dcrat | 96890d1d86aad9940fd54604ef09dd7e2dcf5cc084eeaf63a1062b4fbead91ae

Resubmissions

09-08-2023 01:09

230809-bh9ksage22 3

12-06-2023 15:59

230612-tfk4hsde3v 10

Analysis

max time kernel
959s
max time network
1188s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12-06-2023 15:59

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Telegram Desktop.exe
Size

3.8MB
MD5

1d156ea00258d8c5ed190ab425b6bf67
SHA1

92014a052c4654a167e933702d8b12b13ca6a90d
SHA256

96890d1d86aad9940fd54604ef09dd7e2dcf5cc084eeaf63a1062b4fbead91ae
SHA512

1eaa1fe0a8bfab0004d6dc5b773f710aebd5027f2258e41b5cf24eb164a70eb65a2395cee7d3244898e011baee3e3fc6d83dbcfbe1048d117984fa9fc40d8a54
SSDEEP

98304:iFgMEhr3Or19KXlcw1CdU2uP318hXjETV:uzGrO4n2uP3iwV

Score

10^/10

dcrat pandastealer stormkitty infostealer persistence rat spyware stealer vmprotect

Malware Config

Signatures

DCrat 2 IoCs

DarkCrystalrat.

rat

resource	yara_rule
behavioral2/files/0x000700000001270f-313.dat	Dark_crystal_rat
behavioral2/files/0x000700000001270f-314.dat	Dark_crystal_rat

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Panda Stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001a0000000124a1-328.dat	family_pandastealer
behavioral2/files/0x000a00000001232c-331.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	692	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	692	schtasks.exe	54

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 10 IoCs

resource	yara_rule
behavioral2/files/0x00070000000126ed-79.dat	family_stormkitty
behavioral2/files/0x00070000000126ed-81.dat	family_stormkitty
behavioral2/files/0x00070000000126ed-80.dat	family_stormkitty
behavioral2/files/0x000700000001269c-84.dat	family_stormkitty
behavioral2/files/0x000700000001269c-83.dat	family_stormkitty
behavioral2/files/0x000700000001269c-82.dat	family_stormkitty
behavioral2/memory/1668-447-0x000000013FDE0000-0x000000013FE30000-memory.dmp	family_stormkitty
behavioral2/memory/1668-450-0x00000000021B0000-0x0000000002224000-memory.dmp	family_stormkitty
behavioral2/memory/2592-485-0x000000013F2F0000-0x000000013F340000-memory.dmp	family_stormkitty
behavioral2/memory/2592-486-0x0000000000590000-0x0000000000604000-memory.dmp	family_stormkitty

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000700000001270f-313.dat	dcrat
behavioral2/files/0x000700000001270f-314.dat	dcrat
behavioral2/memory/1664-413-0x0000000000F90000-0x0000000001220000-memory.dmp	dcrat
behavioral2/files/0x0005000000019489-445.dat	dcrat
behavioral2/memory/2188-496-0x0000000000CF0000-0x0000000000F80000-memory.dmp	dcrat

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
2192	CHEAT and Bypass Matrix.exe
520	Matrix Bypass.exe
740	VapeInstaller.exe
1664	msSurrogateHost.exe
1668	MatrixHackByFilard.exe
2592	RussiaHack.exe
2188	services.exe

Loads dropped DLL 8 IoCs

pid	Process
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
672	cmd.exe
672	cmd.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000600000001a048-514.dat	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
53	ipinfo.io
54	ipinfo.io
43	ip-api.com

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\spoolsv.exe	msSurrogateHost.exe
File created	C:\Program Files\7-Zip\f3b6ecef712a24	msSurrogateHost.exe
File created	C:\Program Files\VideoLAN\VLC\lua\chrome.exe	msSurrogateHost.exe
File created	C:\Program Files\VideoLAN\VLC\lua\7a73b78f679a6f	msSurrogateHost.exe
File created	C:\Program Files\VideoLAN\sppsvc.exe	msSurrogateHost.exe
File created	C:\Program Files\Windows Portable Devices\6ccacd8608530f	msSurrogateHost.exe
File created	C:\Program Files\Windows Portable Devices\smss.exe	msSurrogateHost.exe
File created	C:\Program Files\Windows Portable Devices\Idle.exe	msSurrogateHost.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\sppsvc.exe	msSurrogateHost.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\0a1fd5f707cd16	msSurrogateHost.exe
File created	C:\Program Files (x86)\MSBuild\c5b4cb5e9653cc	msSurrogateHost.exe
File opened for modification	C:\Program Files\Windows Portable Devices\Idle.exe	msSurrogateHost.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\7a73b78f679a6f	msSurrogateHost.exe
File created	C:\Program Files\Windows Portable Devices\69ddcba757bf72	msSurrogateHost.exe
File created	C:\Program Files (x86)\MSBuild\services.exe	msSurrogateHost.exe
File created	C:\Program Files\VideoLAN\0a1fd5f707cd16	msSurrogateHost.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\chrome.exe	msSurrogateHost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\tracing\7a73b78f679a6f	msSurrogateHost.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Favorites\System.exe	msSurrogateHost.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Favorites\27d1bcfc3c54e0	msSurrogateHost.exe
File created	C:\Windows\tracing\chrome.exe	msSurrogateHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2224	schtasks.exe
2424	schtasks.exe
3068	schtasks.exe
2336	schtasks.exe
1688	schtasks.exe
288	schtasks.exe
2328	schtasks.exe
1728	schtasks.exe
2396	schtasks.exe
1812	schtasks.exe
1768	schtasks.exe
592	schtasks.exe
2580	schtasks.exe
2772	schtasks.exe
2336	schtasks.exe
964	schtasks.exe
2588	schtasks.exe
828	schtasks.exe
2928	schtasks.exe
2904	schtasks.exe
3052	schtasks.exe
964	schtasks.exe
2676	schtasks.exe
2444	schtasks.exe
2448	schtasks.exe
2252	schtasks.exe
2916	schtasks.exe
288	schtasks.exe
1716	schtasks.exe
2864	schtasks.exe
2532	schtasks.exe
2124	schtasks.exe
2132	schtasks.exe
2212	schtasks.exe
1260	schtasks.exe
2144	schtasks.exe
2200	schtasks.exe
1572	schtasks.exe
2428	schtasks.exe
2540	schtasks.exe
2412	schtasks.exe
2908	schtasks.exe
2828	schtasks.exe
2068	schtasks.exe
1360	schtasks.exe
2212	schtasks.exe
2236	schtasks.exe
1720	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1296	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1656	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	Telegram Desktop.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	RussiaHack.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	RussiaHack.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
520	Matrix Bypass.exe
896	chrome.exe
896	chrome.exe
1664	msSurrogateHost.exe
2188	services.exe
2592	RussiaHack.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
2248	NOTEPAD.EXE
1620	chrome.exe
896	chrome.exe
896	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1724	Telegram Desktop.exe
1724	Telegram Desktop.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 1476	1620	chrome.exe	31
PID 1620 wrote to memory of 1476	1620	chrome.exe	31
PID 1620 wrote to memory of 1476	1620	chrome.exe	31
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 820	1620	chrome.exe	33
PID 1620 wrote to memory of 832	1620	chrome.exe	34
PID 1620 wrote to memory of 832	1620	chrome.exe	34
PID 1620 wrote to memory of 832	1620	chrome.exe	34
PID 1620 wrote to memory of 428	1620	chrome.exe	35
PID 1620 wrote to memory of 428	1620	chrome.exe	35
PID 1620 wrote to memory of 428	1620	chrome.exe	35
PID 1620 wrote to memory of 428	1620	chrome.exe	35
PID 1620 wrote to memory of 428	1620	chrome.exe	35
PID 1620 wrote to memory of 428	1620	chrome.exe	35
PID 1620 wrote to memory of 428	1620	chrome.exe	35
PID 1620 wrote to memory of 428	1620	chrome.exe	35
PID 1620 wrote to memory of 428	1620	chrome.exe	35
PID 1620 wrote to memory of 428	1620	chrome.exe	35
PID 1620 wrote to memory of 428	1620	chrome.exe	35
PID 1620 wrote to memory of 428	1620	chrome.exe	35
PID 1620 wrote to memory of 428	1620	chrome.exe	35
PID 1620 wrote to memory of 428	1620	chrome.exe	35
PID 1620 wrote to memory of 428	1620	chrome.exe	35
PID 1620 wrote to memory of 428	1620	chrome.exe	35
PID 1620 wrote to memory of 428	1620	chrome.exe	35
PID 1620 wrote to memory of 428	1620	chrome.exe	35
PID 1620 wrote to memory of 428	1620	chrome.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Telegram Desktop.exe
"C:\Users\Admin\AppData\Local\Temp\Telegram Desktop.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6229758,0x7fef6229768,0x7fef6229778
  2⤵
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 --field-trial-handle=1212,i,14891102405157715756,472811149966584105,131072 /prefetch:2
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 --field-trial-handle=1212,i,14891102405157715756,472811149966584105,131072 /prefetch:8
  2⤵
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1212,i,14891102405157715756,472811149966584105,131072 /prefetch:8
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2204 --field-trial-handle=1212,i,14891102405157715756,472811149966584105,131072 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2244 --field-trial-handle=1212,i,14891102405157715756,472811149966584105,131072 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1500 --field-trial-handle=1212,i,14891102405157715756,472811149966584105,131072 /prefetch:2
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1492 --field-trial-handle=1212,i,14891102405157715756,472811149966584105,131072 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3788 --field-trial-handle=1212,i,14891102405157715756,472811149966584105,131072 /prefetch:8
  2⤵
  PID:544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3812 --field-trial-handle=1212,i,14891102405157715756,472811149966584105,131072 /prefetch:8
  2⤵
  PID:480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4188 --field-trial-handle=1212,i,14891102405157715756,472811149966584105,131072 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=712 --field-trial-handle=1212,i,14891102405157715756,472811149966584105,131072 /prefetch:8
  2⤵
  PID:2652

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1076

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Пароли Microsoft Edge.csv
1⤵
- Suspicious use of FindShellTrayWindow
PID:2248

C:\Users\Admin\Desktop\CHEAT and Bypass Matrix.exe
"C:\Users\Admin\Desktop\CHEAT and Bypass Matrix.exe"
1⤵
- Executes dropped EXE
PID:2192
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msagentsessionruntimemonitor\Q2YeCqE8qxd61K1ktFeXh5Nj.vbe"
  2⤵
  PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Roaming\msagentsessionruntimemonitor\L2kmnRelizDcO70ipFvI.bat" "
    3⤵
    - Loads dropped DLL
    PID:672
  - - C:\Users\Admin\AppData\Roaming\msagentsessionruntimemonitor\msSurrogateHost.exe
      "C:\Users\Admin\AppData\Roaming\msagentsessionruntimemonitor\msSurrogateHost.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:1664
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iT80OSBb4H.bat"
        5⤵
        
        PID:1676
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2872
      - C:\Program Files (x86)\MSBuild\services.exe
        
        "C:\Program Files (x86)\MSBuild\services.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2188
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        7⤵
        
        PID:2448
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6229758,0x7fef6229768,0x7fef6229778
        8⤵
        
        PID:1728
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msagentsessionruntimemonitor\file.vbs"
  2⤵
  PID:2324

C:\Users\Admin\Desktop\Matrix Bypass.exe
"C:\Users\Admin\Desktop\Matrix Bypass.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:520

C:\Users\Admin\Desktop\VapeInstaller.exe
"C:\Users\Admin\Desktop\VapeInstaller.exe"
1⤵
- Executes dropped EXE
PID:740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6229758,0x7fef6229768,0x7fef6229778
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1536 --field-trial-handle=1204,i,8163571856760892926,11335421739896374699,131072 /prefetch:8
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1404 --field-trial-handle=1204,i,8163571856760892926,11335421739896374699,131072 /prefetch:8
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1204,i,8163571856760892926,11335421739896374699,131072 /prefetch:2
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2316 --field-trial-handle=1204,i,8163571856760892926,11335421739896374699,131072 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2300 --field-trial-handle=1204,i,8163571856760892926,11335421739896374699,131072 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1704 --field-trial-handle=1204,i,8163571856760892926,11335421739896374699,131072 /prefetch:2
  2⤵
  PID:1244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3584 --field-trial-handle=1204,i,8163571856760892926,11335421739896374699,131072 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3920 --field-trial-handle=1204,i,8163571856760892926,11335421739896374699,131072 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3788 --field-trial-handle=1204,i,8163571856760892926,11335421739896374699,131072 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3920 --field-trial-handle=1204,i,8163571856760892926,11335421739896374699,131072 /prefetch:8
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3828 --field-trial-handle=1204,i,8163571856760892926,11335421739896374699,131072 /prefetch:8
  2⤵
  PID:2036

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\chrome.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:964

C:\Users\Admin\Desktop\MatrixHackByFilard.exe
"C:\Users\Admin\Desktop\MatrixHackByFilard.exe"
1⤵
- Executes dropped EXE
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\chrome.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Users\Public\Videos\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\chrome.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Windows\tracing\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Favorites\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Favorites\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Favorites\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 13 /tr "'C:\Users\Public\chrome.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Users\Public\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 12 /tr "'C:\Users\Public\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Music\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\Music\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Music\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\7-Zip\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\ServiceProfiles\NetworkService\Favorites\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Favorites\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\NetworkService\Favorites\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\lua\chrome.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:288

C:\Users\Admin\Desktop\RussiaHack.exe
"C:\Users\Admin\Desktop\RussiaHack.exe"
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAA16.tmp.bat
  2⤵
  PID:2420
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2092
- - C:\Windows\system32\taskkill.exe
    TaskKill /F /IM 2592
    3⤵
    - Kills process with taskkill
    PID:1656
- - C:\Windows\system32\timeout.exe
    Timeout /T 2 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\lua\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2584

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x590
1⤵
PID:1572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\chrome.exe

Filesize
2.5MB

MD5
75136c00a06c6ee8c30e8a969fac27a9

SHA1
d4d02785c465a544573f6d113849d48f2ad35fed

SHA256
28c79c3f0bd6ee03025e4e4f61a2d25a00bebc0b1d3776bfabc824fc49013fcf

SHA512
187385d74f340932ba2b46970846e72f0da058a29f49a50879edde3aef17dc910ca49fb0ae24cc2d49745cd1f21c4450aa4f3d258b8a129918a51b217506af2d

Download Submit
C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-10-1.bdic

Filesize
441KB

MD5
4604e676a0a7d18770853919e24ec465

SHA1
415ef3b2ca0851e00ebaf0d6c9f6213c561ac98f

SHA256
a075b01d9b015c616511a9e87da77da3d9881621db32f584e4606ddabf1c1100

SHA512
3d89c21f20772a8bebdb70b29c42fca2f6bffcda49dff9d5644f3f3910b7c710a5c20154a7af5134c9c7a8624a1251b5e56ced9351d87463f31bed8188eb0774

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
05c11be5ee31e733adc0c96dfb2571b4

SHA1
49719516e9eb5084278c231a731367d40285e990

SHA256
3ccaed3b3b645cab33deffee5571a0d84424ce61bbbbff0945b34867c6130d43

SHA512
56c9ad596413c6e5d8810e02b6beb5ae6148cee99788e3abf48784f3aa0c85a6a2637f67d772e866a7c0d7be625da5f64b111dd7fe417ce81e367ef145be0e2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\65d97931-c9b4-4566-864b-7c02948a40d2.tmp

Filesize
159KB

MD5
a64f5b2b943b513510f783d3c0b763d8

SHA1
f4bf375980b8b0f21661a8466fefed71d954ad31

SHA256
014efa20b8d30091057d3b2ebda0660a94ee5bc28f600e96908ed808710473f1

SHA512
526fb7c8560cec3cedb08694c72f59be632e1f5a9fbf4d5cd9f3466e7d770d1faae89f0e7f0e9fe906c7e3461366883646a636d536905a834fdc24f45bccc17f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
1b07b7753f3c944754b1790fd9694beb

SHA1
5c9036d395fc83e80f302e311b4f5e9c9ca0ea83

SHA256
b2f762c1c9be27df51ffa896115174ad0bddac04e5777e94a2fce03cf1c97c46

SHA512
b00e8158fc07f07db5e5e569e5a21b1bb269abac91f0bd25676d73b71e718978e1090d3263a12fe8a065e2f8ce9e74748c1165587a11640d9e0dc54fa540df44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
1b07b7753f3c944754b1790fd9694beb

SHA1
5c9036d395fc83e80f302e311b4f5e9c9ca0ea83

SHA256
b2f762c1c9be27df51ffa896115174ad0bddac04e5777e94a2fce03cf1c97c46

SHA512
b00e8158fc07f07db5e5e569e5a21b1bb269abac91f0bd25676d73b71e718978e1090d3263a12fe8a065e2f8ce9e74748c1165587a11640d9e0dc54fa540df44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8c1a7f06-d484-4503-8ae5-8f3d19129ed3.tmp

Filesize
4KB

MD5
9e302324eafbf999acce1f11ab9979e4

SHA1
74f762bebbca800fff00f403adba97e9a96ab7e6

SHA256
1be2bb277642d503c19ecb3375f536b0ed3a2c6f8a85ad6337a07acfea3625e7

SHA512
0ab5fdcf06585c23dbe010f53e312899a5f43dd682f644abad6a7fd7427cb99bf25a487e2eab97f4a797656da96b610922372a50508f8bd32fde540952e74b04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
5eea148692f380907b362fec8de9f996

SHA1
19f988f09b8d96a5b4b3b4f412c87b1f748d36dd

SHA256
617d0ba5a247153d52e38203954b334e3183265fd1696ace16a204b02fb86088

SHA512
ddaad1f10ef9dc2bb6e4a45463fa212647ac09c3e8c87d2005cfcc614d020c921fb85806bdf27b5a60d3dd09393437471145aafef82381100225a51988bdc28f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
ae0e8053377d59a3fcc2063b7814e0b3

SHA1
d59277694e9b5fa9379cc1ccae3759d9eaaa41db

SHA256
7b3a7f4a2f041ffdf662cafaecbfcf5db2e0a05aea11af515b9f9dafb954dbf9

SHA512
4be1796d90e5a5752abbb09f6dba625d410d2e70420f0d34f6f714f9f7b7ecf6528eb038878d33ae7ef018950dfa000a41108e4c11014f60355359f8973f6bd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
bd2765cef0b224bc8ccc3a78491cff7b

SHA1
b72129416b927ce9d17b0afa2a582b4d040cd2b7

SHA256
897de597308f6cd33a040ade204d51d88079ff93150576a770683171f42955f8

SHA512
35fcc04f73fc9277585c03e5c3d7de7f1fce5bafc77c8449ce084bd583ac723cf98d529f8dcb714553d7796fd49529651754dbad9264f591c39a4e727bffc117

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
e05ed429ac9fef95de70cf2ee36f4255

SHA1
ba8f55f80f667c1bf6bcfdcbe0ecc4714b69bb43

SHA256
8a95f081fe8fccdaa21e851b894a57472a21138260cb8ebc01c98dc0cbab8d61

SHA512
69fe0559b6a2927339da06e4a21e439fef2102b0a027469ed398384f5c8160abeccb270123b7c1cd9dac93163621914c9493cdd830e27b8e80c7c32c4c23be56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT~RF792e33.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
e05ed429ac9fef95de70cf2ee36f4255

SHA1
ba8f55f80f667c1bf6bcfdcbe0ecc4714b69bb43

SHA256
8a95f081fe8fccdaa21e851b894a57472a21138260cb8ebc01c98dc0cbab8d61

SHA512
69fe0559b6a2927339da06e4a21e439fef2102b0a027469ed398384f5c8160abeccb270123b7c1cd9dac93163621914c9493cdd830e27b8e80c7c32c4c23be56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
148KB

MD5
5f151ba29ba019103c98f1de8075de5b

SHA1
f84723adef688c1c6fe6b10bc4263cd2196b13b9

SHA256
7e34a340a2ee4290e19952b693a356b44c56fa440fd450fff88360541a03f5d0

SHA512
9a7bd6f88ee2a0fa05772fd9fdc2ecd998bc08688f7edc50717c6754f9ad1fc79543bf4619111ce4501c068e99952393f69828e6e4d49d34487bb451e099f386

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000005.log

Filesize
109B

MD5
eebb4445cc67416ef8d107ed0667c3be

SHA1
eafccd84cfee531697309050fa5dae6b3fe5d850

SHA256
4e3fe4a6bdd082d37a1c0dad8cd87546d6b7229c5e3cc91495e78e4704813bd1

SHA512
a7db2e75c03ecebaef4657e9e5eaef5496ce826dff999f544b0a9ebdd51d4bf5bd0b8cc39558f0db04006536809a69802b5e6435b22fdd54956323af1516ba04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
136B

MD5
bfc45dcf85aaabc724f444557e95b45d

SHA1
0575467bed4c6d1d0694dd8d9b1790dfd4f91869

SHA256
0d501d35c1dee5fe356c6734ba5bd598897e21de4bef547f793dea5f2a827cff

SHA512
3a82bd01f5574fe42b2122202343a5ca714dbae8a7be0823c63f4d28cb3b0d320d4d09cb9be0e170b5a6d1b94b098a2cb5f768ac8c19a939d41a6e2faad67f29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000004

Filesize
50B

MD5
031d6d1e28fe41a9bdcbd8a21da92df1

SHA1
38cee81cb035a60a23d6e045e5d72116f2a58683

SHA256
b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da

SHA512
e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data

Filesize
46KB

MD5
2a80c14a616e5497407b853386973e06

SHA1
5a52ff19961682565b1a91701da9c6b10392d3a4

SHA256
7eed53b5466a05fa3b7e096893e4afb584c77184f6a7c0f1ff33790f0246b8a1

SHA512
df2f433e08279809bc1a8b4a25ac32e8ed0dd42a2844656c14787c317e7273f192d83fef9d42401a9fc13bf124ff4e39d214cd544270e45fe9c87dd16ade39d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7f4c2d1920d903d55cd90333cfbeb22c

SHA1
1f545422008bd81a3257fb3be287afb28ba4fbfe

SHA256
1dae39ef8b6d2010abf843ed0578a913cf11b55cb89c62eb85afdde0e307e300

SHA512
69d9c33b36a9399bad7ec37667b01dbcf9e307974e047f3bcfcb3b13db64649a3e4f5829c16204bf58f76ba1cca562d39f74e9a74363cc037d857f46a306ac71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1b721b97cece2446f75c7ccb1901cd14

SHA1
0cf0ac9adad5d4cda2012747b189ed18e05794f4

SHA256
8d644ed0a09a594e7b0958380ebb2a7ec26b24b782f474fb9980debc43c8f1ec

SHA512
e0a94c5d6a7e42dc35241fa649a69e49b9518958e6118b6317464e724b8fc4473d8b2391a84209db02a2318fbbac93a354d6520270d7d2f5a78af1d1899a2c80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
81b62bb1f79b375778f2997e6df9cfe3

SHA1
106b1fa7bfa0c918b242142c58e13100ff16aa77

SHA256
dd8d6e13f2facbf36e99a06defebd93cfba6df7aa4946fcd4891199ee6f4bdbe

SHA512
9d2706c28c671da5ae537fe8de86155e60cce5b3fe0e264c40189fab31f974dfdd6c0967eed13726d43059859be439d3961c13209ef8584ac3c38e0a4bfd146c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
0b35c5c130cae7e71418b4c4d6986585

SHA1
d20035f996f21f45442f22d98862f3f0d8418bff

SHA256
5170103482fc56a808dcfd7b9bac59d289d1078f5cf2a425bd320184487d7574

SHA512
e1a09064a2edf9666461eb18068a5b2ca112ed09e40b75ee497dce8ea5537bc2a79bc81e8ded12db9f36fcfdd2f5ff729994400653f7b94a66b13e8ce15b0faa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
0a41db2536b1e3f2940cf024a731cc7f

SHA1
4c89e983d818d74cdfb54ad53b086233d3ecfe7f

SHA256
0ac0b8cd84791ad292815fef4a588819b2999819e6c40f13c2a3851edcd9227a

SHA512
24d1e4dc47171ee4e7dfc172469fae35372cb600e47cf0ba772ec1c1a0fa3485ee92b2ad42dff908f053c0f81b252d1a3de42d1b4741808ab427327013b2ebaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
21a1c015d00cf4ab11f1a2bbc6d9118a

SHA1
b6250414c4996ab20d6ca48c5165e551d8107ab2

SHA256
e49a835cf130ba97c006be4c8ee656597e9a03ffe2043faa79c27a026714bbd0

SHA512
8ffab39162bdbca215343ef98e199be37ffcbec88e458cbf1a69d612cdc6c35285cc504e1127462bd41caf720aabff8338fbff350fb17c804a0cd2d5b6e1ff30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
c7d0371ac97fcbaaac3747c963dc7c8c

SHA1
34ba5e72b07083d2b0255fd07c7943352dfde75e

SHA256
5355b5bdfe1093da92a64774944424a386ec2a2b82e28bc772a8a02925726e5f

SHA512
e66e1584bc914cd46f1a7a29ab7bb7da483cf82306fa715342c1fe96f2cec63d3eff31e56479bbec8a75dfde1a8cbc9dbe7221e8a0d5dcec957e314b786c09da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
3c366641137517cd36cd038da8cbffad

SHA1
5c461bce1a6d8735d86c40da7be4b48b1b93f1dd

SHA256
cf2ba06538f606fa67c242bd85eb0bb75d4f556ffe05d9e4b7f699e121e1ea31

SHA512
e17c55f439da8bc82d08f94996340dc460c985cb5f356a608af98482aca263bcf31aa561cb7e22b89685831b0b4e81eb3de539ea8cefa56cdb5767ec23e4321e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
95279a50e0aa13170b06e964f226fa61

SHA1
1baf951be94c232c4b6ca558033495f92d069e3d

SHA256
3b41df9ae0225a642ab636e6cd1ee0b85e8c188d5ecca0021c658eb6849dc99f

SHA512
86906367be78849953b014ba56c9c5777a379cb686f1f0a636f574805585a66c6b5e466ef3d75804fe9005a54d60b628e58f10f5e280753e6631a16f7ecac739

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
5f3c79f1a67e1b988ce95141ef52019e

SHA1
65adf0a7243a23ce956f534503460e89f431b533

SHA256
8eca8ae5a2d005a4ae75acee328d3adce72ddc4f37e8c44d9dbcf2e8b4ccdd30

SHA512
42161a5ba4d3a813819f3dc0c1abee9b56043a8dbabff41ea57731039d5f0b205895e52f8c83f1bb9b29d87d04ce5e9c8dd4440005b3e387e78dd9863ed08486

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
b754703c00ae7cd0d149fa904850c7d6

SHA1
11a30f17e6ae36dae78570f6ae81facfc7e0d372

SHA256
7a1aab0de135975327ef7a4020e0bcf064be7a531e49b66184df8be96e944e90

SHA512
5107aed747e7848f51c437e242583efdc7b1905d2bc854fe897fa4f030e7634df38f53f7c9a57ebd942db64eb19f986fae9c4db811cbab7f2d22abf3a9538a1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
249B

MD5
255fbede64afa03cb346434d595b06eb

SHA1
93e93d01934643a2f53347ae08b2f3b9412850b4

SHA256
4242409466fc033da34cb1edf30331d45ce0f9c13936d73c258947b0cb2c8676

SHA512
755ea386bb048d9e1a0ff1bc007b8c32c974313288de2999742d6ddd839dc1f14c07a1f308749b39f9ffafbe8d540824532ec90b364d0b12060165a1f64774dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13331060127362000

Filesize
4KB

MD5
b8e1c2ebf52e509b2448538d2238b4c1

SHA1
bb552c3f245f8b8e08b1a1b1537d5967fc05113e

SHA256
c9a2045e2747a57040ed74cb46ae75aae98d5e344f688085fec6db3faec34e09

SHA512
8996ce51cd0f16b1002e5d67ac125ada3df183e87428af3a271ede21dbb33d57b9fcf53de0be82851b0f51a0ac1f8a2aed339fad0a61c988f22e1da6e0a2d849

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000005.ldb

Filesize
130B

MD5
0d30bb8b60f3c477b7f5bee76de87a5e

SHA1
754db054cc38503c0a7b261489b25208749dce50

SHA256
7d66803b525484d42d0699ed1a2370028b7aa21ce173ea3cb9331cb80d01b695

SHA512
fb43e45b6676ea12643127731a1d3fcd783c16b4b6aba0d31ea93af19020248d766ea877a7abfdfe484e70bd4c2ed8d66f44ac2c3da38885b3edbad41ef68c43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
249B

MD5
809de120af836d3496c2921e1bf23b81

SHA1
6a73d2a8974f0eb792750c935f4bc5173952422b

SHA256
d11307a95768a48f67813e4b9ae523b3092fc9ad48b83548d748cafa0ad492ff

SHA512
8007dba7c46db69e38d6e805f02d99c2ebe451d69340aee38898dd4e56b812188b29c2dc803bbf7e1953cddfff9187c0c9c7a60c23e1cf0895cbe05dacbf3a7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000004

Filesize
107B

MD5
f3a604cc1687a04eaabc91b49ed90eac

SHA1
507d0c1334e11f23da43bb9c8702652511893d03

SHA256
628a12f2ebfd6d19731a8a362956c95803f1d909293f6936542fb458d8be1a39

SHA512
a49c1632af45f2a938c2752aeb67e254e92a04bff91affe95952ba7960a60ec143639565790898d55a5ac4d5eb34c2dab1b93e295840d4e30cf3b16d913a7806

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb

Filesize
136B

MD5
fe382e791274914bee5950777e4f1fd3

SHA1
53b523b5fc87e66f2520a0b5f9ea080072668f4d

SHA256
935d36c021d0e08a5648c622f3f6fde376e3310013680ae598c0e22dc943d132

SHA512
a5f608fb4f0a1dbc4c5d1b739b1a5b6f50cac1d6a61312b19abf9f601882a291d73524ac55bbe183e4e64db8dcc203d4bf3cedc734fd04bd448cb825d98d1e67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
249B

MD5
ba50a6cc359e0b97459de28f5704aa15

SHA1
46a30c7ec07007b2914d6538132ebe1af3b5c9f4

SHA256
719dc88124d6286e1f0d5b3f873c5f1bedd4e51ef17936ed54527b2e79052cc8

SHA512
937e512af250d502da01dd67d49d484c0b5173222f4ee56fdcaa7d7ad563a6b44d5b391ceb651d62dc13b7ea4c86f57295f91597d52ee9c44120f1f870221be2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000004

Filesize
117B

MD5
63d832bd47d6e550eaef754596d8fdaa

SHA1
3b11fd4048f84fe5143057e7e90a42c4220e1807

SHA256
4dd9ab33b9f8a5aa6b190ee3a88133be4d10b5dfdeff0c3ca060b825ff6420dd

SHA512
586287b26249591e5ae5ba0847bfcb3c3c4bbfb0cef433ecfb2052bbf0f37527bb72ddc57447c37c6879f50a28c96575b911fd121c3f145a061ff57ccacf479c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f0c715bf-6cbc-429b-ae88-066e83776454.tmp

Filesize
4KB

MD5
f5de6564865e33e3509a5caee3268d4c

SHA1
791804d89b2d8c5dabe5d30f8f5df88cfa1ab6c7

SHA256
e4d776d69718e39b5d7e89d2dc2ec51779337a7ee38a045f31cacffd251bd434

SHA512
017bd2578307d918475917b6327a9ebdd23f42d2d842128f27869f6332477ccb613b76ca669e25af716ed63f07309fc8ba8438e752df8fdf0d9e788a0dcc306f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
247B

MD5
01c5a52d02c991bd0f24e4366ce7a438

SHA1
2fb9196f341fa593530ce429810eae7b3cbba89d

SHA256
167348021137035b25e8dd046cf8f39d95d9e8bf9f0d7694329e11c34ee42a50

SHA512
c92304bf6f52e126174c9606a89b5efdfcb33a6fd3416cefaa7970c401ab3e979b342b8890923e3edb4dfc75ae21b9681f4bf2d05f82b3ef363c4aeaf54ed7bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000004

Filesize
50B

MD5
494e626a5079642efed0f0c7f38bd4ef

SHA1
0cbead74a33ad551eae3b25c213d3b080535589b

SHA256
9ce8bd68fe0b86c0bf2067d549e7b93bc1c24f12bdfd227aba521e9d7e704436

SHA512
659bc9699799757dec5b257d78949d378caf03001890f7ae24d28055cff7175d85f8ea14393048aab1c0ba460082f568e5f4bfacdb8921f006f98989293fe78d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000006.log

Filesize
637B

MD5
ccd3a290c5924443292079a0d52ba3ba

SHA1
e4fae1916d170c7e87ea8c10b00d0af02d6be302

SHA256
89acd81f3f60c320528239ce4b5a5461e2f73e3bdc853f083c32612fcbe58aca

SHA512
44876e8158924480bad2f6cd17152cb12216cff40470912f81ac650da67756b1bfd833abe352d3d2792397a05bf4a1fee97b1b91e1dccea4f2c70792fb58537d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
249B

MD5
1941fac5b57da4fe4fdfbd6e5c2cea7e

SHA1
cd3f17137656d0dd7a250d77ef973e300b1a62a4

SHA256
bd26b259f531d216ebd0440152b5921df78f376713f92403765a60bc997166ff

SHA512
31627b537cee7e4aa158ca423a63b39cdd9e091ba1bf8374aa7e6ba6636b8cb442b594eb532e2ad76cc7eed9ea78e52409f4548c43412d8272857ea0d7013ace

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000004

Filesize
84B

MD5
be2a12b06745bb5de6254b2592d8ab20

SHA1
19a3dc035140689628e54095af6c4b4dae44b55d

SHA256
29e140732c7fc2d81fb1f506cc94386ce55f27446f9277e66236080cdf6f5944

SHA512
fad84027f46c0d4e4fb0357c15d77f7a86c941042ce538e0e89e5b8c477ed3cb46e262e3a3da186eadbb266c9288965c7299b4dc2a7ae1b346230dc48a7ecdba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
159KB

MD5
aa9105cb099d08fe621005815cfb610d

SHA1
5a25e1cdd110b3db19922c5b0c604f938d98b188

SHA256
a0119e8ad11db3f378d52af852aaa91f7abde2afab0b841e88dee0a305561025

SHA512
6a04c1f14907c502a651c783138790e7ae2d134639407f622649097fd46d5806d830bd8351001b01f87578cfbf3235da1bbf435bc32d9b4def5cf30a48deb3ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
159KB

MD5
a64f5b2b943b513510f783d3c0b763d8

SHA1
f4bf375980b8b0f21661a8466fefed71d954ad31

SHA256
014efa20b8d30091057d3b2ebda0660a94ee5bc28f600e96908ed808710473f1

SHA512
526fb7c8560cec3cedb08694c72f59be632e1f5a9fbf4d5cd9f3466e7d770d1faae89f0e7f0e9fe906c7e3461366883646a636d536905a834fdc24f45bccc17f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
3b4869460d84233c7a6df207a62c6cce

SHA1
c218f1b7144bcf0dd3dad61045fc8cf942bdf734

SHA256
f8d69447daffd654d77f05b491e496d27bbce1ea5ad771b5e09dd3e4dea9f2fe

SHA512
d5cd96b1c8c09f48d2ab5d381c45c8f8eac3a8e717132864c970a8f31d415eb96ff61e4b38f762ab3636321b620be62c9cab6bb6eeafd0bf50e26978d4a37cf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\d0faa98f-636d-46e0-a874-c748d73f3ab6.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC610.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC720.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\msagentsessionruntimemonitor\Q2YeCqE8qxd61K1ktFeXh5Nj.vbe

Filesize
233B

MD5
9719764b189e753dd43947095a6f02b7

SHA1
33e872f83f5370d00a3a462df8c273d23c11ccb0

SHA256
0dff1318f84f87d552e7e01a08de8da13ef87f048aa58ef6d5ce5d8fd3bc52d9

SHA512
7fd88d9f96bc9c26ef007c872f4221b2b2a0a04db505fbaaa89148be8720d65fc6edd7a5ffc411db58bb218f098158889874a1e19f0ba9b7511107220c512e03

Download Submit
C:\Users\Admin\AppData\Roaming\msagentsessionruntimemonitor\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\Users\Admin\Desktop\AnonFileApi.dll

Filesize
293KB

MD5
7a2d5deab61f043394a510f4e2c0866f

SHA1
ca16110c9cf6522cd7bea32895fd0f697442849b

SHA256
75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69

SHA512
b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0

Download Submit
C:\Users\Admin\Desktop\CHEAT and Bypass Matrix.exe

Filesize
2.8MB

MD5
642032685b8048204bf59668a7ed48c9

SHA1
910555e0aa8b52cc5210f6523bde469f0f3e90fc

SHA256
5ad5e035ba717e1db0bf6b1dde36d4da4a25d6156c3f51ca8c44ed075b57c043

SHA512
91cc4c1c41dab2442b9b73b4e3196c780738aca8d2a186c4d6c3e7b63c7d9bfafce56962ffb395d070c1b7ec1e3b709bcb59c14fb9f513d5106310f6bd77b20c

Download Submit
C:\Users\Admin\Desktop\CHEAT and Bypass Matrix.exe

Filesize
2.8MB

MD5
642032685b8048204bf59668a7ed48c9

SHA1
910555e0aa8b52cc5210f6523bde469f0f3e90fc

SHA256
5ad5e035ba717e1db0bf6b1dde36d4da4a25d6156c3f51ca8c44ed075b57c043

SHA512
91cc4c1c41dab2442b9b73b4e3196c780738aca8d2a186c4d6c3e7b63c7d9bfafce56962ffb395d070c1b7ec1e3b709bcb59c14fb9f513d5106310f6bd77b20c

Download Submit
C:\Users\Admin\Desktop\DotNetZip.dll

Filesize
448KB

MD5
6d1c62ec1c2ef722f49b2d8dd4a4df16

SHA1
1bb08a979b7987bc7736a8cfa4779383cb0ecfa6

SHA256
00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c

SHA512
c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2

Download Submit
C:\Users\Admin\Desktop\Matrix Bypass.exe

Filesize
632KB

MD5
9238be200dbf0dbe0466ebff4db56301

SHA1
c1f411c2b8ff7b7bbb77b03340364d54247f99c9

SHA256
0758146425c10208d3c8000b444e5f3d1ef203918e1b60a9f9f01214564fb9c5

SHA512
daa98e642df2dd60a4c00384aa8ac77c5474264c55392e8aa07156f717a38bddd51bb882b90dfa9da9ff2e9cbd9b235a05d278119b7492027bf18e5530b41d38

Download Submit
C:\Users\Admin\Desktop\VapeInstaller.exe

Filesize
632KB

MD5
9238be200dbf0dbe0466ebff4db56301

SHA1
c1f411c2b8ff7b7bbb77b03340364d54247f99c9

SHA256
0758146425c10208d3c8000b444e5f3d1ef203918e1b60a9f9f01214564fb9c5

SHA512
daa98e642df2dd60a4c00384aa8ac77c5474264c55392e8aa07156f717a38bddd51bb882b90dfa9da9ff2e9cbd9b235a05d278119b7492027bf18e5530b41d38

Download Submit
C:\Users\Admin\Desktop\Пароли Microsoft Edge.csv

Filesize
244B

MD5
e8f9fa7a9211e7554f027bf328784229

SHA1
f78cbb1914f0184e2070283db8b3e783e864cefb

SHA256
52f531d5314dd9c1f1c213fb74718e314c2376b3e8221c58e32cf680c0a9a30c

SHA512
4efd377338cf6bd03479feb188160258df800f52d587f1d33aea12ea6c152921ec5f61a84cd3e255d8612ef51bbd89d649e28084623243cf279f6852c3343702

Download Submit
\Users\Admin\Desktop\MatrixHackByFilard.exe

Filesize
309KB

MD5
05c3624435fda6bddfd80b5d337eb2a4

SHA1
cab9431c6a2bf87a909e435731992708dc508034

SHA256
96a14d1422dc0f5889cdb4d2e110b5dac6c638167509ddf728b9c84f3af40aae

SHA512
f6f79c95c84c812e8a4112f63d49e896e1034d6cfb56bad598188d47a2dd2e5b3dc29f858b25b4a69136fec890e8faf6803954b5b6259b632da7145b7e5405f7

Download Submit
\Users\Admin\Desktop\MatrixHackByFilard.exe

Filesize
309KB

MD5
05c3624435fda6bddfd80b5d337eb2a4

SHA1
cab9431c6a2bf87a909e435731992708dc508034

SHA256
96a14d1422dc0f5889cdb4d2e110b5dac6c638167509ddf728b9c84f3af40aae

SHA512
f6f79c95c84c812e8a4112f63d49e896e1034d6cfb56bad598188d47a2dd2e5b3dc29f858b25b4a69136fec890e8faf6803954b5b6259b632da7145b7e5405f7

Download Submit
\Users\Admin\Desktop\MatrixHackByFilard.exe

Filesize
309KB

MD5
05c3624435fda6bddfd80b5d337eb2a4

SHA1
cab9431c6a2bf87a909e435731992708dc508034

SHA256
96a14d1422dc0f5889cdb4d2e110b5dac6c638167509ddf728b9c84f3af40aae

SHA512
f6f79c95c84c812e8a4112f63d49e896e1034d6cfb56bad598188d47a2dd2e5b3dc29f858b25b4a69136fec890e8faf6803954b5b6259b632da7145b7e5405f7

Download Submit
\Users\Admin\Desktop\RussiaHack.exe

Filesize
311KB

MD5
65faddab9784289f8ba392f328871227

SHA1
77899e516c9025c0dff0e66127b1cfe00c20131b

SHA256
f250bc5734ffad4a59e2cb017f85e495fc8070056c01c5002470567b7179f62d

SHA512
9792de8310e1b87289a5503a2f49f3604d64fae72392d72913cd446f7382be5ba28e8e53558b706fabc424e4f2febd56bd508a327a8e735ac981ac51891f7699

Download Submit
\Users\Admin\Desktop\RussiaHack.exe

Filesize
311KB

MD5
65faddab9784289f8ba392f328871227

SHA1
77899e516c9025c0dff0e66127b1cfe00c20131b

SHA256
f250bc5734ffad4a59e2cb017f85e495fc8070056c01c5002470567b7179f62d

SHA512
9792de8310e1b87289a5503a2f49f3604d64fae72392d72913cd446f7382be5ba28e8e53558b706fabc424e4f2febd56bd508a327a8e735ac981ac51891f7699

Download Submit
\Users\Admin\Desktop\RussiaHack.exe

Filesize
311KB

MD5
65faddab9784289f8ba392f328871227

SHA1
77899e516c9025c0dff0e66127b1cfe00c20131b

SHA256
f250bc5734ffad4a59e2cb017f85e495fc8070056c01c5002470567b7179f62d

SHA512
9792de8310e1b87289a5503a2f49f3604d64fae72392d72913cd446f7382be5ba28e8e53558b706fabc424e4f2febd56bd508a327a8e735ac981ac51891f7699

Download Submit
memory/1664-439-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/1664-417-0x0000000000600000-0x0000000000656000-memory.dmp

Filesize
344KB

Download
memory/1664-436-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/1664-437-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/1664-430-0x000000001B020000-0x000000001B0A0000-memory.dmp

Filesize
512KB

Download
memory/1664-413-0x0000000000F90000-0x0000000001220000-memory.dmp

Filesize
2.6MB

Download
memory/1664-414-0x00000000001D0000-0x00000000001EC000-memory.dmp

Filesize
112KB

Download
memory/1664-415-0x00000000001F0000-0x0000000000206000-memory.dmp

Filesize
88KB

Download
memory/1664-416-0x0000000000140000-0x0000000000150000-memory.dmp

Filesize
64KB

Download
memory/1664-435-0x0000000000320000-0x0000000000332000-memory.dmp

Filesize
72KB

Download
memory/1664-427-0x0000000000210000-0x000000000021C000-memory.dmp

Filesize
48KB

Download
memory/1664-440-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/1664-438-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/1668-447-0x000000013FDE0000-0x000000013FE30000-memory.dmp

Filesize
320KB

Download
memory/1668-476-0x000000001B8A0000-0x000000001B920000-memory.dmp

Filesize
512KB

Download
memory/1668-451-0x0000000000550000-0x0000000000556000-memory.dmp

Filesize
24KB

Download
memory/1668-450-0x00000000021B0000-0x0000000002224000-memory.dmp

Filesize
464KB

Download
memory/2188-620-0x000000001AFC0000-0x000000001B040000-memory.dmp

Filesize
512KB

Download
memory/2188-496-0x0000000000CF0000-0x0000000000F80000-memory.dmp

Filesize
2.6MB

Download
memory/2188-588-0x000000001AFC0000-0x000000001B040000-memory.dmp

Filesize
512KB

Download
memory/2188-594-0x000000001AFC0000-0x000000001B040000-memory.dmp

Filesize
512KB

Download
memory/2188-619-0x000000001AFC0000-0x000000001B040000-memory.dmp

Filesize
512KB

Download
memory/2188-521-0x000000001AFC0000-0x000000001B040000-memory.dmp

Filesize
512KB

Download
memory/2188-497-0x000000001AFC0000-0x000000001B040000-memory.dmp

Filesize
512KB

Download
memory/2584-648-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/2584-672-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/2592-516-0x000000001BD50000-0x000000001BDD0000-memory.dmp

Filesize
512KB

Download
memory/2592-492-0x000000001BD50000-0x000000001BDD0000-memory.dmp

Filesize
512KB

Download
memory/2592-487-0x0000000000540000-0x0000000000546000-memory.dmp

Filesize
24KB

Download
memory/2592-486-0x0000000000590000-0x0000000000604000-memory.dmp

Filesize
464KB

Download
memory/2592-485-0x000000013F2F0000-0x000000013F340000-memory.dmp

Filesize
320KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads