vidar | 3cb52ef8bc5ae1920d1abab6de44b3b40d3d30cc65904c5f074cf0a3946c3f2b

Analysis

max time kernel
78s
max time network
80s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-es
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-eslocale:es-esos:windows10-ltsc_2021-x64systemwindows
submitted
01/04/2025, 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

X-ToolUnlock/XToolUnlock_v3.1.exe
Size

634KB
MD5

93adf8065f0c98800caaa0c04643086d
SHA1

1d9155ca4e97cd715a2053e98578bc3c41e144dd
SHA256

93333cc84d80767f88528b50cd5f563a7fc2626e0817ab9a666df733dd51d369
SHA512

6253872a445477fff892ba37f51aa44e655a7f61dc8ee8e9242911b8c2e9dac105234681255cdf82526239bfc582e8205f8aa9fb7e6a94b4cf2bf696dd26524b
SSDEEP

12288:SaQ9+ICJkAp0mBpehM8ppy+E4J/aDQy5b4WeZGl/GtWV3OH2JrZwIRlUR:Kw4GBpehMjcuP5b4Fty3pZwglUR

Score

10^/10

vidar 286abd424eeeb855a080435369086f7f credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

13.3

Botnet

286abd424eeeb855a080435369086f7f

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Signatures

Detect Vidar Stealer 57 IoCs

stealer

resource	yara_rule
behavioral1/memory/5648-0-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-1-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-2-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-9-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-10-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-11-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-12-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-13-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-14-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-15-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-16-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-17-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-350-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-351-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-352-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-353-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-354-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-355-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-356-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-357-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-358-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-359-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-423-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-425-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-426-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-427-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-428-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-429-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-431-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-432-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-434-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-435-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-436-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/5648-437-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3036-439-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3036-444-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3036-445-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3036-446-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3036-447-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3036-448-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3036-449-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3036-450-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3036-451-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3036-453-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3036-454-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3036-818-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3036-819-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4920-840-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4920-841-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4920-842-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4920-843-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4920-844-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4920-845-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4920-846-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4920-847-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4920-848-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/4920-849-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Uses browser remote debugging 2 TTPs 13 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5044	chrome.exe
2560	chrome.exe
5668	chrome.exe
2660	chrome.exe
3208	msedge.exe
4284	msedge.exe
3008	chrome.exe
2488	chrome.exe
5136	chrome.exe
4828	chrome.exe
4316	chrome.exe
3744	msedge.exe
1984	chrome.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 6116 set thread context of 5648	6116	XToolUnlock_v3.1.exe	81
PID 3576 set thread context of 3036	3576	XToolUnlock_v3.1.exe	132
PID 4468 set thread context of 4920	4468	XToolUnlock_v3.1.exe	152

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2660	timeout.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133879427101763726"	chrome.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
5648	MSBuild.exe
5648	MSBuild.exe
5648	MSBuild.exe
5648	MSBuild.exe
4828	chrome.exe
4828	chrome.exe
5648	MSBuild.exe
5648	MSBuild.exe
5648	MSBuild.exe
5648	MSBuild.exe
5648	MSBuild.exe
5648	MSBuild.exe
5648	MSBuild.exe
5648	MSBuild.exe
3036	MSBuild.exe
3036	MSBuild.exe
3036	MSBuild.exe
3036	MSBuild.exe
3008	chrome.exe
3008	chrome.exe
4920	MSBuild.exe
4920	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
3744	msedge.exe
3744	msedge.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
3744	msedge.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6116 wrote to memory of 5648	6116	XToolUnlock_v3.1.exe	81
PID 6116 wrote to memory of 5648	6116	XToolUnlock_v3.1.exe	81
PID 6116 wrote to memory of 5648	6116	XToolUnlock_v3.1.exe	81
PID 6116 wrote to memory of 5648	6116	XToolUnlock_v3.1.exe	81
PID 6116 wrote to memory of 5648	6116	XToolUnlock_v3.1.exe	81
PID 6116 wrote to memory of 5648	6116	XToolUnlock_v3.1.exe	81
PID 6116 wrote to memory of 5648	6116	XToolUnlock_v3.1.exe	81
PID 6116 wrote to memory of 5648	6116	XToolUnlock_v3.1.exe	81
PID 6116 wrote to memory of 5648	6116	XToolUnlock_v3.1.exe	81
PID 6116 wrote to memory of 5648	6116	XToolUnlock_v3.1.exe	81
PID 6116 wrote to memory of 5648	6116	XToolUnlock_v3.1.exe	81
PID 6116 wrote to memory of 5648	6116	XToolUnlock_v3.1.exe	81
PID 5648 wrote to memory of 4828	5648	MSBuild.exe	87
PID 5648 wrote to memory of 4828	5648	MSBuild.exe	87
PID 4828 wrote to memory of 4816	4828	chrome.exe	88
PID 4828 wrote to memory of 4816	4828	chrome.exe	88
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 3956	4828	chrome.exe	89
PID 4828 wrote to memory of 5980	4828	chrome.exe	90
PID 4828 wrote to memory of 5980	4828	chrome.exe	90
PID 4828 wrote to memory of 5920	4828	chrome.exe	91
PID 4828 wrote to memory of 5920	4828	chrome.exe	91
PID 4828 wrote to memory of 5920	4828	chrome.exe	91
PID 4828 wrote to memory of 5920	4828	chrome.exe	91
PID 4828 wrote to memory of 5920	4828	chrome.exe	91
PID 4828 wrote to memory of 5920	4828	chrome.exe	91
PID 4828 wrote to memory of 5920	4828	chrome.exe	91
PID 4828 wrote to memory of 5920	4828	chrome.exe	91
PID 4828 wrote to memory of 5920	4828	chrome.exe	91
PID 4828 wrote to memory of 5920	4828	chrome.exe	91
PID 4828 wrote to memory of 5920	4828	chrome.exe	91
PID 4828 wrote to memory of 5920	4828	chrome.exe	91
PID 4828 wrote to memory of 5920	4828	chrome.exe	91
PID 4828 wrote to memory of 5920	4828	chrome.exe	91
PID 4828 wrote to memory of 5920	4828	chrome.exe	91
PID 4828 wrote to memory of 5920	4828	chrome.exe	91

C:\Users\Admin\AppData\Local\Temp\X-ToolUnlock\XToolUnlock_v3.1.exe
"C:\Users\Admin\AppData\Local\Temp\X-ToolUnlock\XToolUnlock_v3.1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:6116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5648
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffdfe5adcf8,0x7ffdfe5add04,0x7ffdfe5add10
      4⤵
      PID:4816
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1980,i,17847981178291784051,14377188076007492319,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1976 /prefetch:2
      4⤵
      PID:3956
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=es --service-sandbox-type=none --string-annotations --field-trial-handle=1576,i,17847981178291784051,14377188076007492319,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2220 /prefetch:3
      4⤵
      PID:5980
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=es --service-sandbox-type=service --string-annotations --field-trial-handle=2372,i,17847981178291784051,14377188076007492319,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2440 /prefetch:8
      4⤵
      PID:5920
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=es --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3244,i,17847981178291784051,14377188076007492319,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3256 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2560
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=es --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3276,i,17847981178291784051,14377188076007492319,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3304 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4316
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=es --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4308,i,17847981178291784051,14377188076007492319,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4344 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:5668
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=es --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3936,i,17847981178291784051,14377188076007492319,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4716 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2660
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=es --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5292,i,17847981178291784051,14377188076007492319,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5304 /prefetch:8
      4⤵
      PID:5632
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=es --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5552,i,17847981178291784051,14377188076007492319,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5564 /prefetch:8
      4⤵
      PID:5776
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=es --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5648,i,17847981178291784051,14377188076007492319,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5320 /prefetch:8
      4⤵
      PID:4328
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=es --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5636,i,17847981178291784051,14377188076007492319,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5564 /prefetch:8
      4⤵
      PID:3052
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=es --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5428,i,17847981178291784051,14377188076007492319,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5748 /prefetch:8
      4⤵
      PID:6040
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=es --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5432,i,17847981178291784051,14377188076007492319,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5360 /prefetch:8
      4⤵
      PID:2012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:3744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x28c,0x7ffdfe80f208,0x7ffdfe80f214,0x7ffdfe80f220
      4⤵
      PID:3748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=es --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1912,i,4695843800575786617,14460433332047784519,262144 --variations-seed-version --mojo-platform-channel-handle=2200 /prefetch:3
      4⤵
      PID:1088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2172,i,4695843800575786617,14460433332047784519,262144 --variations-seed-version --mojo-platform-channel-handle=2168 /prefetch:2
      4⤵
      PID:760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=es --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2484,i,4695843800575786617,14460433332047784519,262144 --variations-seed-version --mojo-platform-channel-handle=2660 /prefetch:8
      4⤵
      PID:5660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=es --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3464,i,4695843800575786617,14460433332047784519,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=es --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3484,i,4695843800575786617,14460433332047784519,262144 --variations-seed-version --mojo-platform-channel-handle=3568 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3208
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\myuai" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5008
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 11
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2660

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5584

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1328

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5676

C:\Users\Admin\AppData\Local\Temp\X-ToolUnlock\XToolUnlock_v3.1.exe
"C:\Users\Admin\AppData\Local\Temp\X-ToolUnlock\XToolUnlock_v3.1.exe"
1⤵
- Suspicious use of SetThreadContext
PID:3576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3008
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffdfd0edcf8,0x7ffdfd0edd04,0x7ffdfd0edd10
      4⤵
      PID:1352
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2072,i,10673319909302844633,7304464241249685996,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2068 /prefetch:2
      4⤵
      PID:5644
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=es --service-sandbox-type=none --string-annotations --field-trial-handle=1904,i,10673319909302844633,7304464241249685996,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2100 /prefetch:3
      4⤵
      PID:3624
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=es --service-sandbox-type=service --string-annotations --field-trial-handle=2408,i,10673319909302844633,7304464241249685996,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2564 /prefetch:8
      4⤵
      PID:4268
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=es --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3256,i,10673319909302844633,7304464241249685996,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3156 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5136
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=es --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3276,i,10673319909302844633,7304464241249685996,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3296 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1984
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=es --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4304,i,10673319909302844633,7304464241249685996,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3824 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:2488
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=es --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4732,i,10673319909302844633,7304464241249685996,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4704 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5044
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=es --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5236,i,10673319909302844633,7304464241249685996,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5272 /prefetch:8
      4⤵
      PID:5012
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=es --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5272,i,10673319909302844633,7304464241249685996,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5480 /prefetch:8
      4⤵
      PID:4904
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=es --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5472,i,10673319909302844633,7304464241249685996,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5488 /prefetch:8
      4⤵
      PID:5540
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=es --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5368,i,10673319909302844633,7304464241249685996,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5588 /prefetch:8
      4⤵
      PID:4828
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=es --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5676,i,10673319909302844633,7304464241249685996,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5668 /prefetch:8
      4⤵
      PID:2636
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=es --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5720,i,10673319909302844633,7304464241249685996,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5824 /prefetch:8
      4⤵
      PID:5968

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4128

C:\Users\Admin\Desktop\X-ToolUnlock\XToolUnlock_v3.1.exe
"C:\Users\Admin\Desktop\X-ToolUnlock\XToolUnlock_v3.1.exe"
1⤵
- Suspicious use of SetThreadContext
PID:4468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
734B

MD5
e192462f281446b5d1500d474fbacc4b

SHA1
5ed0044ac937193b78f9878ad7bac5c9ff7534ff

SHA256
f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60

SHA512
cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4129DC8EEBADFD4645EB90062D7176AE_8EB15DA476A4FFCCBC194DB7844B4E7E

Filesize
345B

MD5
b4c2caf5c593a303fb93713dcd81d50b

SHA1
8c53a62936762d823859c65746b410d8ae8f5fbf

SHA256
287832a41564c41e66217da3a0d628b93ada97e97a20701e07de2241f60e040a

SHA512
0b3813edc43c8c4ca0944f0faa17b78d71462e36d1f1cdbb05975331f051dc57d00b10a1459f76ee240b3bbc73e0c446bc5335c0ef28fc5275e133d9df5b09c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
767b34ff6e55bbdc1c0c3d67f3925c09

SHA1
9afbf3c60557c6df5595efd97a445efc3ece0b4c

SHA256
7fee701c269e9758467339341751745d6a321474a3562ba396cb87383eeee770

SHA512
cde60186b559f387f4db0db9355d5eeeede0599434e63d5215b2cd2441eaca97657def1fe343ef02166625a486be7b742b24a8802519ea68892a33a9f97b8bb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4129DC8EEBADFD4645EB90062D7176AE_8EB15DA476A4FFCCBC194DB7844B4E7E

Filesize
548B

MD5
831c15d8a22089ef86e9fdf008c6cf8e

SHA1
6026a47152aa9817dd45380bd55f82c77d85bc3e

SHA256
b29016c32678949f4e1e12642d18da8f8b5366e1d7904c37f5fdb982ab505656

SHA512
767f315360e6d39aeaa3437f3660488d3ef82b99a7fa21bb4eaf1748d416a200810b6e594694fb789d1cabbcefb71de9c5e385dee1dc2767c5d7a7451d85bee9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
34c29bdb9e41b1f47f2d2786762c12ec

SHA1
4075131b18c3487e3e848361e112009c897629c7

SHA256
67ee11b51cd6f637795e31ab501f135ed595c8459bce885735f08b0418513a17

SHA512
ca3a978798e77b2ced27b379f38e935ef18beaa7ea23e34270a9af20b37e1b1c5edf9478606311cf1acabd83992766cb3da8444de9394c674d5955bdbc53c0d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
1a32e2a5f5d5c980670db002d6a1fb95

SHA1
b1b9296fb5ce6e542a3c58cab190e356a3c3dd98

SHA256
39d9ce56424444a8708233a38e9cd2f2c740b9b9adadd418becd4bcb1291c460

SHA512
36f5db3c07d48f712c018f14d673251ce16bcb0b7c5d82e43e42c63a2e1f025a23e595ad7e2a590ea9b03a6fcf8d2570c9d3a7f1d758ded804e0ade869e79a35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b54a10c22ab4d297d6dc315565331d2b

SHA1
045197dc090baf43cbc978fb3f3f17582a83876e

SHA256
7d56a1778476c8c1afc2d103528740cc8d7d6b93b743137d3f707623e78ca94b

SHA512
42bec224a69988556e860d9bea925eabbc9ea0e925230831c7a748740c75f9b3019d41dfdc3d2bd92be366b06b6907b01c46cfe4f21c6ea35d8ce5cc30ef8d62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
d8231b273e8ca8601a7c8c2ee03b1ffc

SHA1
811cefec1ed2b7f2d8af9f9fc3ab62e81c7e41f5

SHA256
cf652b39d8f17061d874f70134080e7f00cb2207cc5db15367ba4f8f51a1533d

SHA512
cf6d92dfd00d4cdcd5c88f1afe99a7a7b5e041c00f8b6ad28b46575b8d6dec5e1efe3919ad8bd05288f927f4cf82b99876214b6d94db3c316732f130016981cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
f356c5ad6b03b7ae3f0446e9845a4055

SHA1
8f90ffc3d96bf5bf6edc7e1dcd30cf6f5764890e

SHA256
053e3911104ed2924eb58ab7ea973091f0bfabb096bb0e757af3e49c08df62de

SHA512
d72641d94c11bddee4041248c0ae8500489b7301c903841f2de2c43c0b45606cb8e7c43eb9fb9de8cc4a6689a3cd8e512884b465bbc6cbb8a74b954864afef46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
0605b75c5c345cc202a7885499cc09a7

SHA1
540568cdb245ba26bce8711347e456320012e83d

SHA256
8ed5d8964a977a79c5aacf34853c9e5e00a06de2f2f0964a56c4089805a2dda8

SHA512
dae16a98e4cf861b918d684f0d7660e1c6647897afeded6859253a51f8dd95c41f007e3f20fe43da0292b493c170cb94fb8370d7b17b4f23cf2950cec477f9a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
73380c320b1b9cf67f26621cfd10ad26

SHA1
cb62da22382e619cfce33392658a12aae871d861

SHA256
f1be531ee338e7778058f8f44fda0f07866a99c825a084c9a91a291f5750e685

SHA512
e5ccbf7e7ccae9ab2509fdb229589e46e3dfcf3f39b2990bafb44c170b3337550360e02f173da1aedfbe0824d1408e197759bb4d57450276673202ad87beda2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
35KB

MD5
f803fa95df6b1a44d92e13037e968c94

SHA1
41ae9bc4952a81b9ed8aab8f0f74dd9471be9572

SHA256
91daeff08d19dc01e8c938525aaa9b173fe3218c1ed109114241b52161f10015

SHA512
77d14ba98b3733a09246972d7f1d6dff9db056ef38beacc5acd516baecc2062e99877731aba3a2c008cf30df1f615c6cd5762e9c42c6be3d379d648692bf2ab6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
63KB

MD5
1901d2bcbbabee4bbb9804c30642ae2b

SHA1
f31774bc12614be681c0b0c7de3ac128f0e932db

SHA256
15eba349e5829f11363614b8f3dd9c3d04994586601d3c4c4d8069e0f5655310

SHA512
bdb94d7d8cf47b239c61559545b1dd26e05da909fec05d215471388545879cd8ec9e1fea51c04ed43927e2b07b5b80a74f09eb9038c8d9045e4161ea69df215f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
38KB

MD5
f53236bc138719b68ccd1c7efb02a276

SHA1
26b7d3eea5d3b12d0b0e173ebf2af50a7d7e56d6

SHA256
787c14f8cc865430c03c96a345044b7c5b8dc8a032511a500d4a42228533acd8

SHA512
5485bc7ccce8ec75f60bca3be846086a4bd4466009c8e22da9cdd16bb1154529af2fb2667cd3a97485cc4f6635fb79ac0fdda4f3e1f39f25f6196f708a92d740

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
320B

MD5
720b5130cef8df0e1f499ebaf46c5ed7

SHA1
cc98a1cce7c7bd870762f9cdf686e1f88194b855

SHA256
528b43b1987c3256aabfae7d55aac2cd34ab4cb5adb5a2a68a13f59ea36e78ac

SHA512
10c6fdb47e3dce3e856bdf7809558e64bc07a347c925dbb654041246950530ce630bab059a800f549b0198c1407fce9f4255fd8fd3451a7992aead32ccef7f49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log

Filesize
106B

MD5
c441b448b2ed3281ec2d040b40aaf8a3

SHA1
0cdb52276b299da33a381dc57c23a987a4670eab

SHA256
3a0abb41f1f0fe1382e1a68d716c9fe77e222a518a2d468ad4c98dd82b8f3b15

SHA512
3eeb4f51e1f68b6ffda74ea9e6b027744e1b10bb30fae8f97790fd82874252a177e57bb8c9a291b4664b0116d00336576cef016d6fad344d375bbbaa0f0f9f53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG

Filesize
404B

MD5
e601ae922740d3f430e7ff63db0b7d3a

SHA1
5c7683bcbdac172e97ffd518ca99a267662eb09e

SHA256
3d43e593effd51c8e12ffa3e1739c8299b53c617d359ab1047d91c560073815b

SHA512
1634469cfc1bb1392dadaa0ef991e91fc9dc3d6da256332838ebc7e4ff610987d1c0be55f7d64a50a49b8042d461ff236f5bbb2b897e977165d9d37aaf011e4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
332B

MD5
df7e8cd9a14699acff471846d9cd3066

SHA1
295d90d2d9c29892888a35baf3b01cad21599179

SHA256
fcb244ac797bfe612b1eb05e9a097cfe130c182d99b47ba64345149295d89c28

SHA512
566d34ad0b6a36a0ed24cb348672f57b2fade94279abb4793018cd168a6753511a6d9cb1ae262af1bac6b69d13d92c8fb736c6e379bcfba65966c17eae1db965

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG

Filesize
334B

MD5
20c7a180d58b917ecb03b00f423104b2

SHA1
5d626ab48cda37ce575c5bdcce7b914b0e6a4441

SHA256
3f78c3aef2cc95a1a179e30a9e76caf4a7a3c4b60ab3cb0b24bab1eb43b17982

SHA512
218cc9a1d4fdcc11da93237e96a6d8fe1c0c1fd64ce52e9e64baaebaf57ccc69f8e404b8504d3e9623238e8ca84fa21589cd6423328f6866850f1b6cf6cce63b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
69d3e3750e1bcdba98b902b541a1b007

SHA1
3aa2a5128380800a68ef29d8e6e60916a72d6632

SHA256
1d94a376b6831081a3b9b4df535322ec6458f48586ccbe8b936a8ebeacc0b66c

SHA512
3f58f76926caa372a3efd81bffdd9fc2e76a101c9ef7739b2e77813286708bf61e3d31e48a7ffa8e6dbdfdd5d86a69c5c7768bb74a877c14f484158ef51345a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
71f520899d875036b9ac0d2608382754

SHA1
146e8b099a7bf9944a264187e9ba287b89bb7ec8

SHA256
a8aca20ead04d143ebf540e15a2af1468713217b047c698ec6b54c41c25bfccb

SHA512
5838966d6521e87c386d1b459d235bac9dd55361959f3fd11d248c3b1c25f3b48cc0f38d7a3dfc721ccadd85d7b566c49ddbdf407ccbec0f1ed8aa97cd4b38c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log

Filesize
3KB

MD5
17d2478c0d5b98bd3895989bb11a1554

SHA1
255e9fb488c0bb98394d918c8f4c044de7335ec2

SHA256
9fd814ac15b5e6731dc32d3accc1d1eb3db6bb852c2d57aa474045c91101b0e3

SHA512
b7dc069ffd0322ab07a7ba54b251d95a19ca3043448fbf2f4f945948bb47b96893f7015dbffb8ca651ceeb086e06f993290286a30fc6f03d755312f839b4cbfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG

Filesize
336B

MD5
299cdcbec99f8686e25d4862776a3108

SHA1
421000a3169bfecdc36a0a165a22eb5c49f09d7f

SHA256
dd753c96e74e3e040a9a609853869fabb50c7abae5ea7731b906cffa49947021

SHA512
8c3103d6779cdfdb95e2dfcf5585ae036225afc1171b57457bfbd21afd57056a4c2e3b39a620b3017a8fa0cc8e3f49233155f6dceae9d58bb3a8ec38a7d72365

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\ba23d8ecda68de77_0

Filesize
128KB

MD5
028d7845b069fb83c99db7cda3aee936

SHA1
c2be7849b640a02c03c489d8f6c3b0209acceb93

SHA256
bcd361261b958afd0f8fbfb18c4eda3401ae1fff3f2b3dee947b8cb3d0ecf416

SHA512
c76b5ef824933e60afb952d592b9667582d67780131401998c0b5f34c8413b2ad736d82fffc6629cb835ff7614d542abb5f09cea72efe064e23dcfa88f41f852

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\ba23d8ecda68de77_1

Filesize
343KB

MD5
235ad81f37c2f1be98e0f28e986c0caa

SHA1
b4445ff79b1a1c45c488eba2328ddee909f4e367

SHA256
71118322ef09a3988c0e29fa888e4cfb8309cd2e425ceaebeb4a0dac50b671e1

SHA512
0ddf345a66cefe8dd2ef38e1f85de97e021a6279167ae2f347015d728498d59f5a0db7b7f5a7bb9a5fd033940f272a9af7cd832ddc2c34ca92d5c4b9b04584a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
48B

MD5
a2b8c8517b0e701b09cd83ec74c4dbcc

SHA1
cac87a507acb3ac3b5ddb9ccd0fe577d357873fb

SHA256
2ac58de2d2ada27381f121e469595a6229abfcbbce4f5c1aa44ac01768a4e815

SHA512
53078250aa19a6cc454355bac37ddda97f38dec69486c773805468b9aeea57d7e67c8df0ab4065561988a1023e437e15163c90c47f596286f76059daf540a501

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

Filesize
308B

MD5
4e7982b86b3d7d916b7722aa3b3f0669

SHA1
ce4e874903cb71d9012cc7654ca7a6ba5e4f7efd

SHA256
cbee1100a2c9add47776b7e416b58a809f6feb9fe458bef8185b0c176b5db340

SHA512
c4dda8b36e90a327061dab901730f47fc23cca129b02a157f1ed0c566a1d6dddf272a4e74d3acbf14eb3a7fac0820387a584db9e19ca299724ed7f3030f891bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
320B

MD5
22a39552518e6ca9873f105130f83b89

SHA1
7f56ef45399f832915ffccab136231ea0aa1955e

SHA256
23795d264e6c560521cf50c746597efa721646aca2961fd7654e59cb374a7315

SHA512
67c8f108497af6413a416d19fa5712006e9277e9429fe39bb8e2181380337efd2823cc19b9d9f396eb3e2309b2c9f424d554989f8ee55d3627aa0f6280afd9bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13387942708968981

Filesize
2KB

MD5
4358db6d239cd2d29942eba8ed3a0671

SHA1
35db61c0b32b36cfc30dcf0db3b53b32357876d2

SHA256
fbab448fbcf72ceb17dec6480f531047dd283ea5649747054a41f22b57572e75

SHA512
ffd8bd2963b99746a1bd2c260cb2eea30ce7fc8d84bb72017d7c849ae3f972fa899a516a809716a318d088fae34d4cfa49296bce85f83dcc619b633897ed4838

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
348B

MD5
20860b3e2ed26291f2365d571f94fe9d

SHA1
3c9a057e6c999451244a5e2716d57c4eca30bc22

SHA256
e12ea475a3d74e08d51e5d76bde59833a5a24e1f6e8c4851961ce04b5c388bae

SHA512
2d5b0dee231f66d039b9df82957d8ae5962f10e3f39c91d9938d1a5bcdd93556ee937c5ada4f89976b74daa9a048bc335580b13aefff1231113c4ab70f6029f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
324B

MD5
dcd8db41627e2fec2d5f6e63cbfcc08c

SHA1
0a285a98e22e0392504e65bd40cab3efc85b53d5

SHA256
b13220bfd998a36ce64083756e5ed6a2f91baa2b33a50bd946dacf4251d07723

SHA512
9ae72dccaa23d8f15f14d899e23ca370dda77553b3bd82eb066421e9e614082cfd392747bf06dfb4db96a812220840e400a018313678d52995c9f8eda8f71a11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
130KB

MD5
7d83c198e323b10fe1f55b8f56114bb0

SHA1
0016224b401df8b10e11bb7b84f1b3f62bd48aeb

SHA256
0fdce669a53c99efa05b1d3eda068ddd5ddcc325b59a9b970a16905f2b6ec689

SHA512
6390cc2e266c1819403a743ed301d5e5149331d5d27a3457d98a95508a951801c5ea4fd02985074bd6f3e9dda3becc019ad34bc5eebd5c2d3f20fba1c04e8d72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager-journal

Filesize
12KB

MD5
83f65b593f2221522443b69a9b0b41fb

SHA1
f7d6efe3b07f4de79147d2bf6e5150adbafb0fea

SHA256
3be73a1582a9ab0ebf982b7b56dd2edeb9c372eea899520f52da239be7cb8a3d

SHA512
1f9c395565ab4ba7862b25b587c750d638b801039bd5775f6d115006c4e643c8166ce5add5feb872afa56b2fd12bdce6355f2c6b09cdf70c3c5dbd31c1e6c66c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

Filesize
24KB

MD5
4f24a2e709cb48ff1f6f3b09314d999f

SHA1
c3f393331a5651615531b9f1f13dfa71f45e72cc

SHA256
4865a22bb03dc2dbe00779b3e07d566ac078e731ba7fde2468312a87e323d180

SHA512
caa65fca8fd670cfb385bf28a5e342e873ef33811a9ed9b0dadf3ede35d64c18dc72610064868cefa160a752a4b709e46cdb17b207bba28e5744f6c785362b4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
320B

MD5
0c241c948e9c2280e74eaea3f4a3a830

SHA1
d2399038267d61e3bfe63b457537fca183872f68

SHA256
4be79bba3c91a5773bd9235520d14e1d8434da21877c7c85d625b99cb5879d2e

SHA512
b48bff80b461fad2db6aabe6a0d810e145fcb8ceab7b7f47ef693878f183da7055e387d9ba8efd4fdb3d0fa897cd7a08eb870ed9012e444e1c3854b34c13ef38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
1KB

MD5
052706edcd2f0cf65f4c291ec01324b8

SHA1
e9d69183dd69ef54fd0f3d2803e9cc08a9d41c8a

SHA256
09990e73946b9ce8521135994c1875a0dfe17e06b1c552875dfe86920f3da6fe

SHA512
6ec4906cae54aa83f3e99635a5be8ece39e8dc42d1bc499e769332fb9e1aaefebd3298088270721ca5f5748e804db5cad1e71e2189d0061f2f3ed52f98cc9b22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
338B

MD5
9247faae7aea72f7daa1c4a9e9fd41ee

SHA1
b5d6496c8f2a920291e3bf73aaa9bba75985d20e

SHA256
3d05f30477129aec4c1d5cb77e739c73245459156dfc51eb0696317db9790b5e

SHA512
6dd022448a8af3ef90be824ae8df488603cf167e1745c00d50e34e604f0a6d130ec226fe97a64c49867d80948074955653bd6819bd98cb52e44675680f0bd2e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
82f13499802a0896efa18460bfce5b23

SHA1
6a6bc2e46ffd74fa7f02ee62eb52cfad6e804ed4

SHA256
d4480f2f50633d8fd1c9b7f9bde94c2a39b14275b3d3fb84c404dfc930bec208

SHA512
ca26f58dfb75ed2e6ed2a9787c0cd12a07aef2664cb48a36169a8217b807aba71783e1956f6aa0385b60a6fe9c795fc588f9514f046a932f23262d14797b07d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
343f187d2733acb29e5df6e94b5f0e63

SHA1
b77ef0d2783847b8a7866b7bf7084ed8bc0c75af

SHA256
1b73d3548c27685ac7870647b68f562c016ba3d2051b305a7d2a2d85af21d677

SHA512
3adf3eccbb926206edc51b48fe55060b15277cfe654a8288856bb3692339a699170dc8f47c63ffa54927ab4b1dcb1ba8c9cb99f27ba44323a632c1cdf3f73281

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
4.0MB

MD5
6ba52f1e5ecd6e9503e8da1b92abda08

SHA1
0b23a8c203226342b76dd33b56062b9c9810cce1

SHA256
0095d3d6231bba75b19c216e64012ac68eb63d29bcdccae02dfeef8a3a8f2f0d

SHA512
39d9ce49b68955daa987425972b251c6eb5212effd9f60519fdbfbb933b03aebeb94c6d956fec9c358b2b80c348aaf227291cb47b4a1b6d908313130ae0d07bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
13B

MD5
a4710a30ca124ef24daf2c2462a1da92

SHA1
96958e2fe60d71e08ea922dfd5e69a50e38cc5db

SHA256
7114eaf0a021d2eb098b1e9f56f3500dc4f74ac68a87f5256922e4a4b9fa66b7

SHA512
43878e3bc6479df9e4ebd11092be61a73ab5a1441cd0bc8755edd401d37032c44a7279bab477c01d563ab4fa5d8078c0ba163a9207383538e894e0a7ff5a3e15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
0adf8d86b92f57dc13ef433ced7099ab

SHA1
eebe501f98a41eab0ccc77ac7dd05f1d338be631

SHA256
beb65580f6095fa60c9fe40675724b3b777b5e03e3a1b641145c8f50c2790adf

SHA512
b6dabfc358c38a5b1f8c8ed596e6ad7c44606c33c6114babbd74677dc3f6df4cd7d7ef1626bffe9a2a4c952d2bf622ee27b077d0c997c80e1295d56d16e7b506

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
9901c4306bb0ce0fde901eee5b4adbf1

SHA1
23d16edd4426fc8896b2b3b579870af8e61cec46

SHA256
c6dea888935e4da24a98e754285bb61158c18530f5de0aa2c68d7307ee673e5d

SHA512
2dd9d920f3a96e7f3dfb2ef36cc179693e41db776cb518b20e77b10939180c7f021fa59afe42ffd87473bc8a3f03b412a55dadf88d6007a4ead864250dd981fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
f732dbed9289177d15e236d0f8f2ddd3

SHA1
53f822af51b014bc3d4b575865d9c3ef0e4debde

SHA256
2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93

SHA512
b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
edd4d726b54181570252b83dd2493242

SHA1
1459ed864cd47e81c0f3ee785ab862cc866e7000

SHA256
7c447d3878e464bc5cf60551a134108c839c761b7263c5c11b0ccc7903a7aa45

SHA512
21a42510306ad1e9be2bd6288dc573f5fe2426402dc2d6d60661bd0b01e56ce71d11da73307243f6d51ec55e0f86d66ca9033773db2bbf4d50641503fbbe827a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\248f1e82-460f-4db2-97b5-dbe022fbb907.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
3a84a1098394bb3c7bb6a6fb5759bdd9

SHA1
43bf7f458cd2c697ba9297c981b0fe2c96a8fd2f

SHA256
ca7bb7aaced183ac124b24b11e4bc7137f75be422cd8f6f2bb252511235ed6de

SHA512
890e8a17e79475cd65528ad3a624847fa4ba34514e5b46597de3c6dc88c55790b1846d6e286a057b125e60e5c12fd85235671d578cb1aeb21bba87acd55e35c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\132bb14e-0471-4400-8f4e-63f6a3e4640c.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3008_915032011\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3008_915032011\CRX_INSTALL\_locales\en_US\messages.json

Filesize
1KB

MD5
64eaeb92cb15bf128429c2354ef22977

SHA1
45ec549acaa1fda7c664d3906835ced6295ee752

SHA256
4f70eca8e28541855a11ec7a4e6b3bc6dd16c672ff9b596ecfb7715bb3b5898c

SHA512
f63ee02159812146eee84c4eb2034edfc2858a287119cc34a8b38c309c1b98953e14ca1ca6304d6b32b715754b15ba1b3aa4b46976631b5944d50581b2f49def

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3008_915032011\CRX_INSTALL\_locales\es\messages.json

Filesize
878B

MD5
59cb3a9999dfbd19c3e3098f3b067634

SHA1
bcfdf1c9c7f5d0ce35d7918060ce704a99803bf4

SHA256
02168993a23e074e0800cbb338fe279f99ef420e326bf92916ffed83c1f06533

SHA512
9968acb9821bfff6f427aabfcde3023f5a6f588bbfc0efd2275f201930ec5e16d64ff228c76f77958d36091a3dbd510e95385f0cb99a3e4dde693f34e9e3ebf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3008_915032011\CRX_INSTALL\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3008_915032011\CRX_INSTALL\manifest.json

Filesize
1KB

MD5
2a738ca67be8dd698c70974c9d4bb21b

SHA1
45a4086c876d276954ffce187af2ebe3dc667b5f

SHA256
b08d566a5705247ddc9abf5e970fc93034970b02cf4cb3d5ccc90e1a1f8c816e

SHA512
f72b9190f9f2b1acc52f7fbb920d48797a96e62dfc0659c418edbbc0299dccf1931f6c508b86c940b976016745b9877f88f2ee081d3e3d5dcdcc2cc7e7884492

Download Submit
memory/3036-819-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-445-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-439-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-444-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-454-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-446-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-447-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-818-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-453-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-451-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-450-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-449-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-448-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4920-840-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4920-841-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4920-842-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4920-845-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4920-843-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4920-846-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4920-847-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4920-848-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4920-849-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4920-844-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-429-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-350-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-351-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-352-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-353-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-354-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-355-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-356-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-357-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-358-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-359-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-423-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-425-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-426-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-427-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-428-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-437-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-431-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-432-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-434-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-435-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-436-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download