lumma | 3c5a551b8fee65ffc444a3c0730b990591c3a95e442426563539f0a2ca3871d2

Analysis

max time kernel
149s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
29/03/2025, 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

v7942.exe
Size

634KB
MD5

d62b289592043f863f302d7e8582e9bc
SHA1

cc72a132de961bb1f4398b933d88585ef8c29a41
SHA256

3c5a551b8fee65ffc444a3c0730b990591c3a95e442426563539f0a2ca3871d2
SHA512

63d389102c1b78ea5157aad0a3f45f351a5752ae896729d85be81b70721f19869efdb8dfa87906f891be9bec0d9154b7498e4ac4216fd3ec574fae64707e258c
SSDEEP

12288:SaQ9+ICJkAp0mBpehM8ppy+E4J/aDQy5b4WeZGl/GtWV3OH2JrZw9RlUR:Kw4GBpehMjcuP5b4Fty3pZwXlUR

Score

10^/10

lumma stealc vidar 928af183c2a2807a3c0526e8c0c9369d default credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

13.3

Botnet

928af183c2a2807a3c0526e8c0c9369d

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Family

lumma

https://wxayfarer.live/ALosnz

https://byteplusx.digital/aXweAX

https://travewlio.shop/ZNxbHi

https://skynetxc.live/AksoPA

https://pixtreev.run/LkaUz

https://advennture.top/GKsiio

https://atargett.top/dsANGt

https://70sparkiob.digital/KeASUp

https://appgridn.live/LEjdAK

Extracted

Family

stealc

Botnet

default

http://77.90.153.241

Attributes

url_path
/612acd258782ade8.php

Signatures

Detect Vidar Stealer 44 IoCs

stealer

resource	yara_rule
behavioral2/memory/2748-0-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-1-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-2-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-11-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-16-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-17-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-18-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-21-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-22-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-26-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-27-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-31-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-49-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-50-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-374-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-375-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-376-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-379-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-383-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-387-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-388-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-389-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-556-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-647-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-648-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-651-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-652-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-653-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-654-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-655-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-656-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-657-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-658-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2748-716-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2460-1274-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2460-1294-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2460-1295-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2460-1300-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2460-1301-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2460-1304-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2460-1308-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2460-1309-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2460-1310-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2460-1314-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Downloads MZ/PE file 10 IoCs

flow	pid	Process
162	2748	MSBuild.exe
162	2748	MSBuild.exe
230	5200	MSBuild.exe
230	5200	MSBuild.exe
230	5200	MSBuild.exe
230	5200	MSBuild.exe
230	5200	MSBuild.exe
230	5200	MSBuild.exe
292	5200	MSBuild.exe
292	5200	MSBuild.exe

Uses browser remote debugging 2 TTPs 22 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2080	msedge.exe
4836	chrome.exe
4612	chrome.exe
4736	chrome.exe
6068	msedge.exe
384	chrome.exe
2656	chrome.exe
3700	chrome.exe
6988	msedge.exe
4844	chrome.exe
5476	msedge.exe
1140	chrome.exe
2512	chrome.exe
3380	msedge.exe
6980	msedge.exe
6164	chrome.exe
2764	chrome.exe
3376	chrome.exe
4180	chrome.exe
5592	msedge.exe
16880	chrome.exe
4784	chrome.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk	XqaxJOdr3Trg4bsJ.exe

Executes dropped EXE 12 IoCs

pid	Process
3656	ct26fknglf.exe
4808	ny5pzukxtr.exe
4572	wtr1no89hv.exe
4548	XqaxJOdr3Trg4bsJ.exe
4580	H2LwgaaHEOPh3Nfu.exe
2352	XqaxJOdr3Trg4bsJ.exe
916	qdLvhAYorsWNT9bq.exe
972	CFCFHJDBKJ.exe
4640	AAFIJKKEHJ.exe
2832	CBFCBKKFBA.exe
2140	r2pSTIMr9np8cZrl.exe
4644	qgapbkj30rfYHPXM.exe

Loads dropped DLL 2 IoCs

pid	Process
5200	MSBuild.exe
5200	MSBuild.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChrome = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JLb8eT3Y\\XqaxJOdr3Trg4bsJ.exe"	XqaxJOdr3Trg4bsJ.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 560 set thread context of 2748	560	v7942.exe	78
PID 3656 set thread context of 6072	3656	ct26fknglf.exe	109
PID 4808 set thread context of 5200	4808	ny5pzukxtr.exe	111
PID 972 set thread context of 2460	972	CFCFHJDBKJ.exe	159
PID 4640 set thread context of 1648	4640	AAFIJKKEHJ.exe	163

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qdLvhAYorsWNT9bq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CBFCBKKFBA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r2pSTIMr9np8cZrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wtr1no89hv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XqaxJOdr3Trg4bsJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XqaxJOdr3Trg4bsJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qgapbkj30rfYHPXM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	H2LwgaaHEOPh3Nfu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5468	timeout.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133877279489709328"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-976934595-4290022905-4081117292-1000\{31117D23-C051-4F3B-9F1D-44EE2B7ED39C}	msedge.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
2748	MSBuild.exe
2748	MSBuild.exe
2748	MSBuild.exe
2748	MSBuild.exe
2764	chrome.exe
2764	chrome.exe
2748	MSBuild.exe
2748	MSBuild.exe
2748	MSBuild.exe
2748	MSBuild.exe
2748	MSBuild.exe
2748	MSBuild.exe
2748	MSBuild.exe
2748	MSBuild.exe
6072	MSBuild.exe
6072	MSBuild.exe
6072	MSBuild.exe
6072	MSBuild.exe
5200	MSBuild.exe
5200	MSBuild.exe
4548	XqaxJOdr3Trg4bsJ.exe
4548	XqaxJOdr3Trg4bsJ.exe
4580	H2LwgaaHEOPh3Nfu.exe
4580	H2LwgaaHEOPh3Nfu.exe
4580	H2LwgaaHEOPh3Nfu.exe
4580	H2LwgaaHEOPh3Nfu.exe
2352	XqaxJOdr3Trg4bsJ.exe
2352	XqaxJOdr3Trg4bsJ.exe
2352	XqaxJOdr3Trg4bsJ.exe
2352	XqaxJOdr3Trg4bsJ.exe
916	qdLvhAYorsWNT9bq.exe
916	qdLvhAYorsWNT9bq.exe
5200	MSBuild.exe
5200	MSBuild.exe
1140	chrome.exe
1140	chrome.exe
5200	MSBuild.exe
5200	MSBuild.exe
5200	MSBuild.exe
5200	MSBuild.exe
5200	MSBuild.exe
5200	MSBuild.exe
5200	MSBuild.exe
5200	MSBuild.exe
2140	r2pSTIMr9np8cZrl.exe
2140	r2pSTIMr9np8cZrl.exe
4644	qgapbkj30rfYHPXM.exe
4644	qgapbkj30rfYHPXM.exe
4644	qgapbkj30rfYHPXM.exe
4644	qgapbkj30rfYHPXM.exe
1648	MSBuild.exe
1648	MSBuild.exe
1648	MSBuild.exe
1648	MSBuild.exe
2460	MSBuild.exe
2460	MSBuild.exe
2460	MSBuild.exe
2460	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
5476	msedge.exe
5476	msedge.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
2080	msedge.exe
2080	msedge.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	2764	chrome.exe
Token: SeCreatePagefilePrivilege	2764	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe
Token: SeShutdownPrivilege	1140	chrome.exe
Token: SeCreatePagefilePrivilege	1140	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
2764	chrome.exe
5476	msedge.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
1140	chrome.exe
2080	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 2748	560	v7942.exe	78
PID 560 wrote to memory of 2748	560	v7942.exe	78
PID 560 wrote to memory of 2748	560	v7942.exe	78
PID 560 wrote to memory of 2748	560	v7942.exe	78
PID 560 wrote to memory of 2748	560	v7942.exe	78
PID 560 wrote to memory of 2748	560	v7942.exe	78
PID 560 wrote to memory of 2748	560	v7942.exe	78
PID 560 wrote to memory of 2748	560	v7942.exe	78
PID 560 wrote to memory of 2748	560	v7942.exe	78
PID 560 wrote to memory of 2748	560	v7942.exe	78
PID 560 wrote to memory of 2748	560	v7942.exe	78
PID 560 wrote to memory of 2748	560	v7942.exe	78
PID 2748 wrote to memory of 2764	2748	MSBuild.exe	79
PID 2748 wrote to memory of 2764	2748	MSBuild.exe	79
PID 2764 wrote to memory of 4080	2764	chrome.exe	80
PID 2764 wrote to memory of 4080	2764	chrome.exe	80
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4860	2764	chrome.exe	81
PID 2764 wrote to memory of 4516	2764	chrome.exe	82
PID 2764 wrote to memory of 4516	2764	chrome.exe	82
PID 2764 wrote to memory of 896	2764	chrome.exe	83
PID 2764 wrote to memory of 896	2764	chrome.exe	83
PID 2764 wrote to memory of 896	2764	chrome.exe	83
PID 2764 wrote to memory of 896	2764	chrome.exe	83
PID 2764 wrote to memory of 896	2764	chrome.exe	83
PID 2764 wrote to memory of 896	2764	chrome.exe	83
PID 2764 wrote to memory of 896	2764	chrome.exe	83
PID 2764 wrote to memory of 896	2764	chrome.exe	83
PID 2764 wrote to memory of 896	2764	chrome.exe	83
PID 2764 wrote to memory of 896	2764	chrome.exe	83
PID 2764 wrote to memory of 896	2764	chrome.exe	83
PID 2764 wrote to memory of 896	2764	chrome.exe	83
PID 2764 wrote to memory of 896	2764	chrome.exe	83
PID 2764 wrote to memory of 896	2764	chrome.exe	83
PID 2764 wrote to memory of 896	2764	chrome.exe	83
PID 2764 wrote to memory of 896	2764	chrome.exe	83

C:\Users\Admin\AppData\Local\Temp\v7942.exe
"C:\Users\Admin\AppData\Local\Temp\v7942.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Downloads MZ/PE file
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffd42ccdcf8,0x7ffd42ccdd04,0x7ffd42ccdd10
      4⤵
      PID:4080
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1948,i,9029596345801435636,9480569738570433463,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1944 /prefetch:2
      4⤵
      PID:4860
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2228,i,9029596345801435636,9480569738570433463,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2232 /prefetch:11
      4⤵
      PID:4516
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2288,i,9029596345801435636,9480569738570433463,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2960 /prefetch:13
      4⤵
      PID:896
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3280,i,9029596345801435636,9480569738570433463,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3300 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4736
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3288,i,9029596345801435636,9480569738570433463,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3360 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4784
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4332,i,9029596345801435636,9480569738570433463,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4356 /prefetch:9
      4⤵
      Uses browser remote debugging
      PID:3376
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4736,i,9029596345801435636,9480569738570433463,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4656 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4180
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5332,i,9029596345801435636,9480569738570433463,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5344 /prefetch:14
      4⤵
      PID:2796
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5516,i,9029596345801435636,9480569738570433463,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5260 /prefetch:14
      4⤵
      PID:2268
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5272,i,9029596345801435636,9480569738570433463,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5440 /prefetch:14
      4⤵
      PID:128
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5784,i,9029596345801435636,9480569738570433463,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5704 /prefetch:14
      4⤵
      PID:2104
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5412,i,9029596345801435636,9480569738570433463,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5376 /prefetch:14
      4⤵
      PID:1824
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5804,i,9029596345801435636,9480569738570433463,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5792 /prefetch:14
      4⤵
      PID:5052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:5476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x264,0x7ffd42caf208,0x7ffd42caf214,0x7ffd42caf220
      4⤵
      PID:6016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1892,i,1936412401751957215,5920727573310929771,262144 --variations-seed-version --mojo-platform-channel-handle=2136 /prefetch:11
      4⤵
      PID:5564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2100,i,1936412401751957215,5920727573310929771,262144 --variations-seed-version --mojo-platform-channel-handle=2096 /prefetch:2
      4⤵
      PID:2288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2380,i,1936412401751957215,5920727573310929771,262144 --variations-seed-version --mojo-platform-channel-handle=2404 /prefetch:13
      4⤵
      PID:3412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3444,i,1936412401751957215,5920727573310929771,262144 --variations-seed-version --mojo-platform-channel-handle=3484 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:6068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3468,i,1936412401751957215,5920727573310929771,262144 --variations-seed-version --mojo-platform-channel-handle=3488 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5592
- - C:\ProgramData\ct26fknglf.exe
    "C:\ProgramData\ct26fknglf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3656
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:6072
- - C:\ProgramData\ny5pzukxtr.exe
    "C:\ProgramData\ny5pzukxtr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4808
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      Downloads MZ/PE file
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:5200
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        5⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1140
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd42bddcf8,0x7ffd42bddd04,0x7ffd42bddd10
        6⤵
        
        PID:5240
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1932,i,14649584703260894555,8234908965164356852,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2136 /prefetch:11
        6⤵
        
        PID:1528
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2084,i,14649584703260894555,8234908965164356852,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2068 /prefetch:2
        6⤵
        
        PID:5228
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2428,i,14649584703260894555,8234908965164356852,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2440 /prefetch:13
        6⤵
        
        PID:2316
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,14649584703260894555,8234908965164356852,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3144 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2512
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,14649584703260894555,8234908965164356852,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3188 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:384
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4324,i,14649584703260894555,8234908965164356852,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4352 /prefetch:9
        6⤵
        Uses browser remote debugging
        
        PID:2656
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4668,i,14649584703260894555,8234908965164356852,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3788 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3700
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5348,i,14649584703260894555,8234908965164356852,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5340 /prefetch:14
        6⤵
        
        PID:4824
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5536,i,14649584703260894555,8234908965164356852,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5544 /prefetch:14
        6⤵
        
        PID:3488
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5544,i,14649584703260894555,8234908965164356852,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5496 /prefetch:14
        6⤵
        
        PID:1356
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5736,i,14649584703260894555,8234908965164356852,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5748 /prefetch:14
        6⤵
        
        PID:1536
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5884,i,14649584703260894555,8234908965164356852,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5900 /prefetch:14
        6⤵
        
        PID:5208
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5568,i,14649584703260894555,8234908965164356852,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5748 /prefetch:14
        6⤵
        
        PID:7548
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
        5⤵
        Uses browser remote debugging
        
        PID:3380
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --edge-skip-compat-layer-relaunch
        6⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Modifies registry class
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:2080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2f0,0x7ffd42bbf208,0x7ffd42bbf214,0x7ffd42bbf220
        7⤵
        
        PID:3212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2176,i,14487499483261597664,5463420724174729498,262144 --variations-seed-version --mojo-platform-channel-handle=2172 /prefetch:2
        7⤵
        
        PID:4748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1840,i,14487499483261597664,5463420724174729498,262144 --variations-seed-version --mojo-platform-channel-handle=2540 /prefetch:11
        7⤵
        
        PID:5456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2096,i,14487499483261597664,5463420724174729498,262144 --variations-seed-version --mojo-platform-channel-handle=2668 /prefetch:13
        7⤵
        
        PID:7280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3468,i,14487499483261597664,5463420724174729498,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:6988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3472,i,14487499483261597664,5463420724174729498,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:6980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4916,i,14487499483261597664,5463420724174729498,262144 --variations-seed-version --mojo-platform-channel-handle=4952 /prefetch:14
        7⤵
        
        PID:6552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4924,i,14487499483261597664,5463420724174729498,262144 --variations-seed-version --mojo-platform-channel-handle=4972 /prefetch:14
        7⤵
        
        PID:6560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5756,i,14487499483261597664,5463420724174729498,262144 --variations-seed-version --mojo-platform-channel-handle=5772 /prefetch:14
        7⤵
        
        PID:6448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
        
        cookie_exporter.exe --cookie-json=1140
        8⤵
        
        PID:6336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5916,i,14487499483261597664,5463420724174729498,262144 --variations-seed-version --mojo-platform-channel-handle=5776 /prefetch:14
        7⤵
        
        PID:6320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5916,i,14487499483261597664,5463420724174729498,262144 --variations-seed-version --mojo-platform-channel-handle=5776 /prefetch:14
        7⤵
        
        PID:6260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5980,i,14487499483261597664,5463420724174729498,262144 --variations-seed-version --mojo-platform-channel-handle=5992 /prefetch:14
        7⤵
        
        PID:6240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
        
        cookie_exporter.exe --cookie-json=596
        8⤵
        
        PID:4632
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\CFCFHJDBKJ.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6188
      - C:\Users\Admin\CFCFHJDBKJ.exe
        
        "C:\Users\Admin\CFCFHJDBKJ.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:6336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        
        PID:6164
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd3f14dcf8,0x7ffd3f14dd04,0x7ffd3f14dd10
        9⤵
        
        PID:3320
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1448,i,7060768984765210085,18184476377637655137,262144 --variations-seed-version --mojo-platform-channel-handle=3036 /prefetch:11
        9⤵
        
        PID:4708
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=3000,i,7060768984765210085,18184476377637655137,262144 --variations-seed-version --mojo-platform-channel-handle=2996 /prefetch:2
        9⤵
        
        PID:3720
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=1976,i,7060768984765210085,18184476377637655137,262144 --variations-seed-version --mojo-platform-channel-handle=3080 /prefetch:13
        9⤵
        
        PID:1496
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2964,i,7060768984765210085,18184476377637655137,262144 --variations-seed-version --mojo-platform-channel-handle=3128 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:4836
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2992,i,7060768984765210085,18184476377637655137,262144 --variations-seed-version --mojo-platform-channel-handle=3144 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:4844
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4204,i,7060768984765210085,18184476377637655137,262144 --variations-seed-version --mojo-platform-channel-handle=4224 /prefetch:9
        9⤵
        Uses browser remote debugging
        
        PID:4612
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4612,i,7060768984765210085,18184476377637655137,262144 --variations-seed-version --mojo-platform-channel-handle=4640 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:16880
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AAFIJKKEHJ.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5988
      - C:\Users\Admin\AAFIJKKEHJ.exe
        
        "C:\Users\Admin\AAFIJKKEHJ.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1648
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\CBFCBKKFBA.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5088
      - C:\Users\Admin\CBFCBKKFBA.exe
        
        "C:\Users\Admin\CBFCBKKFBA.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\tBN7gp0q\r2pSTIMr9np8cZrl.exe
        
        C:\Users\Admin\AppData\Local\Temp\tBN7gp0q\r2pSTIMr9np8cZrl.exe 0
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\tBN7gp0q\qgapbkj30rfYHPXM.exe
        
        C:\Users\Admin\AppData\Local\Temp\tBN7gp0q\qgapbkj30rfYHPXM.exe 2140
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4644
- - C:\ProgramData\wtr1no89hv.exe
    "C:\ProgramData\wtr1no89hv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4572
  - - C:\Users\Admin\AppData\Local\Temp\JLb8eT3Y\XqaxJOdr3Trg4bsJ.exe
      C:\Users\Admin\AppData\Local\Temp\JLb8eT3Y\XqaxJOdr3Trg4bsJ.exe 0
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4548
    - - C:\Users\Admin\AppData\Local\Temp\JLb8eT3Y\H2LwgaaHEOPh3Nfu.exe
        
        C:\Users\Admin\AppData\Local\Temp\JLb8eT3Y\H2LwgaaHEOPh3Nfu.exe 4548
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4580
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\ymym7" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3600
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 11
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:5468

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5308

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\JLb8eT3Y\XqaxJOdr3Trg4bsJ.exe
1⤵
PID:4628
- C:\Users\Admin\AppData\Local\Temp\JLb8eT3Y\XqaxJOdr3Trg4bsJ.exe
  C:\Users\Admin\AppData\Local\Temp\JLb8eT3Y\XqaxJOdr3Trg4bsJ.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\fphgPgHZ\qdLvhAYorsWNT9bq.exe
    C:\Users\Admin\AppData\Local\Temp\fphgPgHZ\qdLvhAYorsWNT9bq.exe 2352
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:916

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:6112

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:6972

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 4644 -ip 4644
1⤵
PID:16972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2140 -ip 2140
1⤵
PID:16980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EHDHIDAEHCFHJJJJECAA

Filesize
6KB

MD5
942093306662f719800319ff2aaca141

SHA1
bbaa21191da24891a1ed9854635e32a6f8efb406

SHA256
0b3f29b3ed6ed6e2e7c25c873b502d5d0e8c87a0c75834d0740bf86118983407

SHA512
44ce184e67ef66ec2edb8297fa53d90fef3d0d9720221134ec4f084c06fd6980614e9dd6b90f0f7e611a5f7c88078e5b0fedcb3a6d70a6850b4f7d486729b080

Download Submit
C:\ProgramData\ct26fknglf.exe

Filesize
850KB

MD5
260faa08dbff4bc7ca6346061f42b956

SHA1
ccef508bb2693b097510015ef89ebb8f0289c5c1

SHA256
c47a55b842177445756163ca2d5cadaed5cdd4d313d7897b9aaac8e1d1c6e810

SHA512
ae30c903720f58abef12b9e091872d4a6470bae5ba246fc1d35dbaa4aecad04803647a0339490090a037de780b09df4282d5cc6247731729bf24e8fe872c42dc

Download Submit
C:\ProgramData\jeua1\16pp89

Filesize
130KB

MD5
6f9aea4c80ae01d13a1fc4effbb700a4

SHA1
e4a510495a89397be9e101f0e01c0f42b3da18de

SHA256
7131902d326719aa85e7d00cee1f88d93ea8b1cc4bed77ae3406d3a9a94dfa10

SHA512
62f0ef8c8aebec6d459ad5df5273a3008c76f3d6bdcdc335eeff0c7949179ec9e9360b719b809ba213053e625997f8adbbceab46c75d7e0dcbee61aca7171598

Download Submit
C:\ProgramData\jeua1\ym7yus0z5

Filesize
40KB

MD5
dfd4f60adc85fc874327517efed62ff7

SHA1
f97489afb75bfd5ee52892f37383fbc85aa14a69

SHA256
c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e

SHA512
d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\ny5pzukxtr.exe

Filesize
736KB

MD5
18e5e760b807fc2b05172215540398b3

SHA1
6a1b4d3227088473c45869469b68a1737b26b90d

SHA256
6cff9733bcd32c2af2da61eab8281cd412a6d208ce6b763b783157be2901d5bd

SHA512
23430597753696466eea1c54337b1d37a734918433be2e0637aaf022c0ef09d5f8b04a3793ccb1a296bb83d13fda832d677cb926730653d78b0833f96737fa04

Download Submit
C:\ProgramData\wtr1no89hv.exe

Filesize
251KB

MD5
58d3a0d574e37dc90b40603f0658abd2

SHA1
bf5419ce7000113002b8112ace2a9ac35d0dc557

SHA256
dcc05c3ac7ae22d601bcb7c97cfcda568f3041bd39b2fd8899282dfde83369a5

SHA512
df61329a32e9261b01c5b7d95e0d9a3fb8cc36e5d90ede72bc16befe00fb32c221898a8346db9de07c0f5dcba57dcdbb09a22ca8b73223f989d33ec433c3a90a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
34c29bdb9e41b1f47f2d2786762c12ec

SHA1
4075131b18c3487e3e848361e112009c897629c7

SHA256
67ee11b51cd6f637795e31ab501f135ed595c8459bce885735f08b0418513a17

SHA512
ca3a978798e77b2ced27b379f38e935ef18beaa7ea23e34270a9af20b37e1b1c5edf9478606311cf1acabd83992766cb3da8444de9394c674d5955bdbc53c0d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
46576fbe37e6ef4db33a5c78899f7c46

SHA1
3f6215c316e49037cf7d982d1e3c61c24e2ebc69

SHA256
3a7d9bef6f92fa6c1635434581c6c7c18553b9de1d6ea7752eba2fc084158121

SHA512
6ddc495cd18d425636369b63e9405bbd58699e3ccbcea9db0e31aac66875583c355f99988b46fd04de018daeaa773ce5199adb4a8b664fddc691682e87825b2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c355424600512e17522cf022485b856b

SHA1
63d55ff4fc24b2b28cdc6d1179caa4fc791e9417

SHA256
01543ca8ae883277df94c125d0117eb5defee596619766f394ba74f645992891

SHA512
fb017d122700510eb68e66bccdd4408e7160031870ea7cbe2ee8258b650413d0c199ad985c1b3c53a3217a27547d8611adaf32e01451ae4892e7697e5ac5262d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
1c2c411679b735b6cd8ba776e55895f4

SHA1
cd3106b0f29767b7c12827385449fed7e9af7fe2

SHA256
17f3a363dc2e9a7cefa533bb8e7230d8cf8699d1d6788321140ee993116610e1

SHA512
ac0459af8ad1239db38b4078bf3a6a90318c4e887f0cb56e18dbc16cc74bd9f609d4845b34ba6f599a651233af577c9edf50f5ff7f32e293ff2e2700769eb206

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
f4ac8b1dc42cb3bbcea73ec4f3782d8e

SHA1
db2502570f1e0890d416be490500b80059b041ec

SHA256
82bdef33a7b5160f953ce9e6d87dbb2256e5f9b1564c337998fe76bf8e90938d

SHA512
c38472b33529749a70c7f6ee17fbdc0dd4844b6137fd3a1a091349525b5cb1ebb5d26df38265720d20b03e24b92d5123ecf1b1dc6cd70d4e7d40555024b668a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
0605b75c5c345cc202a7885499cc09a7

SHA1
540568cdb245ba26bce8711347e456320012e83d

SHA256
8ed5d8964a977a79c5aacf34853c9e5e00a06de2f2f0964a56c4089805a2dda8

SHA512
dae16a98e4cf861b918d684f0d7660e1c6647897afeded6859253a51f8dd95c41f007e3f20fe43da0292b493c170cb94fb8370d7b17b4f23cf2950cec477f9a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
0d1b66972b5283b79f352e51948e9291

SHA1
64989ae3c270b2d9cb9f9218a897ead0328c4e99

SHA256
db56f6fc69a7eec16ccc478bd50d9825e7521952d11ed9dab784fb0d55fb41e8

SHA512
cfe58630b2015db5860291847cc454e55f19eea1d6dc744d0f2c3b32c143ec1fc9f435ca07f4cdb3488a342a7c63d561ef4abaa740d9fae1203d3b525a71dc95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
35KB

MD5
db586f027cd1721a7673df08947c88ab

SHA1
9f5bd061079ec16bcd0dc4db1cc564fdb58a5da6

SHA256
2115de6ffcc6efa9da616aca4eb51c3138dacc884045f021e7a42bf4d3e115cb

SHA512
ffddf403d03daf73ad42db3d8358da72aa60408dd42259d50e7533fa881f67271315095dbb1717b1b0ebbe81ec93d7ab25a4202425330e054b7e9ffbb3088dd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
63KB

MD5
1901d2bcbbabee4bbb9804c30642ae2b

SHA1
f31774bc12614be681c0b0c7de3ac128f0e932db

SHA256
15eba349e5829f11363614b8f3dd9c3d04994586601d3c4c4d8069e0f5655310

SHA512
bdb94d7d8cf47b239c61559545b1dd26e05da909fec05d215471388545879cd8ec9e1fea51c04ed43927e2b07b5b80a74f09eb9038c8d9045e4161ea69df215f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
38KB

MD5
f53236bc138719b68ccd1c7efb02a276

SHA1
26b7d3eea5d3b12d0b0e173ebf2af50a7d7e56d6

SHA256
787c14f8cc865430c03c96a345044b7c5b8dc8a032511a500d4a42228533acd8

SHA512
5485bc7ccce8ec75f60bca3be846086a4bd4466009c8e22da9cdd16bb1154529af2fb2667cd3a97485cc4f6635fb79ac0fdda4f3e1f39f25f6196f708a92d740

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
320B

MD5
2ee46dc48a3654819dcc32002658106f

SHA1
cf685cb3b994f0151d9ddec08c26f6c3a31f7649

SHA256
97fc50699342d189223d8428b5b0d5ee7bfddcb4a8358b434e41136906c096db

SHA512
14952d76ee2cafe565d774fbeeb9bfb1d2e9d7d3d7753aa24f946989e4fc68766eb988b63bf60ce4fa7eee9311a2bc9c9f5ffd2c91d105caa384f0a7debf798b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
45a97d663cbd288bcf4713e4bf871ce8

SHA1
f6699c3de869861a841f5baa436580c3113fb9cd

SHA256
46bc3c8fd5e66b18d24a93d0b00c21f9ee0fdbe4659ece058e9524f691b809a1

SHA512
60914b03f9c0332d8fb991db71affff8dba48d29a085706599d7ba9a72a26740abb379af86ae6a1a6477294fd9ea5981fd7f0e5f2183fc6cc9c04d539d7c17b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log

Filesize
3KB

MD5
b794c3c051c1ce98c42d4467a42dd7e1

SHA1
73b25320a098652eacd643c7192db1c16448dbe3

SHA256
c07529e14ad9febffaa9dde696ab7bbfe881d6cdfa21d50e4fd45dad6eac7f00

SHA512
34990f0f13e508da91ea0b030320ca6e4e1e4b083e18d5e2276d71c1fecf1b86d33f7f146bd43982569b9c19573cc2ac9c90c30b7fe2924bea2d880b2fdbb0f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG

Filesize
336B

MD5
0bc30f675165b3f22574484a093e1bf9

SHA1
ac8eb5a1662524b1477a1391b4bfceb0e0e3e5be

SHA256
9758c3dea0719fd8ee9b0c976976d2ae9152ad77480ab6e2efce683abc939264

SHA512
73dfd1175053881e1cc113928f8ec29fd3a592f59a0b328312d0c87709b4f23a2e604ef90abbb280d5c884e6f7cd3a7bc88cc462779a1bc61132975407a41f00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\f1cdccba37924bda_0

Filesize
128KB

MD5
ad5500392a3d6dab62cbbed72729419d

SHA1
74b1d039a44cc37e62dc573d0d14efe2ead9e391

SHA256
aac955452d846e19791a2c1f30dba6a9c1ebde5b20547d37c6e7ebb6c62154eb

SHA512
454433c661570990955c25eedb52ebdf5ae2317ac062cb23be3537b1cc8b5afc2a1d3d1e370951641a473cccb0f3ddee9db34dee2bb7f52db5bb4c9a609a1872

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\f1cdccba37924bda_1

Filesize
343KB

MD5
fe0afab9e43167cfacab107f21d040b4

SHA1
6448a3243f17b73cf4cb5fa0c0d13e8e59751f83

SHA256
3cbdbe25233c061eee0a1826abfbd94d5e4cbd3a1af33b36cedd7c330293eedd

SHA512
eaca957714b139b3da6fd096407007b0940f280a1aea7922220678958a37869a5640422f7acb232732b6ee2063fbd8f9de080ec49bb5d8c0210b859a8b7ca883

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
48B

MD5
0873a8ba4ece64e2820f22c638516b85

SHA1
a20446103212d0e52bd7a622dbc7f926d843b18b

SHA256
8050f11ce77ccaef9c9c47ba0094fc6e1caefe6e724791ed668d9567a1b29c3b

SHA512
c6fa48cc3b6f13d92005f358a419e04795dd6f5effdf9d0eceb7cafb539914da0bb7187960118f3e89bda66439bb2c82b1bac9620166b589bd50a968f9498e8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

Filesize
308B

MD5
4e7982b86b3d7d916b7722aa3b3f0669

SHA1
ce4e874903cb71d9012cc7654ca7a6ba5e4f7efd

SHA256
cbee1100a2c9add47776b7e416b58a809f6feb9fe458bef8185b0c176b5db340

SHA512
c4dda8b36e90a327061dab901730f47fc23cca129b02a157f1ed0c566a1d6dddf272a4e74d3acbf14eb3a7fac0820387a584db9e19ca299724ed7f3030f891bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
320B

MD5
447f705103443bbbad2cf2f4170386f2

SHA1
113e000ea2a7e9fee311a59b7aaf3750821d6cfc

SHA256
6e3c43d0e9c16fb35894c0ccfc04acf12334917ef57e143b367a972c5d7aaa37

SHA512
22ba3ab52e03c3f87529c95f2f94ad7b453a919ef9560e0394fc0425966b1d3d6e943bd9e3d57b30cd33d64c9361dcd282f83b66b34f2bb40b559cd4d733469e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
384224103bae5c4b712f89cbfa74bfa3

SHA1
d378569bb60d33e21e5ba63f23b60d3383a8188d

SHA256
bc89509731fa47e00e800ce53a1bf59cb69d42a6a3c41c359d817638c9e458f7

SHA512
6d16451c115289bc3bdcd320616a6b69528d6c5155083707a794f35a3161d190784d126bc732304054ec973546e4c32d780f978d670d6cf64d7235e360beabe9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
1b0edb5b3bea27ea9cfcd92732081d01

SHA1
b67567158fa83d43b77ac2884615033ea59e26eb

SHA256
714d83ba1b1e2d40f127e7ba81a93ffce4ea6a658dad060bb23428f414086f21

SHA512
8262b801825969f8d678255cade6fdd12a792ca1553a320e4637eb4e616c98d5bcb3b16059c9ec7393703dccaac3be051736f931e378eb35564f02a7aae566a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
130KB

MD5
65e559018dd3fbbb9cd4c7b62d1e7662

SHA1
d816d25f0fbe5f123424c119eead94f4cd8b7b35

SHA256
fa01d1be58753c8012b32fe58b0fe62a9b8ba605d2129436d734bd5b08045105

SHA512
98b5f6f37f99e5ed8e450982fad8e30ab3772dcb0b712569cdc55861dc1ad49ec0e3302a511565762d60d5c2844df1f61762d752bd178e2c491dd3b510606a7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager-journal

Filesize
12KB

MD5
f287b36d46f6b1ad3f2598fe817dbd6f

SHA1
db0ebe135e3009fb1006ce0a63a3a1af9c71da76

SHA256
42423cf19cde94b12c1bdf35365b2e82a5074a9d3ebdc1111d14f1cd295a66f1

SHA512
c9ddf825d6f65890cd32348ca3f692fca53bc9161af88b7a22c6b741cc7f562b964217a1f93c9b0965fbd6c5518d0c215dd16cfba1ae2a10ef1e3f78d99414ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

Filesize
24KB

MD5
421541473c5c4a3c8676ef08a5b77adb

SHA1
bb773018b08205124c9c57195a19b8c38caed7da

SHA256
f5fc03f50f00ad2d0bfdf54e0f12837615cfba822604779665cc35363c329197

SHA512
fef3aa9fb055d0ade90bcdb12026334a44be6881ca87ccd0de88706393574a61fb80285da21bdaeba6c388845e3649392547636486534c726ce2637d26ef4aaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
320B

MD5
128a91ce9a6c48ae9ce1530bd4bc167c

SHA1
90ed84d0d60b3592c9a7a9abdfc819d0172861cc

SHA256
c935fa0f5de9ca673ecd15941bf6c8b34add7b88342bf5891666c1bad9e62e66

SHA512
6bb856418fef0e416b482fd78d2c497d8d8d965a7e5111279f0358f96529302171e5004a55e51c83fc9934cca94fccbab3bf42dfd7608d732dd2e9999f7b74ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
1KB

MD5
6caaced3f4222714443c993b94255a2e

SHA1
82d2a261d87c218527056f6e1dd098f21880099a

SHA256
0034793f7606bb0ce4294f8367775d580d13fb7526fd475eaba32550d47502ea

SHA512
93144900dfdfd66f08cf48a4a581f371f92362b7f060fca606c28c0bb7242b4283b8eb50dc9970117e3a01da847c3c25004023c35242063e053264c4cce486cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
338B

MD5
bd7d7b5f594a0b7e36dc1f0d654ac8b5

SHA1
f6887edc7deea2dd3d9e739ac4bd8e5524a8c182

SHA256
cfd4a4a1ea2dcce24c596679be703fb4eff26c0f6fbc7a1843302c6da5f3e01f

SHA512
cdcf49220fa6cd20fe0697295379059ed7dca319993e1453ff22f2f041491418369abd760403ac209010d6139116d1a62017b3b5784ddb6ab3d7cb4b9c65028d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
13B

MD5
a4710a30ca124ef24daf2c2462a1da92

SHA1
96958e2fe60d71e08ea922dfd5e69a50e38cc5db

SHA256
7114eaf0a021d2eb098b1e9f56f3500dc4f74ac68a87f5256922e4a4b9fa66b7

SHA512
43878e3bc6479df9e4ebd11092be61a73ab5a1441cd0bc8755edd401d37032c44a7279bab477c01d563ab4fa5d8078c0ba163a9207383538e894e0a7ff5a3e15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
177f7925405e630757214f2003b58fe3

SHA1
dfdd5548832c256bad49a3ba981ba6640538f4c6

SHA256
ff7fe430d93cbce86bf6bad7ea0911abe81aacc55ae05f0bdd000359071e3c24

SHA512
75dfc7095f053dee0f68e1dd42db7421419b27ea6ab90209b85f5c72aeef175c59975d435d786762c73f379ad3ca1fee098b51774a57cedc71cbba8f45532149

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
16b7586b9eba5296ea04b791fc3d675e

SHA1
8890767dd7eb4d1beab829324ba8b9599051f0b0

SHA256
474d668707f1cb929fef1e3798b71b632e50675bd1a9dceaab90c9587f72f680

SHA512
58668d0c28b63548a1f13d2c2dfa19bcc14c0b7406833ad8e72dfc07f46d8df6ded46265d74a042d07fbc88f78a59cb32389ef384ec78a55976dfc2737868771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
7680d04dd8578b4cccb8725dfe8ced4f

SHA1
5b94b3ef185bda1ee008d4fa2da90de42d847468

SHA256
7cea7ffa680c77093de6ff80357316c049b9bddd665c6a2289bb07debafb5688

SHA512
fe1719d4ef3cd3e28bd585853c6497ede8c5006585d64a93361ebca5d5ff51063eb6aea89fd37cc7e0318aa8c90e63d7864b27a92f771ec4cf60ee7eba1af236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
623d0eb0c4a36135a270354557aae018

SHA1
864d2599207960d2aedba50ada4a3b1b2a5a8b87

SHA256
52b485675b621aa85ff48f5cef95a29f845616b63d9a683bb7503f324cee3d03

SHA512
685e69631c295fee7ddb6bedccb9ddab7ac0fd5d5476f5236ee22d7b8af871f9705be8f30ec71b0bfdeabc69927be677942bf8bfcfbdb7ed1151e7dfe80105ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\cc6df4d9-21a0-415c-a960-a810ec9b1432\index-dir\the-real-index

Filesize
2KB

MD5
b044397d6497a995fa8c8e79b5da8686

SHA1
490cba78113834f63526ecee2f3d031e1473ea83

SHA256
d609d1e2d4a8ed4b78b4578306c0c60a58a3c0eeaad07e04482c2b2564088050

SHA512
d00eef0ebe69759a2c131fe25357e85b640bd80d347fd53a3850ca7c0df4b4d4bf1d8bbb1d03569a87036e64ac4482c1eb46b96d98ce07eacb0195df84820b30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\cc6df4d9-21a0-415c-a960-a810ec9b1432\index-dir\the-real-index~RFe57d4c5.TMP

Filesize
2KB

MD5
825c056dc6a81ed2517fb942081e1cb2

SHA1
cd3845d03abe67e48c382f544b0066d9ed86597a

SHA256
237361f9095d8561c5ebdbc89c8b05c88ec32967d7525f0d8e4a4af07e445ed6

SHA512
134e1769fe35e75773bdc348f600a3de4bdb893e97f65e89b04914b0d6aad5cd3bfe1fffe404499511e0065418d14ce0c9fb8733b17b81d5c51f92e15134e76e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
8c06d97dec9fcb5e2b5838edce962f31

SHA1
6a619b53ede2a70c463946341c0491f715312107

SHA256
5c27578292b9f7c62ffc60493c8f891d5bde9f60bc8094463d7449615e3fba2b

SHA512
f0321ed7366c7543ca9c379166959366b2762578c203dbfdc7b6ec2dd705f8c49c2633df20d42aba7042b7f8761b85847c52ac208b77bf46acf22230c0bf1329

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bc9fda70-b799-41ad-ab67-ebf5f4965bfa.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
6bba61aa28557ab5eb9f47314b815dc3

SHA1
e0320892c02d286bc37c393e90786f37700e3312

SHA256
c04e67adead4c51d5e0e883f4751d8340dacd0ee9357d02fef2e5594cc730a0e

SHA512
412c2db2908e1d1734b669c619d6a0aadffe3a3a6bb6fe28f384096b3a85b3510adb7d584fb5bcec8cb096228ec7322ac91ed09f4fb0bf57a5f6881ebef636f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1140_1747962787\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1140_1747962787\CRX_INSTALL\_locales\en_US\messages.json

Filesize
1KB

MD5
64eaeb92cb15bf128429c2354ef22977

SHA1
45ec549acaa1fda7c664d3906835ced6295ee752

SHA256
4f70eca8e28541855a11ec7a4e6b3bc6dd16c672ff9b596ecfb7715bb3b5898c

SHA512
f63ee02159812146eee84c4eb2034edfc2858a287119cc34a8b38c309c1b98953e14ca1ca6304d6b32b715754b15ba1b3aa4b46976631b5944d50581b2f49def

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1140_1747962787\CRX_INSTALL\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1140_1747962787\CRX_INSTALL\manifest.json

Filesize
1KB

MD5
2a738ca67be8dd698c70974c9d4bb21b

SHA1
45a4086c876d276954ffce187af2ebe3dc667b5f

SHA256
b08d566a5705247ddc9abf5e970fc93034970b02cf4cb3d5ccc90e1a1f8c816e

SHA512
f72b9190f9f2b1acc52f7fbb920d48797a96e62dfc0659c418edbbc0299dccf1931f6c508b86c940b976016745b9877f88f2ee081d3e3d5dcdcc2cc7e7884492

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2764_1509556532\ac41663a-9b05-412e-96c7-078457771369.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
memory/2460-1294-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2460-1309-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2460-1310-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2460-1308-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2460-1304-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2460-1301-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2460-1300-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2460-1295-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2460-1274-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2460-1314-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-388-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-387-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-716-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-658-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-657-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-656-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-655-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-654-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-653-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-652-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-651-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-648-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-647-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-556-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-389-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-383-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-379-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-376-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-375-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-374-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2832-1289-0x0000000000F50000-0x0000000000F94000-memory.dmp

Filesize
272KB

Download
memory/4572-698-0x0000000000E70000-0x0000000000EB4000-memory.dmp

Filesize
272KB

Download
memory/5200-717-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5200-681-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/5200-682-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/6072-669-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/6072-670-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download