lumma | 3c5a551b8fee65ffc444a3c0730b990591c3a95e442426563539f0a2ca3871d2

Analysis

max time kernel
149s
max time network
153s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
29/03/2025, 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

v7942.exe
Size

634KB
MD5

d62b289592043f863f302d7e8582e9bc
SHA1

cc72a132de961bb1f4398b933d88585ef8c29a41
SHA256

3c5a551b8fee65ffc444a3c0730b990591c3a95e442426563539f0a2ca3871d2
SHA512

63d389102c1b78ea5157aad0a3f45f351a5752ae896729d85be81b70721f19869efdb8dfa87906f891be9bec0d9154b7498e4ac4216fd3ec574fae64707e258c
SSDEEP

12288:SaQ9+ICJkAp0mBpehM8ppy+E4J/aDQy5b4WeZGl/GtWV3OH2JrZw9RlUR:Kw4GBpehMjcuP5b4Fty3pZwXlUR

Score

10^/10

lumma stealc vidar 928af183c2a2807a3c0526e8c0c9369d default credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

13.3

Botnet

928af183c2a2807a3c0526e8c0c9369d

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Family

lumma

https://wxayfarer.live/ALosnz

https://byteplusx.digital/aXweAX

https://travewlio.shop/ZNxbHi

https://skynetxc.live/AksoPA

https://pixtreev.run/LkaUz

https://advennture.top/GKsiio

https://atargett.top/dsANGt

https://70sparkiob.digital/KeASUp

https://appgridn.live/LEjdAK

Extracted

Family

stealc

Botnet

default

http://77.90.153.241

Attributes

url_path
/612acd258782ade8.php

Signatures

Detect Vidar Stealer 34 IoCs

stealer

resource	yara_rule
behavioral1/memory/4408-2-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-1-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-0-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-9-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-10-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-11-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-12-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-13-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-14-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-16-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-15-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-17-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-18-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-35-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-350-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-352-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-351-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-353-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-354-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-355-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-356-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-357-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-358-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-625-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-684-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-683-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-685-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-686-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-687-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-688-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-690-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-691-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-692-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4408-744-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Downloads MZ/PE file 2 IoCs

flow	pid	Process
160	4408	MSBuild.exe
378	2780	MSBuild.exe

Uses browser remote debugging 2 TTPs 17 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
6020	msedge.exe
8324	chrome.exe
6708	chrome.exe
2424	msedge.exe
6128	msedge.exe
6696	chrome.exe
7096	msedge.exe
7076	msedge.exe
5460	chrome.exe
4936	chrome.exe
5020	chrome.exe
4940	msedge.exe
3560	chrome.exe
4460	chrome.exe
2524	msedge.exe
5016	chrome.exe
2300	chrome.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk	bqMJ34L5llNOTnKy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk	biRAnXVqEiQoUgsc.exe

Executes dropped EXE 7 IoCs

pid	Process
1664	ec2n7q9z58.exe
448	k6fcj58y5f.exe
4440	vsj5xtj5xb.exe
5688	bqMJ34L5llNOTnKy.exe
4892	biRAnXVqEiQoUgsc.exe
1560	bqMJ34L5llNOTnKy.exe
4600	fAixGh4fFlFdwFbN.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChrome = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Qx2wstpc\\bqMJ34L5llNOTnKy.exe"	bqMJ34L5llNOTnKy.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5432 set thread context of 4408	5432	v7942.exe	81
PID 1664 set thread context of 5708	1664	ec2n7q9z58.exe	119
PID 448 set thread context of 2780	448	k6fcj58y5f.exe	122

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
10924	4892	WerFault.exe	126

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bqMJ34L5llNOTnKy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fAixGh4fFlFdwFbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biRAnXVqEiQoUgsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vsj5xtj5xb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bqMJ34L5llNOTnKy.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
8664	timeout.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133877279481025486"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
4408	MSBuild.exe
4408	MSBuild.exe
4408	MSBuild.exe
4408	MSBuild.exe
5460	chrome.exe
5460	chrome.exe
4408	MSBuild.exe
4408	MSBuild.exe
4408	MSBuild.exe
4408	MSBuild.exe
4408	MSBuild.exe
4408	MSBuild.exe
4408	MSBuild.exe
4408	MSBuild.exe
5708	MSBuild.exe
5708	MSBuild.exe
5708	MSBuild.exe
5708	MSBuild.exe
2780	MSBuild.exe
2780	MSBuild.exe
5688	bqMJ34L5llNOTnKy.exe
5688	bqMJ34L5llNOTnKy.exe
4892	biRAnXVqEiQoUgsc.exe
4892	biRAnXVqEiQoUgsc.exe
4892	biRAnXVqEiQoUgsc.exe
4892	biRAnXVqEiQoUgsc.exe
1560	bqMJ34L5llNOTnKy.exe
1560	bqMJ34L5llNOTnKy.exe
1560	bqMJ34L5llNOTnKy.exe
1560	bqMJ34L5llNOTnKy.exe
4600	fAixGh4fFlFdwFbN.exe
4600	fAixGh4fFlFdwFbN.exe
2780	MSBuild.exe
2780	MSBuild.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
2780	MSBuild.exe
2780	MSBuild.exe
2780	MSBuild.exe
2780	MSBuild.exe
2780	MSBuild.exe
2780	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
4940	msedge.exe
4940	msedge.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
7076	msedge.exe
7076	msedge.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	5460	chrome.exe
Token: SeCreatePagefilePrivilege	5460	chrome.exe
Token: SeShutdownPrivilege	8324	chrome.exe
Token: SeCreatePagefilePrivilege	8324	chrome.exe
Token: SeShutdownPrivilege	8324	chrome.exe
Token: SeCreatePagefilePrivilege	8324	chrome.exe
Token: SeShutdownPrivilege	8324	chrome.exe
Token: SeCreatePagefilePrivilege	8324	chrome.exe
Token: SeShutdownPrivilege	8324	chrome.exe
Token: SeCreatePagefilePrivilege	8324	chrome.exe
Token: SeShutdownPrivilege	8324	chrome.exe
Token: SeCreatePagefilePrivilege	8324	chrome.exe
Token: SeShutdownPrivilege	8324	chrome.exe
Token: SeCreatePagefilePrivilege	8324	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
5460	chrome.exe
4940	msedge.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
8324	chrome.exe
7076	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5432 wrote to memory of 4408	5432	v7942.exe	81
PID 5432 wrote to memory of 4408	5432	v7942.exe	81
PID 5432 wrote to memory of 4408	5432	v7942.exe	81
PID 5432 wrote to memory of 4408	5432	v7942.exe	81
PID 5432 wrote to memory of 4408	5432	v7942.exe	81
PID 5432 wrote to memory of 4408	5432	v7942.exe	81
PID 5432 wrote to memory of 4408	5432	v7942.exe	81
PID 5432 wrote to memory of 4408	5432	v7942.exe	81
PID 5432 wrote to memory of 4408	5432	v7942.exe	81
PID 5432 wrote to memory of 4408	5432	v7942.exe	81
PID 5432 wrote to memory of 4408	5432	v7942.exe	81
PID 5432 wrote to memory of 4408	5432	v7942.exe	81
PID 4408 wrote to memory of 5460	4408	MSBuild.exe	86
PID 4408 wrote to memory of 5460	4408	MSBuild.exe	86
PID 5460 wrote to memory of 1716	5460	chrome.exe	87
PID 5460 wrote to memory of 1716	5460	chrome.exe	87
PID 5460 wrote to memory of 4748	5460	chrome.exe	88
PID 5460 wrote to memory of 4748	5460	chrome.exe	88
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4756	5460	chrome.exe	89
PID 5460 wrote to memory of 4660	5460	chrome.exe	90
PID 5460 wrote to memory of 4660	5460	chrome.exe	90
PID 5460 wrote to memory of 4660	5460	chrome.exe	90
PID 5460 wrote to memory of 4660	5460	chrome.exe	90
PID 5460 wrote to memory of 4660	5460	chrome.exe	90
PID 5460 wrote to memory of 4660	5460	chrome.exe	90
PID 5460 wrote to memory of 4660	5460	chrome.exe	90
PID 5460 wrote to memory of 4660	5460	chrome.exe	90
PID 5460 wrote to memory of 4660	5460	chrome.exe	90
PID 5460 wrote to memory of 4660	5460	chrome.exe	90
PID 5460 wrote to memory of 4660	5460	chrome.exe	90
PID 5460 wrote to memory of 4660	5460	chrome.exe	90
PID 5460 wrote to memory of 4660	5460	chrome.exe	90
PID 5460 wrote to memory of 4660	5460	chrome.exe	90
PID 5460 wrote to memory of 4660	5460	chrome.exe	90
PID 5460 wrote to memory of 4660	5460	chrome.exe	90

C:\Users\Admin\AppData\Local\Temp\v7942.exe
"C:\Users\Admin\AppData\Local\Temp\v7942.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Downloads MZ/PE file
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5460
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffb0dccdcf8,0x7ffb0dccdd04,0x7ffb0dccdd10
      4⤵
      PID:1716
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2104,i,14852796103877122677,16236922841797539505,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2124 /prefetch:3
      4⤵
      PID:4748
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2044,i,14852796103877122677,16236922841797539505,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2040 /prefetch:2
      4⤵
      PID:4756
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2396,i,14852796103877122677,16236922841797539505,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2564 /prefetch:8
      4⤵
      PID:4660
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3248,i,14852796103877122677,16236922841797539505,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3340 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5020
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,14852796103877122677,16236922841797539505,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3368 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5016
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3776,i,14852796103877122677,16236922841797539505,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4364 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:4936
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3864,i,14852796103877122677,16236922841797539505,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4748 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2300
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5012,i,14852796103877122677,16236922841797539505,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5024 /prefetch:8
      4⤵
      PID:3232
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5464,i,14852796103877122677,16236922841797539505,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5024 /prefetch:8
      4⤵
      PID:5884
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5380,i,14852796103877122677,16236922841797539505,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5632 /prefetch:8
      4⤵
      PID:4044
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4204,i,14852796103877122677,16236922841797539505,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5684 /prefetch:8
      4⤵
      PID:4292
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5652,i,14852796103877122677,16236922841797539505,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5660 /prefetch:8
      4⤵
      PID:2860
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5616,i,14852796103877122677,16236922841797539505,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5696 /prefetch:8
      4⤵
      PID:1268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x274,0x7ffb0e08f208,0x7ffb0e08f214,0x7ffb0e08f220
      4⤵
      PID:1916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1960,i,15508745183579006606,2772865751867257474,262144 --variations-seed-version --mojo-platform-channel-handle=2220 /prefetch:3
      4⤵
      PID:5280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2184,i,15508745183579006606,2772865751867257474,262144 --variations-seed-version --mojo-platform-channel-handle=2180 /prefetch:2
      4⤵
      PID:4108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2548,i,15508745183579006606,2772865751867257474,262144 --variations-seed-version --mojo-platform-channel-handle=2708 /prefetch:8
      4⤵
      PID:944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3524,i,15508745183579006606,2772865751867257474,262144 --variations-seed-version --mojo-platform-channel-handle=3572 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:6128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3540,i,15508745183579006606,2772865751867257474,262144 --variations-seed-version --mojo-platform-channel-handle=3580 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:6020
- - C:\ProgramData\ec2n7q9z58.exe
    "C:\ProgramData\ec2n7q9z58.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1664
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5708
- - C:\ProgramData\k6fcj58y5f.exe
    "C:\ProgramData\k6fcj58y5f.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:448
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      Downloads MZ/PE file
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2780
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        5⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:8324
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffb0ebbdcf8,0x7ffb0ebbdd04,0x7ffb0ebbdd10
        6⤵
        
        PID:8308
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1180,i,2768829343711005263,5549130450011933653,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2524 /prefetch:3
        6⤵
        
        PID:7404
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2124,i,2768829343711005263,5549130450011933653,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2596 /prefetch:8
        6⤵
        
        PID:7396
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2448,i,2768829343711005263,5549130450011933653,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2440 /prefetch:2
        6⤵
        
        PID:7360
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3268,i,2768829343711005263,5549130450011933653,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3288 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:6696
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3248,i,2768829343711005263,5549130450011933653,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3260 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:6708
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4312,i,2768829343711005263,5549130450011933653,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4336 /prefetch:2
        6⤵
        Uses browser remote debugging
        
        PID:3560
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4640,i,2768829343711005263,5549130450011933653,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4688 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4460
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5316,i,2768829343711005263,5549130450011933653,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5324 /prefetch:8
        6⤵
        
        PID:8224
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5324,i,2768829343711005263,5549130450011933653,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5520 /prefetch:8
        6⤵
        
        PID:8252
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5548,i,2768829343711005263,5549130450011933653,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5596 /prefetch:8
        6⤵
        
        PID:7600
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5368,i,2768829343711005263,5549130450011933653,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5332 /prefetch:8
        6⤵
        
        PID:6928
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5596,i,2768829343711005263,5549130450011933653,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5712 /prefetch:8
        6⤵
        
        PID:6844
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5948,i,2768829343711005263,5549130450011933653,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5356 /prefetch:8
        6⤵
        
        PID:2244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
        5⤵
        Uses browser remote debugging
        
        PID:7096
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --edge-skip-compat-layer-relaunch
        6⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:7076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x260,0x264,0x268,0x25c,0x308,0x7ffb0e35f208,0x7ffb0e35f214,0x7ffb0e35f220
        7⤵
        
        PID:7744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2056,i,295259748201604524,1293647105141648488,262144 --variations-seed-version --mojo-platform-channel-handle=2044 /prefetch:2
        7⤵
        
        PID:6204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=2220,i,295259748201604524,1293647105141648488,262144 --variations-seed-version --mojo-platform-channel-handle=2228 /prefetch:3
        7⤵
        
        PID:2448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2428,i,295259748201604524,1293647105141648488,262144 --variations-seed-version --mojo-platform-channel-handle=2492 /prefetch:8
        7⤵
        
        PID:6172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3472,i,295259748201604524,1293647105141648488,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:2524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3496,i,295259748201604524,1293647105141648488,262144 --variations-seed-version --mojo-platform-channel-handle=3524 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:2424
- - C:\ProgramData\vsj5xtj5xb.exe
    "C:\ProgramData\vsj5xtj5xb.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4440
  - - C:\Users\Admin\AppData\Local\Temp\Qx2wstpc\bqMJ34L5llNOTnKy.exe
      C:\Users\Admin\AppData\Local\Temp\Qx2wstpc\bqMJ34L5llNOTnKy.exe 0
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5688
    - - C:\Users\Admin\AppData\Local\Temp\Qx2wstpc\biRAnXVqEiQoUgsc.exe
        
        C:\Users\Admin\AppData\Local\Temp\Qx2wstpc\biRAnXVqEiQoUgsc.exe 5688
        5⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4892
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1076
        6⤵
        Program crash
        
        PID:10924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\aaieu" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8616
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 11
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:8664

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Qx2wstpc\bqMJ34L5llNOTnKy.exe
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\Qx2wstpc\bqMJ34L5llNOTnKy.exe
  C:\Users\Admin\AppData\Local\Temp\Qx2wstpc\bqMJ34L5llNOTnKy.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\551V2zKP\fAixGh4fFlFdwFbN.exe
    C:\Users\Admin\AppData\Local\Temp\551V2zKP\fAixGh4fFlFdwFbN.exe 1560
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4600

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:6996

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4892 -ip 4892
1⤵
PID:10824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ec2n7q9z58.exe

Filesize
850KB

MD5
260faa08dbff4bc7ca6346061f42b956

SHA1
ccef508bb2693b097510015ef89ebb8f0289c5c1

SHA256
c47a55b842177445756163ca2d5cadaed5cdd4d313d7897b9aaac8e1d1c6e810

SHA512
ae30c903720f58abef12b9e091872d4a6470bae5ba246fc1d35dbaa4aecad04803647a0339490090a037de780b09df4282d5cc6247731729bf24e8fe872c42dc

Download Submit
C:\ProgramData\k6fcj58y5f.exe

Filesize
736KB

MD5
18e5e760b807fc2b05172215540398b3

SHA1
6a1b4d3227088473c45869469b68a1737b26b90d

SHA256
6cff9733bcd32c2af2da61eab8281cd412a6d208ce6b763b783157be2901d5bd

SHA512
23430597753696466eea1c54337b1d37a734918433be2e0637aaf022c0ef09d5f8b04a3793ccb1a296bb83d13fda832d677cb926730653d78b0833f96737fa04

Download Submit
C:\ProgramData\vsj5xtj5xb.exe

Filesize
251KB

MD5
58d3a0d574e37dc90b40603f0658abd2

SHA1
bf5419ce7000113002b8112ace2a9ac35d0dc557

SHA256
dcc05c3ac7ae22d601bcb7c97cfcda568f3041bd39b2fd8899282dfde83369a5

SHA512
df61329a32e9261b01c5b7d95e0d9a3fb8cc36e5d90ede72bc16befe00fb32c221898a8346db9de07c0f5dcba57dcdbb09a22ca8b73223f989d33ec433c3a90a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
34c29bdb9e41b1f47f2d2786762c12ec

SHA1
4075131b18c3487e3e848361e112009c897629c7

SHA256
67ee11b51cd6f637795e31ab501f135ed595c8459bce885735f08b0418513a17

SHA512
ca3a978798e77b2ced27b379f38e935ef18beaa7ea23e34270a9af20b37e1b1c5edf9478606311cf1acabd83992766cb3da8444de9394c674d5955bdbc53c0d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
3f693d0a8e0b6b2c96e5c1e94b99112f

SHA1
d056a2261262c06c8c7bc5ef24eaaed70f50abf6

SHA256
a58f75e3e2bc1698805c50205cffd1ba2ef6fd580f9333182f1e0b043800e1a7

SHA512
6bfd298b6259e26f8ac8486eb978180a1d3a46cfd29ea633927a2ce9f93e1ed23e73baf86e72f539bb7a081a2e217da83eb8978859f7d56740a2d121bebe1a98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
75120bc48597a64cc5ec7a925f4f57ec

SHA1
6a5fa3487347b2b0919f36d79d391f742c18b1ff

SHA256
5d370918e6e935f2dd6d69337414da9a6bf61a4657a30a0a959afa8709071451

SHA512
8e9257da316a76a5b66c5621d0a1e7b8af0b0a150b72cf2efe573fd8edb8bd562b8c4cbf65f802c6fc8dc6c5d44aed83cc06ad89548430ca8dc6eed14ddda5fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
5abddabe523b8f22ce2272e771e19cfd

SHA1
9835f843699ad10aeba5e0b333e9abc12c7aa304

SHA256
6d18a9a861407ecaa12295f6b11291a5dd2c4583c9d843573fe6e8efe87f6bb9

SHA512
111776fc0941e58a1ee10e3fd33865140f9cbabd097b5e43381ab2d745f4fda164238602238325c3990f9b8775ced75030c05772a4d747946e27e1e5fc30a125

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
b063a1059e4296b05470703aa91a934d

SHA1
339d4c287e20916ac1d169a274815832b3e86f6a

SHA256
5f32df0742f0bb51dacc418d4507a7ad783fb87648cf4f9ef29e4f9051b9d764

SHA512
283b704289d62a000282ab0e35899ed568487c5f540798a2a311dc233bdedf107bc9c623c35ca040e94b082f066899d58d006a7540b51bb7cee44f902a9ac854

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
0605b75c5c345cc202a7885499cc09a7

SHA1
540568cdb245ba26bce8711347e456320012e83d

SHA256
8ed5d8964a977a79c5aacf34853c9e5e00a06de2f2f0964a56c4089805a2dda8

SHA512
dae16a98e4cf861b918d684f0d7660e1c6647897afeded6859253a51f8dd95c41f007e3f20fe43da0292b493c170cb94fb8370d7b17b4f23cf2950cec477f9a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
c1ba61b88e775f668fbcbb1672d1fde5

SHA1
4558b66ce877c6d1e651992066fb1044099dfd9a

SHA256
64ef656e8adf440d67301f591d4b0c331255c66d44fdec50e11ef3e338844089

SHA512
7edd5977f83b22c24c0c5192f344667feebc1c9212740939b15f6f02de98ebb4d9e5db7c7cacdc91d4209a628747d76eaeae8a4246b3c5e37700cbd41f17d296

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
35KB

MD5
6529923ddd2c94055885e97270413748

SHA1
d1a69463442e43fe0121c71aa3d0413ed4281c12

SHA256
c703df93d7907aeadfd33559e80a544294328366e25693a3f887568460cf9245

SHA512
fc5c4383bb41e23bfcb5a92c936fa091103e755de4627914ba64bf97b537ec7bc8c5965b860e1c4abdca6c7319a31bb3d309167859b0cf2c0a4fa8b127c663fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
63KB

MD5
1901d2bcbbabee4bbb9804c30642ae2b

SHA1
f31774bc12614be681c0b0c7de3ac128f0e932db

SHA256
15eba349e5829f11363614b8f3dd9c3d04994586601d3c4c4d8069e0f5655310

SHA512
bdb94d7d8cf47b239c61559545b1dd26e05da909fec05d215471388545879cd8ec9e1fea51c04ed43927e2b07b5b80a74f09eb9038c8d9045e4161ea69df215f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
38KB

MD5
f53236bc138719b68ccd1c7efb02a276

SHA1
26b7d3eea5d3b12d0b0e173ebf2af50a7d7e56d6

SHA256
787c14f8cc865430c03c96a345044b7c5b8dc8a032511a500d4a42228533acd8

SHA512
5485bc7ccce8ec75f60bca3be846086a4bd4466009c8e22da9cdd16bb1154529af2fb2667cd3a97485cc4f6635fb79ac0fdda4f3e1f39f25f6196f708a92d740

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
320B

MD5
5cbb56de856b55836560f7078cbea9dd

SHA1
fbc54460260d368c7b70c04bb57f3a206b253f2f

SHA256
ddff2050dd646f354332c15be6b27d165aee2b6e8c77f17accb1fed2f4197c37

SHA512
3d98a3d42d95115f1b22c1a93ae2ead73a04400f2f2be256a0d72cd30366724269e72e758f4b871536b050900a0f450f068e5e69bdca261d2d4657460e4d4813

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
332B

MD5
7dce0c56d79029b52fa3e541fccb8394

SHA1
8cf90329dcb60e972f11ff873df398dc44b6532a

SHA256
a0a50ca04d5f60ff86d6a996d2465f719730414e0cd77c9c4f551a143de4e93d

SHA512
790feb37b838247facaffb020f360016c792d8d076feb96b10b33cdbb520080c65e84e71585164b0a8c63c74e97f9fc9b81e3298f5466feb226319e2841bb2a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log

Filesize
3KB

MD5
d5c027623be636025fb7ad1c98ec355c

SHA1
8dea7ec36af79b6a0927c112fde922fe6eb188b8

SHA256
87fb405216a9d98698f1ca3e3b117ed3f012ed2ca7fd9bce08bf9ce978ed250a

SHA512
1a68c593f17f171cc87bd5ceff5206afd8d7f1ac589263f1c2e9d0aeecd1e74b1d7b6b0fbbed12c2f9d291ca1ed28a2cd669c8abfebfbd001dc9f70c079b58a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG

Filesize
336B

MD5
3da47d84cc41309401b3e355f4f26bc1

SHA1
bc2b5b51af6afb19cc1a37db4b2d756c6b8e8eff

SHA256
b3f64c117683b99e0d0e270508aafcbaba93d16d391a6607d0434537527770cf

SHA512
ab694020256f76a0385a504ee7e64867961b5df1be2dcf42ddf1def33d15a4e57a508f187310c1f38dbc666639a23c1adf169b02911708f99c98b6277f11c6ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\f1cdccba37924bda_0

Filesize
128KB

MD5
ad5500392a3d6dab62cbbed72729419d

SHA1
74b1d039a44cc37e62dc573d0d14efe2ead9e391

SHA256
aac955452d846e19791a2c1f30dba6a9c1ebde5b20547d37c6e7ebb6c62154eb

SHA512
454433c661570990955c25eedb52ebdf5ae2317ac062cb23be3537b1cc8b5afc2a1d3d1e370951641a473cccb0f3ddee9db34dee2bb7f52db5bb4c9a609a1872

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\f1cdccba37924bda_1

Filesize
343KB

MD5
fe0afab9e43167cfacab107f21d040b4

SHA1
6448a3243f17b73cf4cb5fa0c0d13e8e59751f83

SHA256
3cbdbe25233c061eee0a1826abfbd94d5e4cbd3a1af33b36cedd7c330293eedd

SHA512
eaca957714b139b3da6fd096407007b0940f280a1aea7922220678958a37869a5640422f7acb232732b6ee2063fbd8f9de080ec49bb5d8c0210b859a8b7ca883

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
fae2ca7477638405225ae7a4fee7bfa7

SHA1
d154824a0ac97fa40dbe39703d03572d432beff7

SHA256
2189476ab82985de29eddfbef193870f9f6a0c6ef3ba538a582177cef3543dd8

SHA512
57eda70f2fd0c52bbc30228623a68e4145d345ed8789a91abfedfe2a121666affba41e562f552ef663b5b6bae6a61016a16ee70e10ff18d75800127f768ff60a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

Filesize
308B

MD5
4e7982b86b3d7d916b7722aa3b3f0669

SHA1
ce4e874903cb71d9012cc7654ca7a6ba5e4f7efd

SHA256
cbee1100a2c9add47776b7e416b58a809f6feb9fe458bef8185b0c176b5db340

SHA512
c4dda8b36e90a327061dab901730f47fc23cca129b02a157f1ed0c566a1d6dddf272a4e74d3acbf14eb3a7fac0820387a584db9e19ca299724ed7f3030f891bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
320B

MD5
2821898daf5587ced49962e2b40eba90

SHA1
32449e1135e9955bd710c4ab665380b6d45fa13b

SHA256
d1acb8902b3f2fc734b0dbb48166cc2d74198517f3523b45e8479bd3b478ca21

SHA512
0283b57b85b9aab05ecc964297de01f540b2534e0164e6d028b1f4eded463a93e76bdf2c42a860f8ea48fcbfd8df4c56d739d8bd3470f671f719223e37971f02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
348B

MD5
994c6dd40ec1edc782be5213f565e728

SHA1
99574d9f8730200c7bf1eb82bf2fe8c0d9b8c49f

SHA256
a51df0ecfd9d46b61953c321a05beb1310447b74624c516f03177f49d82c49c2

SHA512
2d595ff536445fe11006f0c762fc5b465f319683f80712855112e046e6afdb71be3c930ebbd92849b4ff4dd899390f9cf1f54171bdd176d77b367e46463f7537

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
324B

MD5
e0629adcee551e5eb86a0ed7eb3b334b

SHA1
df3ef970de685e51291e64c5e9711f432bc69f7d

SHA256
a9a93860687dc30e2b4c2e7683705270efc3b9110b3dd1599dc24673c3be2728

SHA512
7151095ec042b0a909b8f30e5c93189609f74dce792e7d88997d1ca4c0730f178b6316da91d8191a31ca1cf380d173d18b0fb6f70e0ac5d5a48d277f9135e32f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
130KB

MD5
171a1bf92821c4143b5f2274dabca380

SHA1
da99916a80751cbb054943630803ce48f7035239

SHA256
a00f44e3256486b0d502633f39d83be5f6f70a79cb85641486365fa5770f813e

SHA512
0b7f96c1ed1817f8525274be019ffc0eb8cc5cd6b21ef716f9b45821bdd9a79aab9b90f72709b27dd1ca8b61215480c9912f918d9d69a7b349782915c21b4b4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager-journal

Filesize
12KB

MD5
56d68b718636f8895cd82b2b0dd110cd

SHA1
4cc843cdb0ec68bc7c3b7fb8ccc7ae00f0a2fbe8

SHA256
1ce0cf028c3916086f1836734107947408c2a1171de7ef9027d0b979cff977ea

SHA512
606fe209ff211dd4d903c76367bfa341690489b66e98fcc873ae9adeea32c0828399b78fe5a818c2d8d2a1286e924e3124bd375d0e4d0c58497729186a193ea1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

Filesize
19KB

MD5
c969235a6a4f8638f67ae9434a5d4ac1

SHA1
64344a5236f8cb995adc19612f423eb975c91d10

SHA256
77acb349792bd138d3a6fe2f3a4f653ad5c0cdb8ad3e53cbb996a612f376507b

SHA512
946a2ad15e8aee4ac44491b2e54120c226ce61aad7b6408d88fe99d35e56c7710f12987cd154c15cfd9ecc59c7e7e2fa7b3d3ce4ca70679f01f9ad4282306551

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
320B

MD5
33ab0e5caeae1904993c7aec343604e9

SHA1
d6d80148b76aecf4cfe7280af1d9e1085ed5072b

SHA256
6b2cbcd1a898f15d218d4770992b336a3ed01aa90612f487d6fc86a8d33e8e06

SHA512
605fa2cbad81425f03ec1ec1645d3b63e9fdef43f7074bcf40bb83f274bb4d135bfff1a82ab9c8ceefbf7cad4f7c56fb32ed5997dcf0b3f7f095fbc78b6e3b41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
1KB

MD5
1395ccca3678bdd62745584108b486b5

SHA1
34cdbab0cfee30c82a66ed7b20318893ce26672a

SHA256
78407aa72f61f4ff3101d7f6f4758268314b776bcfb6f9e2aecb573930125ff7

SHA512
fdaecc18dcf5096dc2ec76e2293e45ffdb786773a2c8dec52cbeb1246b436333f6bafc583a8eaebb7702db18ba384c3d862f84f36b5c3572d48ac5a8b37f2a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
338B

MD5
63e7fc89399882d9ba635f73a5e1a588

SHA1
3ecc9ff65abdf32b76832a4d26f7ae4fc519ec4d

SHA256
d84a1cb7a511337f8490501f999899647fbf5d1a0aafc86b9af060f0592c2db7

SHA512
591c7ba4ed2f1740f52a637e20d838c8d2807470dc6023e6f9aaea8b8870a2d8fad3ca0a2d0f9145c5bf758189c6edb92df7d75f3d908444c1219772eca39b84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
53f70fff24943228ba0d3c37e9fdc416

SHA1
3efa86509b9a0db232a98dc4d2300ccd693ca48e

SHA256
0029b11cd3d650bc7f3ce020ca0cf10a184770bd91ba7a832a93fb892a580d2f

SHA512
d91f912c3d1ccfcd262c6c9c66bbb8f01d6e04d968f5336b77f3e33fa5956800d1290d9d3afe81993a2c64bc7dbeb2cc4175d7a365e73d37e6f3a9acedd5c2fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
56ea4ed75b36d98dc95d5a1ceb896e47

SHA1
a6eb07d3a8d05a801ce146d071d72586eee02cc5

SHA256
68b7168dd15d6bb46b40d0f99d67c37eeb0c68e6f30221cb2341065b8f145c0b

SHA512
8a849099d90201d23258a5059272216dee2a44154da951e33b4af787c1443cacd887bb09ad47eeb7dd006e5d3acfd2eb1f2bdab17989b808c27df5685ac38ce0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
4.0MB

MD5
88f527767168952f0ee54ba076b62abc

SHA1
f4cfcd164d1e525273990aa4708e74f7333fe7ee

SHA256
84d8e48e9a71b706ccd24f089a372b10b0da48c8c27a65a309a2a25b30b87787

SHA512
da343cd1963262e741ab8341d3218fdcf3f2d2f62c6e4f4db9d3c62a7faf2716d31b9c02189f3cbf9129e82d3fb5a293f3cdba4800e5705e36941ce13a80f185

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
13B

MD5
a4710a30ca124ef24daf2c2462a1da92

SHA1
96958e2fe60d71e08ea922dfd5e69a50e38cc5db

SHA256
7114eaf0a021d2eb098b1e9f56f3500dc4f74ac68a87f5256922e4a4b9fa66b7

SHA512
43878e3bc6479df9e4ebd11092be61a73ab5a1441cd0bc8755edd401d37032c44a7279bab477c01d563ab4fa5d8078c0ba163a9207383538e894e0a7ff5a3e15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
febbcabc8366ea58d75f8a3cdba1fd33

SHA1
e3316df66d73256f0b70183e500e13511c3c8084

SHA256
6502b37f2eec8dce71b3424a6ce2340b44c5c64d74021b09355ff934a6a0bf92

SHA512
b82b7325604dae0e6240f927a7c73c5a22a9e0469b6941c8baf910f5c12e60f68f0a85f22ac34211929e735ca3ea447c6aaf54f788ac8725a7205646367fecc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
16b7586b9eba5296ea04b791fc3d675e

SHA1
8890767dd7eb4d1beab829324ba8b9599051f0b0

SHA256
474d668707f1cb929fef1e3798b71b632e50675bd1a9dceaab90c9587f72f680

SHA512
58668d0c28b63548a1f13d2c2dfa19bcc14c0b7406833ad8e72dfc07f46d8df6ded46265d74a042d07fbc88f78a59cb32389ef384ec78a55976dfc2737868771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
32ef698c5d7adfb5d0941f1c1394b72c

SHA1
91d88ca060657cb2ffdfe1784aa004e7ef5c765e

SHA256
f345cb941696a3f6650ffead8a73fb893709e3da2683e9f1ea15c6b7a2834bf4

SHA512
5978fa3c82bebb06bd34475cf734aa1c768eb3cbc66171c1c526116597169d8a12e13ee07e4a9ca64c55d3349cd8c096177ee9851a67129e493a1804e713b695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
9a1d48286ce97f5ce9bb99ff9b214ed5

SHA1
f185dae5f66c2d622bd1fefeaa30223f737a67e7

SHA256
0cf61088061592d94572c01fc6e6009cca561f2c3fdaacf76b6895964ad6e7a9

SHA512
d1125f928650766c4fa2f12e614cd2f6de47b650cd56e8770e91cedff4edd03bea4229c9962dfc4778c2e55a7e39a959fb61cc16f4689830c157c93dd6934e0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\182a2c66-5fd7-422f-a6d9-ec6fd331b19f\index-dir\the-real-index

Filesize
1KB

MD5
96af6cd1c0be116ec1cb7aafd0fe0fc9

SHA1
ac6cda477a41eb5db7e30e2889448c66223238d3

SHA256
d5f8dd8f2f388dc9bb03c4cbbb55a900b8ef5a5e905dc9392d1ff3eb1f217f18

SHA512
ada509e7c6e38a3a7639497b947ab6e060398978fa2060aadd57b8d528f79af7f3d64bf450810bd6456cbbf29c0ff2afbbda555e037beb539ea2057176c992fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\182a2c66-5fd7-422f-a6d9-ec6fd331b19f\index-dir\the-real-index

Filesize
1KB

MD5
d77852458c4a3ba6c239580fc649a940

SHA1
adbef6b198c8a81d43fa33a9352db107fddeb8d3

SHA256
cbeabd6c1cb5faaa894c54ce519f18863a7c1e1bdba7bc653cdfbb4cac7bdfe2

SHA512
535d62e3696ad7f4f8de6e1e89a563e0b8fefbfbacba691250c62f44ece87b941246dc49668675b1f978c94ef2856ca4321ba0ba482664f5f79c289b6ffc2290

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\182a2c66-5fd7-422f-a6d9-ec6fd331b19f\index-dir\the-real-index~RFe579a7b.TMP

Filesize
1KB

MD5
24b82fe040d5e0d4dd1f584bbd0a43e5

SHA1
c65202468c5056c7de08b61f377d8713819b8e8f

SHA256
1d7b0e60f34d71fc58d060707891763b5b9cb1bb479d7481a60c998ef223e1f1

SHA512
a153348e39f4ce1b881a9a68b7893a82146073b6cd76d0f2c39ceabcbf73a99facd6f2ce3ea8b7c7240f6e4259fcdba96a7972306f316ebb1d8595a33cd5291e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\182a2c66-5fd7-422f-a6d9-ec6fd331b19f\index-dir\the-real-index~RFe59693f.TMP

Filesize
1KB

MD5
f6a334d4fa9e3abdb42a5ad4383dedc1

SHA1
17f77d36f98e254e73458a2d9276ae352cb16bdc

SHA256
1f49affc8c49bc48eeeb7cf660bbb5c207c46e15ec7978430df54c2e972f74ec

SHA512
2a0c11c5f9f986a8291834af43dbf4ee94184e8c5dc18e433351a6e2d1f184bd1ea277fd255faabdb4458391d9188727e9893b4b3cc00b135119de10bf0ff0ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\deac7957-e4e2-4a1f-afa8-5b602ab1fcff.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
d52e1431876da1363aa3355030e94ce6

SHA1
993df74b156fd5bc54f0693f2ec59f08d6061066

SHA256
ef26c989e128bb038f5e93113a3570fe18f6ebdbda0d50b3d5998cf121730560

SHA512
cca7133b6984e65e468e24cb3987e6e0d26d0730cf1344cec1a724ffcd03c6d04c267e5904952cc891cdad8d8072066d5b23d8f5409721647b1307ab19bf11c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2f255ef-c356-4b35-b8f9-5924db98ed06.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir8324_698882898\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir8324_698882898\CRX_INSTALL\_locales\en_US\messages.json

Filesize
1KB

MD5
64eaeb92cb15bf128429c2354ef22977

SHA1
45ec549acaa1fda7c664d3906835ced6295ee752

SHA256
4f70eca8e28541855a11ec7a4e6b3bc6dd16c672ff9b596ecfb7715bb3b5898c

SHA512
f63ee02159812146eee84c4eb2034edfc2858a287119cc34a8b38c309c1b98953e14ca1ca6304d6b32b715754b15ba1b3aa4b46976631b5944d50581b2f49def

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir8324_698882898\CRX_INSTALL\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir8324_698882898\CRX_INSTALL\manifest.json

Filesize
1KB

MD5
2a738ca67be8dd698c70974c9d4bb21b

SHA1
45a4086c876d276954ffce187af2ebe3dc667b5f

SHA256
b08d566a5705247ddc9abf5e970fc93034970b02cf4cb3d5ccc90e1a1f8c816e

SHA512
f72b9190f9f2b1acc52f7fbb920d48797a96e62dfc0659c418edbbc0299dccf1931f6c508b86c940b976016745b9877f88f2ee081d3e3d5dcdcc2cc7e7884492

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk

Filesize
1KB

MD5
707e70d6dd8d4b9bd685b689cd5dee93

SHA1
8376bd44b060ec5a841d9fbf50091b07828e5e58

SHA256
26b2dd254839e88e7c106ad7b5d76d75db49ace6f81fcb677a6d17127ff686e6

SHA512
3b58ec251ce910213c3326e162c0095308c40d1ed5f3abd31db91831d737862ccc0103fb56691ad8c82f9a1f39e9d76b14a744ad0c3f159671e3674e5e5d9b05

Download Submit
memory/2780-722-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/2780-721-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/2780-745-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4408-357-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-354-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-353-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-691-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-690-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-688-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-687-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-686-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-685-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-683-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-684-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-625-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-358-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-744-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-356-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-355-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-692-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-351-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-352-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-350-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-737-0x0000000000B00000-0x0000000000B44000-memory.dmp

Filesize
272KB

Download
memory/5708-707-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5708-706-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download