d4a64cca43566464eaab2b57d65f68

SHA512
5caa30d5b74b58de87fdb207dadca5b4c82c16ef78b5c90e295bb4b7ce45934c2abd77f1c9557b3fd9e21db5f1b351780004713a8dfc6bdd9ab9e5a66bb71a23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
544ae82ccb1c9cb7f1ee5b3730807e99

SHA1
6189c7a33c8de4730da3cbe6e436141eb2e83f66

SHA256
d40e9b830567c367324b3c5ac6d33b1261f4e44e1c4a91bfa23c9a35fbfe2de0

SHA512
e3fcce4c7643fc60d73ee791fbe5a3d6ce629e56529d6b16738ea8ee8ed6e6b9cdeede813a8dd5bdaf3d7548984deb74c9d53aa27b7baf6219deb550fcbc3866

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
819d0971a4634573f9eec961d19b2171

SHA1
33836e91c2f114b23766ebf29fe4007421a89e2f

SHA256
eec6a44b364a325dc8db5320de942c0c76aa839baad4be0a91b4636406dd9d10

SHA512
83eb50cfc3415bd4624babeaedcffb5aa8e2f48dceb3f99ec0614267bbd376c8d737eda797afcf67b847180ecc3f4cd484ca0028e3f61bccdf2a1abcb15ecd38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
29791b7c73e99b7eda1581dbf1f9464b

SHA1
7f930ade2d5bd09c265327255a03f0f1320c32ca

SHA256
88d6e406057e975efef2ab1bc2555740e64d45549c68d2738651ba9f8392169c

SHA512
b5c6f89fe0a2308a1e0c2e806014b89c28b7d00c322dfd8d4d075fdc0b5b497db0b29047f6bbf09282d4b61a5f0b24fcd80d7312c953d3ee06dedd5fb5c7669f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
ec4090e213abb64b4ca8308b5952e43e

SHA1
754d3023cc04eea4de2b4c83ecac45dcd46518d5

SHA256
d5fd965718724659b52d3f068e2e9bbcfbcf48b469881aada114e5d11f7010c2

SHA512
4e64127a50392b0c4410df0d56794144bec0b657ffcbabba1bce4e5c6f19953b5397be30e0d2409c0270e6cb8399f375b1ca0ec459b6cce98766997783609fcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
16b7586b9eba5296ea04b791fc3d675e

SHA1
8890767dd7eb4d1beab829324ba8b9599051f0b0

SHA256
474d668707f1cb929fef1e3798b71b632e50675bd1a9dceaab90c9587f72f680

SHA512
58668d0c28b63548a1f13d2c2dfa19bcc14c0b7406833ad8e72dfc07f46d8df6ded46265d74a042d07fbc88f78a59cb32389ef384ec78a55976dfc2737868771

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\segmentation_platform\ukm_db-wal

Filesize
160KB

MD5
ab5d26ae2a9cb4bf8635c2942308a2b0

SHA1
cf109c5f532322b759296f8d35a142a7a57e06f5

SHA256
1b0fd74c9197b81e39acd0c084688caf94f68773eeb0f891fd5db67a747d0c59

SHA512
97caf9d703f57ef92984d43f02dd5b74affb9c1c96c008dd64d5986eb06c74b67d4cb3cb64e70b99d10e119ec8932a7608de740901ded9d849f579b72c73efa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
e5f3655796637b7d0f4a8ed402e119ea

SHA1
3baaf516676664d46727759914745776a166016a

SHA256
22d91a4321390a9445110f04d5600f49f03604a2d7ecadd10c663248295c88dd

SHA512
2125899d678c926c9f85ad81892f8ee91aa0a74e4c533bcb6e48675ebf0eccbe0db17998f3e3ab961cf3beb8fef7f950588398c5868327aa2d33f81bde797ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\60b7ce2d-76ec-4a11-bae7-4a54ca6a0169.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
621b9ed33237f5a68dba17eefd4c4b99

SHA1
9aed0a5f53fb3a781f0bcbc16a232385e17df445

SHA256
9e5924f7ec9b46486a13a657dfb5da9cf63f9c8a741577ebd437c5525a6d230d

SHA512
6200a63b7f2eca163f7e86700a36f252df188040da25e3cbb5181fc1cc469607eccec941a5d402f9b4755d567751f223c9ccdcf15a8544e8ee31774e861fd2a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e1os1cs\5e1os1cs.dll

Filesize
3KB

MD5
e0f0792385b80fde6880ca344b6b4ae7

SHA1
314945c3b36234c79a43b608dc088de4ad3e2d99

SHA256
0c66877b98562d6f2276a14439b4595cb0fbdc0e10ec28c52c947534bf7b509f

SHA512
9f186d49d5da3959c267ba84fc23ba2b0ab8db4d805fbddca7975a60276e9c33f9ad713a3e035be22046e5f85ee7778bd4dbcae680c4de51c02403fe8e42986c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7AD8.tmp

Filesize
1KB

MD5
9b64c87e4b61d774cc75683d10525a62

SHA1
5fdde9cb96138cbfeeff61e26cc9f01dca902769

SHA256
30509e6e422c01fb293c1af11326186d79198cb545fe5baece60ef75b9c519ab

SHA512
bf783dd5dfcde3b3bbaa21477531857f36a895f74b0f1358d1355cfa182ad10e1cd648b41b550995872f9b4dac8f30fdf3d092f12e27a1bbcbaf22274adf26d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3kukwtkc.0a3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd\ilovingcats\prebuilds\win32-x64\node.napi.node

Filesize
137KB

MD5
04bfbfec8db966420fe4c7b85ebb506a

SHA1
939bb742a354a92e1dcd3661a62d69e48030a335

SHA256
da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

SHA512
4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjnSI5UPzg80pUGCRQ50PqGSZ\Chromium Bypass\Chrome-Default.txt

Filesize
2KB

MD5
f3f8cdc5ad3ae31fa3ff2eab12590c72

SHA1
a9d58da4a93d113434672cede6b3bf7fe99c1557

SHA256
9f3c462dad617230d499358e735117539f8a0e6d29252b9c8b9c5c36f37cd0e4

SHA512
c14bfae0c5e0a98b7bd358fbf7eb4954941551963bf2d09496d0c703c924c9c6db386489813ba4670d306d896e75b361ecef049ac0f54b961dec1be5b69dad85

Download Submit
C:\Users\Admin\Downloads\VapeV4.rar

Filesize
16.6MB

MD5
7b48ae117479c5b5415b0e7e1ceffe81

SHA1
b632c0f2694c7938a8f6ee1fcaf8f4a7306ddfdf

SHA256
107a24499a41b05f6aeda55094398ec84c1e51ca4c0f2d7f5ea5c6867998b9b4

SHA512
4e5a2634bc2ebd7638a3c7fa88c6c65da269a8874674ee6a5166ac994017475fd4e385f2e250fefe06506335026f1ce5f554755534ae030f001d82987e2b8dbe

Download Submit
C:\Users\Admin\Downloads\VapeV4.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\VapeV4.zip.crdownload

Filesize
21.5MB

MD5
713324cf2285145df629eb2d6dac61b9

SHA1
5047ae485663289a45aa51c8db8461584d2a5232

SHA256
8e834bc884ef2b77ca2acdd60d5b0faca6c8e664ffcd1c86779f8e5c55d65145

SHA512
4c8ae1062e3e137f44c76d77f183759db2404a7be4b3cdf54685f7a2481a1d4884acd20794b5f96061a70ab14a296949835d70942a9467b7e2b3fc4371f45c59

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5e1os1cs\5e1os1cs.0.cs

Filesize
312B

MD5
f326972440187292e167a1aeecb37631

SHA1
37b1e3727365ea5f02833cb80d7c340612fe8a0f

SHA256
a5c3410c34e03d37491bd44c462beb054179cb6b34c53649fed031c59c2e4123

SHA512
80001f9886d6875a86c3d807411343f19104fc15d659d37dcf173d241f5c5098fbb9e4df8b86bdc13aebceffb88023ba2ee2bffd1240c5fa5d2f471474ca08d5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5e1os1cs\5e1os1cs.cmdline

Filesize
369B

MD5
4e6d458c0236b849e446a310253c3126

SHA1
99016fa9093ca6574fc70e312eae310d05d1896c

SHA256
9041b5967b091c9dc9837195c3ebb72080028d275a06d3e0a5b56b93fe7459c3

SHA512
0fc1a0b66674aecd00bccad43bd365b95bdb3da31a39a27419bff2b13a871765aef3d63be6d74c37dc5043e93ca1afe45660c442d84dcf1e1061b4cfda182264

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5e1os1cs\CSCF4F10C5B807F4B848E81FA317402EC0.TMP

Filesize
652B

MD5
84f5b95442d1ab1256b5fbbf5fa57b46

SHA1
f97df1368f7c037f654664092d3f631ce45e17b0

SHA256
140b2fa644c51232e97eb042bb65d4da3b909db46d6807600e5069d8d0ad4300

SHA512
ce70fd20a1e2509e2709f72e8d2f5df8f2ad4e84565f9cd610262dbf69aa10b0d42a98ef8a768c412d57656b91c5fb4db3df9a58fd866523a811af50b6208cb0

Download Submit
memory/4516-562-0x0000019F2E0D0000-0x0000019F2E0D8000-memory.dmp

Filesize
32KB

Download
memory/4736-527-0x000002A15E080000-0x000002A15E0A2000-memory.dmp

Filesize
136KB

Download