e1369268642ccda5e7b9faf8befc73e502ffddf79eda69d5189cac13a8557a63

max time kernel
99s
max time network
250s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

730880284326.html
Size

550B
MD5

60ee7118f7d5d6737e4577103711e257
SHA1

df5d33bf26a9882e6e512e4803438031559cfca2
SHA256

e1369268642ccda5e7b9faf8befc73e502ffddf79eda69d5189cac13a8557a63
SHA512

3d4816c0e6b591fad2fdcc10a9b38ed0fb84fd62f7ad99e42e11f79e91b8776db7d0bf9eb2583bc89e0ee55e937e4dd1f39bd9f1dbc63058d104e37ec440e62a

Score

8^/10

defense_evasion discovery spyware stealer trojan

Malware Config

Signatures

Downloads MZ/PE file 2 IoCs

flow	pid	Process
16	2792	chrome.exe
64	2384	HexagonPlayerLauncher.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	HexagonPlayerLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	RBX-13E71F14.tmp

Executes dropped EXE 2 IoCs

pid	Process
2384	HexagonPlayerLauncher.exe
2916	RBX-13E71F14.tmp

Loads dropped DLL 9 IoCs

pid	Process
2384	HexagonPlayerLauncher.exe
2384	HexagonPlayerLauncher.exe
2384	HexagonPlayerLauncher.exe
2384	HexagonPlayerLauncher.exe
2384	HexagonPlayerLauncher.exe
2916	RBX-13E71F14.tmp
2916	RBX-13E71F14.tmp
2916	RBX-13E71F14.tmp
2916	RBX-13E71F14.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HexagonPlayerLauncher.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RBX-13E71F14.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\ui\InsertButton_dn.png	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\ui\PropertyButton_dn.png	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\fonts\CompositTorsoBase.mesh	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\fonts\SourceSansBold.font	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\PlatformContent\pc\textures\fabric\diffuse.dds	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\PlatformContent\pc\textures\water\normal_06.dds	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\sounds\impact_water.mp3	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\sounds\woodice2.mp3	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\sounds\woodmetal.mp3	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\ui\Chat\[email protected]	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\fonts\CompositPantsTemplate.mesh	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\particles\forceFieldBeam.particle	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\Roblox-loading-glow.png	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\shaders\source\water_r3.hlsl	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\ui\chat_teamButton.png	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\ui\scrollbuttonDown.png	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\PlatformContent\pc\textures\grass\normaldetail.dds	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\ui\[email protected]	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\ui\PaintButton.png	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\ui\slider_new_tab.png	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\particles\explosion01_smoke_main.dds	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\particles\forcefield_glow_alpha.dds	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\PlatformContent\pc\textures\water\normal_02.dds	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\ui\dialog_purpose_shop.png	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\ui\[email protected]	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\ui\Inlets.png	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\ui\scrollbuttonUp_ds.png	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\particles\explosion01_shockwave_main.dds	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\PlatformContent\pc\textures\granite\specular.dds	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\PlatformContent\pc\textures\metal\specular.dds	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\sounds\electronicpingshort.mp3	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\shaders\source\concrete.hlsl	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\shaders\source\pebble.hlsl	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\shaders\source\wood.hlsl	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\PlatformContent\pc\textures\water\normal_23.dds	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\ReflectionMetadata.xml	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\ui\scrollbuttonDown_ds.png	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\fonts\headJ.mesh	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\Log.dll	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\shaders\source\marble.hlsl	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\ArrowFarCursor.png	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\ui\ButtonLeft.png	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\ui\CorrodedMetal.png	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\ui\icon_TBC-16.png	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\PlatformContent\pc\textures\slate\normal.dds	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\sounds\switch.mp3	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\GrabRotateCursor.png	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\script.png	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\sounds\woodstone2.mp3	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\shaders\source\grass.hlsl	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\blackBkg_round.png	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\ui\icon_BC-16.png	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\sounds\ice3.mp3	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\ui\[email protected]	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\ui\Backpack_Open.png	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\ui\Health-BKG-Right-Cap.png	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\ui\icon_mutualfollowing-16.png	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\fonts\headA.mesh	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\fonts\headI.mesh	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\PlatformContent\pc\textures\wood\normaldetail.dds	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\sounds\impact_explosion_01.mp3	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\sounds\plasticplastic2.mp3	RBX-13E71F14.tmp
File opened for modification	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\CloneDownCursor.png	RBX-13E71F14.tmp
File created	C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\content\textures\ui\ButtonRightDown.png	RBX-13E71F14.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HexagonPlayerLauncher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX-13E71F14.tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FDA105C4-D2C0-4681-892F-0D28C3B73B3D}	RBX-13E71F14.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FDA105C4-D2C0-4681-892F-0D28C3B73B3D}\AppName = "HexagonPlayerLauncher.exe"	RBX-13E71F14.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FDA105C4-D2C0-4681-892F-0D28C3B73B3D}\Policy = "3"	RBX-13E71F14.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FDA105C4-D2C0-4681-892F-0D28C3B73B3D}\AppPath = "C:\\Program Files (x86)\\Hexagon\\Versions\\version-18302bd6e67335f8\\"	RBX-13E71F14.tmp

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2396	chrome.exe
2396	chrome.exe
2916	RBX-13E71F14.tmp
2916	RBX-13E71F14.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1492	2396	chrome.exe	30
PID 2396 wrote to memory of 1492	2396	chrome.exe	30
PID 2396 wrote to memory of 1492	2396	chrome.exe	30
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2732	2396	chrome.exe	32
PID 2396 wrote to memory of 2792	2396	chrome.exe	33
PID 2396 wrote to memory of 2792	2396	chrome.exe	33
PID 2396 wrote to memory of 2792	2396	chrome.exe	33
PID 2396 wrote to memory of 2804	2396	chrome.exe	34
PID 2396 wrote to memory of 2804	2396	chrome.exe	34
PID 2396 wrote to memory of 2804	2396	chrome.exe	34
PID 2396 wrote to memory of 2804	2396	chrome.exe	34
PID 2396 wrote to memory of 2804	2396	chrome.exe	34
PID 2396 wrote to memory of 2804	2396	chrome.exe	34
PID 2396 wrote to memory of 2804	2396	chrome.exe	34
PID 2396 wrote to memory of 2804	2396	chrome.exe	34
PID 2396 wrote to memory of 2804	2396	chrome.exe	34
PID 2396 wrote to memory of 2804	2396	chrome.exe	34
PID 2396 wrote to memory of 2804	2396	chrome.exe	34
PID 2396 wrote to memory of 2804	2396	chrome.exe	34
PID 2396 wrote to memory of 2804	2396	chrome.exe	34
PID 2396 wrote to memory of 2804	2396	chrome.exe	34
PID 2396 wrote to memory of 2804	2396	chrome.exe	34
PID 2396 wrote to memory of 2804	2396	chrome.exe	34
PID 2396 wrote to memory of 2804	2396	chrome.exe	34
PID 2396 wrote to memory of 2804	2396	chrome.exe	34
PID 2396 wrote to memory of 2804	2396	chrome.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\730880284326.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6df9758,0x7fef6df9768,0x7fef6df9778
  2⤵
  PID:1492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=976,i,10085908484960163425,13141059227075895316,131072 /prefetch:2
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=976,i,10085908484960163425,13141059227075895316,131072 /prefetch:8
  2⤵
  - Downloads MZ/PE file
  PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=976,i,10085908484960163425,13141059227075895316,131072 /prefetch:8
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2220 --field-trial-handle=976,i,10085908484960163425,13141059227075895316,131072 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2232 --field-trial-handle=976,i,10085908484960163425,13141059227075895316,131072 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1152 --field-trial-handle=976,i,10085908484960163425,13141059227075895316,131072 /prefetch:2
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 --field-trial-handle=976,i,10085908484960163425,13141059227075895316,131072 /prefetch:8
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3408 --field-trial-handle=976,i,10085908484960163425,13141059227075895316,131072 /prefetch:1
  2⤵
  PID:844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3596 --field-trial-handle=976,i,10085908484960163425,13141059227075895316,131072 /prefetch:8
  2⤵
  PID:676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1276 --field-trial-handle=976,i,10085908484960163425,13141059227075895316,131072 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3748 --field-trial-handle=976,i,10085908484960163425,13141059227075895316,131072 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3916 --field-trial-handle=976,i,10085908484960163425,13141059227075895316,131072 /prefetch:8
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3944 --field-trial-handle=976,i,10085908484960163425,13141059227075895316,131072 /prefetch:8
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3964 --field-trial-handle=976,i,10085908484960163425,13141059227075895316,131072 /prefetch:8
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3948 --field-trial-handle=976,i,10085908484960163425,13141059227075895316,131072 /prefetch:8
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2660 --field-trial-handle=976,i,10085908484960163425,13141059227075895316,131072 /prefetch:8
  2⤵
  PID:1076
- C:\Users\Admin\Downloads\HexagonPlayerLauncher.exe
  "C:\Users\Admin\Downloads\HexagonPlayerLauncher.exe"
  2⤵
  - Downloads MZ/PE file
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\RBX-13E71F14.tmp
    "C:\Users\Admin\AppData\Local\Temp\RBX-13E71F14.tmp"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    PID:2916

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Hexagon\DOWNLO~1\03986B~1

Filesize
926KB

MD5
03986bb2e8ee04fae6286462f9e48bdd

SHA1
105a8b06af30856c282eeaaa57f95293a1f75cc3

SHA256
240255b35eb69fded1bd9f9317c43fff91147b84ee7ad4154248c03478420b81

SHA512
59567a023e3099f4382a315439a20c1b228c9f1f7e1d27f5261e7abe7c74d0dae51025178c7fb05600a8bff4dc6b8cae3488a962c6b9f96a6380b258896a8268

Download Submit
C:\PROGRA~3\Hexagon\DOWNLO~1\269746~1

Filesize
1.1MB

MD5
26974685e8ac4f9feb313c2c3eba3ceb

SHA1
9588bf59c439a306e7069861dacfb65a826b6fe7

SHA256
eca99098c6ca46bd96aa10c22aa5a3d89ee277566f401b6d050a3bd5f170209d

SHA512
1ebea1879aac59a98428c4362dd313d1b6c11bd5b6a9ed2b5df8d8b2c172a30d84f0e15271156f462753334b4f2367b24feab3dcb449499f95b6431c8a038861

Download Submit
C:\PROGRA~3\Hexagon\DOWNLO~1\3055FC~1

Filesize
1.8MB

MD5
3055fc28f2b2fdc989ce4c7558e34917

SHA1
6df272706d67fecfe5e15e7726ecf6a02eee555b

SHA256
37ba47d5ef2c683b385a1a098e5699cc206dc8918d3a178c63277cc2bcf8a43c

SHA512
56d0608d3f4caf954daa2a40563200b53669b703f4a9dd551686f634006ef9cbddd89e72a770c93deee7ce64709bff33b604a8173729a480d529a2815d597d81

Download Submit
C:\PROGRA~3\Hexagon\DOWNLO~1\3AB4AD~1

Filesize
15.3MB

MD5
3ab4ad848d98e2e750bcf569e77ad39c

SHA1
dc616e297df3daebc6d34bbe5b7a45e963f07d86

SHA256
f0786cf74bf63f24f25f3ec333ba1b2ebd1ae689f34305c8631cd229c62cc8bd

SHA512
252746a0b89fcb33c66545cf2cd3a62f9466f26566daa17884f71cb32e4f88522b279fa374d7af739955b151e919df1e410fc84e2044608eff799c84edfd6504

Download Submit
C:\PROGRA~3\Hexagon\DOWNLO~1\576198~1

Filesize
2.6MB

MD5
57619889e276e5fe626759738e3d8bc6

SHA1
b591881ce3917252e286f75820a447d70f129c32

SHA256
76b306d933fa9681bc84a4983acd4645644719653d3407880cb681619da08b8e

SHA512
e536e878035f3b59149837bb51e62d1f6fd4c0e219cf03a1dae3163db9a424c25b5035fc0f34a32e32940bd36f136b3eb6123a624479fbfcfb2caffc196637cf

Download Submit
C:\PROGRA~3\Hexagon\DOWNLO~1\60284C~1

Filesize
5.1MB

MD5
60284cba7539b40b398445412355b667

SHA1
17f53b87a252f76a8ff106300b510cf6d1f6749b

SHA256
cf3d44c56bbeeb8f2ba630898856477f9283d6b375281bc888b3e081f8cf769f

SHA512
695bc5d5f80ac25f7fae8251dcf60ebcda149ad641e8e29412316ab346252b432655503ece0eb94c53bd11f8f3686d52103ec8011aa9fcb7adc84c647838b345

Download Submit
C:\PROGRA~3\Hexagon\DOWNLO~1\627592~1

Filesize
40KB

MD5
62759277a2578290a7a33f60eb3661b1

SHA1
05cc8c11c017a28177c0d64114184e0b78eba47c

SHA256
3048e51018a869c561468be87d4a89d79c2bc3ed920aed79ec107bdb0606eb1d

SHA512
43762724674a5cbd0daf4311ee83b099b57a84632f71397d6a79746e543c5b8871036385b6087837bd3a7eaf538d956fef5f0f2ee021ef541ee59dacc2dbe922

Download Submit
C:\PROGRA~3\Hexagon\DOWNLO~1\6B6BDB~1

Filesize
1.4MB

MD5
6b6bdba5836d09596ed35471a39b4f2c

SHA1
f289386296460a5f868ac818826eec5e072dcae8

SHA256
d5c389729ad08839e11178ec2896620d27af40ff29ed34dc0cbebc0ffb2a5369

SHA512
299f5fa48357fb6e52ad4b8dbd5def5bc89d717ddd004781f075638cadef948ea68052daca814f163b1c38003487b488764d89fffa319c45cc4ba9005a93b1e9

Download Submit
C:\PROGRA~3\Hexagon\DOWNLO~1\7424CF~1

Filesize
44.4MB

MD5
7424cf8fe3f0e630d14f47eb896389f1

SHA1
e93766b83a2bfa82f2bf7e289f47cb093328828f

SHA256
0f311b2ec3f52e08d692c71939ecbd976335b46c471eef0cc7fd8a06f583810b

SHA512
10bda15e69171591abf4dce824448b079eccb87746fc3a7632c268c911b4274665ba7c87a542aed906414fb109ceae317e612a73d6b5f94b098ae5f27a1d06f3

Download Submit
C:\PROGRA~3\Hexagon\DOWNLO~1\A37C4A~1

Filesize
43.0MB

MD5
a37c4ac76a4f1ced4267befe8ffb81dc

SHA1
a2b74a1ff033cc6f4fb52ed5237ffaba9fa5bc5e

SHA256
bc018d8af406c329cd8b3bd986c677fa64f4caa5fc62dc2ebe8ecac52a0ca0ee

SHA512
7a543c5331bcec65c753e6538087f2ebdd8e48f394be069317b27a0874307551245914c78990075b0a96132cdcf3b6037ad075cfb05a105351f65392c85bf902

Download Submit
C:\PROGRA~3\Hexagon\DOWNLO~1\FB22CA~1

Filesize
9KB

MD5
fb22caec92794437bbbde3b53bae5ec1

SHA1
c0bde9043c4560f12584b1bb967f4b515a1fdb5d

SHA256
3e38b233cec4a5075a2e6849038008bf7437b7ca6d2cd3743eadb6ab3f77f04f

SHA512
899ac28cf75ab0e0f5e1e63cf0f5c4b99b7a20b4fe8b964dc5d6ecccd82775cc7f283621783758301b66afe5dde907234efb603e9a6a048753cb5b9c8329a351

Download Submit
C:\Program Files (x86)\Hexagon\Versions\version-18302bd6e67335f8\PlatformContent\pc\textures\cobblestone\normaldetail.dds

Filesize
176B

MD5
f527b5859d7ca6c080ba954f3013883f

SHA1
3d00b598b1fb762ae0921bcc49ca189f05f417d2

SHA256
ff11c95774ee0405666fa313f1e53ebb46b1352bfff3456ac2b2caccdab07b4d

SHA512
e908a29c4316a15f5c16a005c69b402e0525b80e0c3284d6f19074ab8b05d62d079ecf43974b223a68d7c56cbf1789df69ab260553de1aab0edfbdad5e6d654d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
1024KB

MD5
2df8f0e2e2aa7f54f77729cdd3916249

SHA1
9a63851b9591c4f3ded80f3f3d1c445a3ccf977a

SHA256
507cf795e187f10d0c27e99fa6b6119e93cb3ddee047d4e199128f8fc18e567d

SHA512
e566aeff11f11adbf52b689a165cfc9ff252c2db2212524e03fd58bb8b3b5301cc6d500da0f74044bc28fa701c88acf8e292459407cc9645bf7d217c08c6f1dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000031

Filesize
915KB

MD5
0374c67a6ec5441b382be9c72f63dc9d

SHA1
0da380a239f36bbaf619986a6ea74c10262bebbf

SHA256
7b8b6472510c7b9dcf389e51fb9ceeba56fd8cfa74166c74065283d6b5918e60

SHA512
071f184202d4621f0af7d8c33235412f2ec36dc765e6c384cd0c00af6269b15868ebd8bcdd12396047739a6aa6e3d92abe579e9d9293b7df5be4bdbb8147f591

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
02ef8bdb9462ec230173b61e2038e382

SHA1
78cd5870f6066ca7fc90a551d7229c8b2e05770d

SHA256
f50374e20d761c81915fbc345894ea9976dfba2d6dced4853d0a0cfa572ef8ff

SHA512
3b9bfe52e0c3470effbbb8c3842956e4cde839c08d3ca95080987fdfe17945baa836cf61cda6c39bd33c19d85d16ab07a7cf61bdd37de62c36ba8d8d5914e3fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
409df213dba9487461e35315b77b6d1c

SHA1
4fe8067b3ffb84f833c39c3f3e58478996d768ce

SHA256
764dda58227e94c7fc790e47ac331c01479332d366b6dd3f3b33224d49187c01

SHA512
b76beb906fd179c96254eb27d0b2c6f39defc41ab32c882b12e4e340a389658c1222308e242725a091bfc082af3573bc625af9dab68df41b8f37ca18b43c3fe7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
067ae9d67a920e46d7621ae7e9f26faf

SHA1
b596521d11307a749c7f858647f58cef1f460914

SHA256
27f088b8fe24dd0f1a046e19fe16a8b1d91da50f12cc212a92914f19264f4928

SHA512
47959a48e4fe1fe390225a67b5df208b8cfb80ca70ea5800455a36babcfdde1c48c55e30263bc73f06a3e7664ab2d9cbc007e8ac7fb58fa36fd05905541cb8ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d4d2e0e4e4603d2ceb8112de463051d6

SHA1
a49112a382014707382f2e792c39f148b421207e

SHA256
997f3a303e2df26f186541fee5b9d34f4c439ac8f2cb9f7eff82e06bd0b908e3

SHA512
aac358762af36aa6bf8b8512e6621300cbf851a7d1298d0249123d28463c456677f2b6b372f43d0b392595a4bd54926696c4885b1adfebffec08a8235b61e9b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
db1b5681308784a2610185dd738f5c15

SHA1
192d49adf25dc48ee92e3e8926bf5b35b6985a28

SHA256
32bc4687c8ea889f841bba4d7d4757b9e5e5ed2f8dab901d8a104a1b5cf2420d

SHA512
80d8bdc89306e643c45a13da7795a9250aa6938ebaca125aa3437fb3473e8328e556621f8ebe7735a4c71cb01d0a9b4d3541ce9a45f4a59dd4f084419feac4a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3ba67151c746dd84a25314d97d7a8835

SHA1
de2dc8b38c5b627d0fa4c32bf46f1a55d9f49528

SHA256
1ce722151d7c59f7b996f3b3f7efb0b95d42fbffd3d5b66a257f21fadcd190cd

SHA512
20c3e7788170996344975554f2040d53e8bf39ca9af1f1aeeb2213bf351301db5f1fc7d487072f2d960f2a8e94123569936ebe479e7df704ed85b8cd73eb35fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
334KB

MD5
b1b07a2a71c84e3c077f5bd0dba1a95a

SHA1
3de6466f6f06a21d57fd00d669ba980e5cad2e06

SHA256
4ed48e30f23ef4f13764c9219138afa1a9247cdfa070d20ce3494905e2141090

SHA512
830cbeabf866aab3630039a408d465c39287c2aef71a8f757ad4d56180e2eb9cd13918ee5a7fbf3c3ba81dad4badd4d20b28e204b99d55e984de3e558417418e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
77KB

MD5
be103b600cdede8c8c4d0a45f92f474c

SHA1
a2dbab7e594572555f451539f8244d69d4dd76f5

SHA256
fb78e6e226c0842f9226adde2b499fefa681640a3ed9fd277c0ce8566be8260c

SHA512
80f9cf00e77b90fe233be870a4a391ed5e8176423db8ff0f6573a0a96e9ea03cd430ecf230d0d5bfd683deacd62e6918be3d3801689934939d7c89175d1eddf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBCE0.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
\Users\Admin\AppData\Local\Temp\RBX-13E71F14.tmp

Filesize
915KB

MD5
3e91f5609f397e8d288a4153234b447d

SHA1
fb141a2b2c05da080ee0914523404c84270baabe

SHA256
d9c59ba85f3900ef65fe932ddad745bd269ea1c0548f46a212d66c70b9ffd91d

SHA512
c750fcff26e9765eaed343f5869ca6047ec857d5467e4987496cce96a6a946b3694c3dcad8893dbcc0331682797f906ddad03725b3ac2783d1c4b64e5dd8a296

Download Submit