005d0acad4b988b933bc58b249238a601d4a6104324db85fa9a67bc29c57abda

Analysis

max time kernel
50s
max time network
139s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
30/03/2025, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows11DebloaterV205/Config/advanceddebloater/advanceddebloater.ps1
Size

33KB
MD5

ed4f7322de8ddf560bbe7d83d62b2ea7
SHA1

5a84667c371edd7640c1e3580a8f6ac5e4a00d63
SHA256

0835a0e8cf1cc013fa9243061a166d532567f7b697b18bf31e6d50e1fae962f4
SHA512

6fe06302dec800c0ebb5657e9fc33f912487591fa41147adbae3c99f7a10d1b75b87ae80115e499e863df16c96b8bf7bf1bdbc3b6cbc503c48d1de11cede391b
SSDEEP

768:3tXZRI44RuTzhU4E7bqyDKHezhz8gWOTDDOxIo7Uq0eZa6FWZc:3YxKHezR+

Score

10^/10

defense_evasion discovery evasion execution ransomware

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	powershell.exe

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2428	bcdedit.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1096	icacls.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3028	powershell.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "2"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "0"	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3028	powershell.exe
1864	chrome.exe
1864	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeBackupPrivilege	2560	vssvc.exe
Token: SeRestorePrivilege	2560	vssvc.exe
Token: SeAuditPrivilege	2560	vssvc.exe
Token: SeRestorePrivilege	1460	DrvInst.exe
Token: SeRestorePrivilege	1460	DrvInst.exe
Token: SeRestorePrivilege	1460	DrvInst.exe
Token: SeRestorePrivilege	1460	DrvInst.exe
Token: SeRestorePrivilege	1460	DrvInst.exe
Token: SeRestorePrivilege	1460	DrvInst.exe
Token: SeRestorePrivilege	1460	DrvInst.exe
Token: SeLoadDriverPrivilege	1460	DrvInst.exe
Token: SeLoadDriverPrivilege	1460	DrvInst.exe
Token: SeLoadDriverPrivilege	1460	DrvInst.exe
Token: SeRestorePrivilege	2008	DrvInst.exe
Token: SeRestorePrivilege	2008	DrvInst.exe
Token: SeRestorePrivilege	2008	DrvInst.exe
Token: SeRestorePrivilege	2008	DrvInst.exe
Token: SeRestorePrivilege	2008	DrvInst.exe
Token: SeRestorePrivilege	2008	DrvInst.exe
Token: SeRestorePrivilege	2008	DrvInst.exe
Token: SeLoadDriverPrivilege	2008	DrvInst.exe
Token: SeLoadDriverPrivilege	2008	DrvInst.exe
Token: SeLoadDriverPrivilege	2008	DrvInst.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2428	3028	powershell.exe	36
PID 3028 wrote to memory of 2428	3028	powershell.exe	36
PID 3028 wrote to memory of 2428	3028	powershell.exe	36
PID 3028 wrote to memory of 1096	3028	powershell.exe	37
PID 3028 wrote to memory of 1096	3028	powershell.exe	37
PID 3028 wrote to memory of 1096	3028	powershell.exe	37
PID 1864 wrote to memory of 2156	1864	chrome.exe	40
PID 1864 wrote to memory of 2156	1864	chrome.exe	40
PID 1864 wrote to memory of 2156	1864	chrome.exe	40
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2100	1864	chrome.exe	41
PID 1864 wrote to memory of 2176	1864	chrome.exe	42
PID 1864 wrote to memory of 2176	1864	chrome.exe	42
PID 1864 wrote to memory of 2176	1864	chrome.exe	42
PID 1864 wrote to memory of 1456	1864	chrome.exe	43
PID 1864 wrote to memory of 1456	1864	chrome.exe	43
PID 1864 wrote to memory of 1456	1864	chrome.exe	43
PID 1864 wrote to memory of 1456	1864	chrome.exe	43
PID 1864 wrote to memory of 1456	1864	chrome.exe	43
PID 1864 wrote to memory of 1456	1864	chrome.exe	43
PID 1864 wrote to memory of 1456	1864	chrome.exe	43
PID 1864 wrote to memory of 1456	1864	chrome.exe	43
PID 1864 wrote to memory of 1456	1864	chrome.exe	43
PID 1864 wrote to memory of 1456	1864	chrome.exe	43
PID 1864 wrote to memory of 1456	1864	chrome.exe	43
PID 1864 wrote to memory of 1456	1864	chrome.exe	43
PID 1864 wrote to memory of 1456	1864	chrome.exe	43

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Windows11DebloaterV205\Config\advanceddebloater\advanceddebloater.ps1
1⤵
- Modifies visibility of file extensions in Explorer
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\system32\bcdedit.exe
  "C:\Windows\system32\bcdedit.exe" /set {current} bootmenupolicy Legacy
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2428
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:1096

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004A0" "00000000000004A8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot20" "" "" "65dbac317" "0000000000000000" "0000000000000548" "00000000000003CC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef1c09758,0x7fef1c09768,0x7fef1c09778
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1144 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:2
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:8
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2304 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2312 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1464 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:2
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2180 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:2
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1396 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3336 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:8
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3560 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:8
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3676 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:8
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3556 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:8
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3628 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3616 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2348 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3812 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3800 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2464 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=2804 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3552 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:1
  2⤵
  PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=2644 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:1
  2⤵
  PID:444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=880 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=3788 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=3532 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=3236 --field-trial-handle=1284,i,16741829922428616093,7272916105873125569,131072 /prefetch:1
  2⤵
  PID:1744

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8aef2d48be76a0b38739952e8ba346d8

SHA1
9b7bd4c378e131ff4e4153c89fa872a12efc7f03

SHA256
910ebb1dd1364cb242d94526b1bcf41cd0476d7a904dcf48afe24f5348b28065

SHA512
fcba5c08b917d5f1bc92fad7d0e903701cb60bee6970ad3ba9c5bd1739c13876a24aa49b5a7c2accff1fdf0eb2844e7620883fd385bf0b77da760420c2a9d442

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
4af14b992d16a9097ddb4009c70b96b9

SHA1
2606b4a060c324c2048ea8d54374d4f2402886eb

SHA256
6ed45c34d54bb5f6e8b2a14aeb78406c243ca3d5eecd7a00089957e8c98dc7ce

SHA512
3d7642f60e8a54040b80872747cd6f37017c77ad3ec3f4370fe5641f8a0b76ffbf59f6592f9851d35ee192789b525e2e20d9cabb4c52f00cc08ea3bd94fa8987

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\5e27983e-baed-4d7e-9bb0-e714521c41d7.tmp

Filesize
5KB

MD5
a29d8dba3a47e6fcee5dfeb941bdfad3

SHA1
b8e7e2e2cfb35328bee140989851f37859539f6a

SHA256
0742e5e8bf37546b9934c8103e837c3322d70286255cc1987be3da98858ebf9a

SHA512
5f26fd081c0506e0d81d172d35b1ba2d4a0e10db81935067806e9f413a7fe77d62555b74fdbe4af6745c39a9946dcf6fc1e954fc138ef21554566477d8e64f2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fa2a9480b6a0833eaeeb8ca75205eb0f

SHA1
416fe531bc2a4ce4340c4e6b8b12d1ffb179df8a

SHA256
c7299d59566b696dbb884d8216088dea65ac1dbce5ce626c3a730767fde1942d

SHA512
668769dd53ae975570c08d37f49cdd24ccab4c5c610297f2448cc3272e6c24a104f6bd5860c1936e4d1ff51280ccb173b391d8746073db70d735993fc9305494

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9ff5e9424780267dc572869a01060f3b

SHA1
1a4de36c56708e05ef62ada726e00f549741a1a2

SHA256
e3812c53805ad0b285a2445a666501e55388fb4bf55568779081d0f3a5b83da5

SHA512
15e0b735ea23cb6fc361bab08768e264a6866202d7261f7d561252b2b57cffe0b157db8123961ac332e7d816392e81a4e3b3deed151b8ea9366ad3c3c941ee29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
344KB

MD5
cd036893ea3b82146a9b7986aeb8c454

SHA1
a13bb84334b8643c316d0b0ab78c1afaf1f5e3b2

SHA256
9a687d9ed8108945ab2cd8d18e41293ceda24fbcccaec588bba4c728ab2b734b

SHA512
68b1ff07f51314d7b0ae2f1cc6b0305638e123bfe30de8e044e38de4ff6c1d995cb3a2d75b21be3c057928fefd5b880a9eded267b60e8762f8d3b889e7d8c58d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
344KB

MD5
99ab07bb1a984d35574d7c92206c16f8

SHA1
675911ab593617f665a5b137a212ab215e7a853f

SHA256
61750d8a65c05fb4667d65d01741f3c0a1be0011a6a1a195e375deeaff6dc038

SHA512
5abbf32eec7cbf761535281059b67dd9fe87539e4acd00c9e1c75097d3325bc68e7deece7afc81634d8428459c8faf6510399327118eb71b0a420eab19e3dc49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
344KB

MD5
005f838c3e1dbe3b94842efbc98b4fe2

SHA1
86c8c2e4dd7644ed7a396fa09cf0dc4b8ca9975a

SHA256
ac2def4046409c56d548a99c091e19623360f8503c4bbe410e1014838c42d6e0

SHA512
b8652cd955d8a2c90067de8115368241d8bb47b4db69cc4c0053d6c5c320b7475afe47523a24af0346e46cb0324258b62442d3e59cb53356674680751091b8e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
344KB

MD5
02f820dd91542bde05c107a5801375d4

SHA1
34e6e209a8f93bd06422e9dd514b9d076641c619

SHA256
53698202afcd1ac4b82ea8cd46dac3029255cb23a1a253a8feb66577412e9fbb

SHA512
1f786248f8923e00280e6db1f796362ca208f1878e6896d2193ef7ff39d207e1bb247e2c5987d6f1391d308b59ee7d27b5c0dc5c99d8a053b2e275d44dc38423

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\cab01e17-776f-4d38-9ccc-42afab4316e7.tmp

Filesize
344KB

MD5
fec1a337c095ddee1bd1a34e1a44df23

SHA1
7bd37e7d970fed642f8f7d9b6ccda5512a356d31

SHA256
37857f3c57dd256e37b332e3b02154d7dd238d87342138bc3aa46aac12114f66

SHA512
d14de9d944d9fa1fc64faca45a7382d251690f8e53f1b934b1790b539383cb73053ab38ffb57a2935f800501ac076bfaed9a6c4b5ef138b739ed6150ef5746f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC385.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
memory/3028-8-0x000007FEF4F30000-0x000007FEF58CD000-memory.dmp

Filesize
9.6MB

Download
memory/3028-9-0x000007FEF4F30000-0x000007FEF58CD000-memory.dmp

Filesize
9.6MB

Download
memory/3028-4-0x000007FEF51EE000-0x000007FEF51EF000-memory.dmp

Filesize
4KB

Download
memory/3028-7-0x000007FEF4F30000-0x000007FEF58CD000-memory.dmp

Filesize
9.6MB

Download
memory/3028-6-0x0000000002080000-0x0000000002088000-memory.dmp

Filesize
32KB

Download
memory/3028-10-0x000007FEF51EE000-0x000007FEF51EF000-memory.dmp

Filesize
4KB

Download
memory/3028-5-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/3028-11-0x000007FEF4F30000-0x000007FEF58CD000-memory.dmp

Filesize
9.6MB

Download
memory/3028-12-0x000007FEF4F30000-0x000007FEF58CD000-memory.dmp

Filesize
9.6MB

Download
memory/3028-738-0x000007FEF4F30000-0x000007FEF58CD000-memory.dmp

Filesize
9.6MB

Download