latrodectus | 77193958e40ce9825a99c53a1c5b3c90e72b0cedeee3e23b0282e27d6ebdaddd

Analysis

max time kernel
270s
max time network
272s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1625ac230aa5ca950573f3ba0b1a7bd4c7fbd3e3686f9ecd4a40f1504bf33a11.dll
Size

885KB
MD5

74143402c40ac2e61e9f040a2d7e2d00
SHA1

4053dc85bb86c47c63f96681d6a62c21cd6342a3
SHA256

1625ac230aa5ca950573f3ba0b1a7bd4c7fbd3e3686f9ecd4a40f1504bf33a11
SHA512

4aa55b859f15be8b14c4a0ff6f3971f49b47c1c8c8427f179eb4ab0c76e321441adfd173469facb12aae1e81e25f1328fd621214b42e66f690ba4e9ee1e54cf9
SSDEEP

12288:gfPSAAUHV4fZUv/TrguVTax7hNRu18VA8JFoxMk/wYeDKDMyAmp:qPSAAUHV4fZUvfgmaxpu1F8J6xMYHMBS

Score

10^/10

latrodectus microsoft loader persistence phishing

Malware Config

Extracted

Family

latrodectus

https://jarinamaers.shop/live/

https://wrankaget.site/live/

Signatures

Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Detect larodectus Loader variant 2 6 IoCs

loader

resource	yara_rule
behavioral2/memory/3216-0-0x00000284FC730000-0x00000284FC744000-memory.dmp	family_latrodectus_v2
behavioral2/memory/3216-5-0x00000284FC730000-0x00000284FC744000-memory.dmp	family_latrodectus_v2
behavioral2/memory/1612-6-0x0000025DB1E00000-0x0000025DB1E14000-memory.dmp	family_latrodectus_v2
behavioral2/memory/1612-7-0x0000025DB1E00000-0x0000025DB1E14000-memory.dmp	family_latrodectus_v2
behavioral2/memory/5456-505-0x000002A136700000-0x000002A136714000-memory.dmp	family_latrodectus_v2
behavioral2/memory/5456-506-0x000002A136700000-0x000002A136714000-memory.dmp	family_latrodectus_v2

Blocklisted process makes network request 1 IoCs

flow	pid	Process
406	1612	rundll32.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	procexp64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	procexp64.exe

Deletes itself 1 IoCs

pid	Process
3216	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
2260	procexp64.exe

Loads dropped DLL 2 IoCs

pid	Process
1612	rundll32.exe
5456	rundll32.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	procexp64.exe
File opened (read-only)	\??\H:	procexp64.exe
File opened (read-only)	\??\I:	procexp64.exe
File opened (read-only)	\??\K:	procexp64.exe
File opened (read-only)	\??\Q:	procexp64.exe
File opened (read-only)	\??\S:	procexp64.exe
File opened (read-only)	\??\V:	procexp64.exe
File opened (read-only)	\??\W:	procexp64.exe
File opened (read-only)	\??\J:	procexp64.exe
File opened (read-only)	\??\M:	procexp64.exe
File opened (read-only)	\??\N:	procexp64.exe
File opened (read-only)	\??\P:	procexp64.exe
File opened (read-only)	\??\E:	procexp64.exe
File opened (read-only)	\??\G:	procexp64.exe
File opened (read-only)	\??\L:	procexp64.exe
File opened (read-only)	\??\O:	procexp64.exe
File opened (read-only)	\??\R:	procexp64.exe
File opened (read-only)	\??\Z:	procexp64.exe
File opened (read-only)	\??\B:	procexp64.exe
File opened (read-only)	\??\T:	procexp64.exe
File opened (read-only)	\??\U:	procexp64.exe
File opened (read-only)	\??\X:	procexp64.exe
File opened (read-only)	\??\Y:	procexp64.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	procexp64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	procexp64.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	procexp64.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133585522085618173"	chrome.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	procexp64.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5552	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3216	rundll32.exe
3216	rundll32.exe
3216	rundll32.exe
3216	rundll32.exe
1612	rundll32.exe
1612	rundll32.exe
1612	rundll32.exe
1612	rundll32.exe
4164	chrome.exe
4164	chrome.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
1016	msedge.exe
1016	msedge.exe
2260	procexp64.exe
2260	procexp64.exe
2796	msedge.exe
2796	msedge.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
1956	taskmgr.exe
1956	taskmgr.exe
1956	taskmgr.exe
2260	procexp64.exe
1956	taskmgr.exe
2260	procexp64.exe
3688	chrome.exe
3688	chrome.exe
1956	taskmgr.exe
2260	procexp64.exe
1956	taskmgr.exe
1956	taskmgr.exe
2260	procexp64.exe
1956	taskmgr.exe
2260	procexp64.exe
1956	taskmgr.exe
2260	procexp64.exe
1956	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5552	vlc.exe
1956	taskmgr.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2260	procexp64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
2796	msedge.exe
2796	msedge.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3216	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
5552	vlc.exe
5552	vlc.exe
5552	vlc.exe
5552	vlc.exe
5552	vlc.exe
5552	vlc.exe
5552	vlc.exe
5552	vlc.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2260	procexp64.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5552	vlc.exe
2260	procexp64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 1612	3216	rundll32.exe	84
PID 3216 wrote to memory of 1612	3216	rundll32.exe	84
PID 4164 wrote to memory of 1664	4164	chrome.exe	109
PID 4164 wrote to memory of 1664	4164	chrome.exe	109
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 5076	4164	chrome.exe	110
PID 4164 wrote to memory of 4756	4164	chrome.exe	111
PID 4164 wrote to memory of 4756	4164	chrome.exe	111
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112
PID 4164 wrote to memory of 2816	4164	chrome.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1625ac230aa5ca950573f3ba0b1a7bd4c7fbd3e3686f9ecd4a40f1504bf33a11.dll,#1
1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_f31395a8.dll", #1
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ff86d44ab58,0x7ff86d44ab68,0x7ff86d44ab78
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1980,i,15112222464336103163,6738762259235080518,131072 /prefetch:2
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1980,i,15112222464336103163,6738762259235080518,131072 /prefetch:8
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=1980,i,15112222464336103163,6738762259235080518,131072 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1980,i,15112222464336103163,6738762259235080518,131072 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1980,i,15112222464336103163,6738762259235080518,131072 /prefetch:1
  2⤵
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4320 --field-trial-handle=1980,i,15112222464336103163,6738762259235080518,131072 /prefetch:1
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3604 --field-trial-handle=1980,i,15112222464336103163,6738762259235080518,131072 /prefetch:8
  2⤵
  PID:5452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1980,i,15112222464336103163,6738762259235080518,131072 /prefetch:8
  2⤵
  PID:5464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 --field-trial-handle=1980,i,15112222464336103163,6738762259235080518,131072 /prefetch:8
  2⤵
  PID:5560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4792 --field-trial-handle=1980,i,15112222464336103163,6738762259235080518,131072 /prefetch:8
  2⤵
  PID:5620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 --field-trial-handle=1980,i,15112222464336103163,6738762259235080518,131072 /prefetch:8
  2⤵
  PID:5660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4812 --field-trial-handle=1980,i,15112222464336103163,6738762259235080518,131072 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3200 --field-trial-handle=1980,i,15112222464336103163,6738762259235080518,131072 /prefetch:1
  2⤵
  PID:5808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3248 --field-trial-handle=1980,i,15112222464336103163,6738762259235080518,131072 /prefetch:1
  2⤵
  PID:5304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4184 --field-trial-handle=1980,i,15112222464336103163,6738762259235080518,131072 /prefetch:8
  2⤵
  PID:5456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1596 --field-trial-handle=1980,i,15112222464336103163,6738762259235080518,131072 /prefetch:8
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1920 --field-trial-handle=1980,i,15112222464336103163,6738762259235080518,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3688

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1948

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5572

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\StepConnect.ADTS"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5552

C:\Users\Admin\Downloads\ProcessExplorer\procexp.exe
"C:\Users\Admin\Downloads\ProcessExplorer\procexp.exe"
1⤵
PID:5772
- C:\Users\Admin\AppData\Local\Temp\procexp64.exe
  "C:\Users\Admin\Downloads\ProcessExplorer\procexp.exe"
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.virustotal.com/about/terms-of-service
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff86f7246f8,0x7ff86f724708,0x7ff86f724718
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,11012061699382832325,1256658598886653318,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2008 /prefetch:2
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,11012061699382832325,1256658598886653318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,11012061699382832325,1256658598886653318,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,11012061699382832325,1256658598886653318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,11012061699382832325,1256658598886653318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:5756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4172

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1956

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_f31395a8.dll", #1
1⤵
- Loads dropped DLL
PID:5456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\4ded0baf-390a-408c-8d2b-eedbfb25c148.tmp

Filesize
253KB

MD5
20f8899c4857a15101914d87608eafc5

SHA1
96ecb23925235a411b8f03273eac4b5dcd4e49db

SHA256
111aa33dfec967b3e33a5e3f22d98b76a3ef22923406ba3e32b580a9c19bae53

SHA512
a93d32a49661f0510409e70d960f27a0278b70fc9f8ba03226aaec72b2234ac4ab8eba0c62a54b89fe3898fe6ba0a67d1139966a5a1add85d275ea95804d375c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
48bbf2dd4aca2802d57741f39d572606

SHA1
9678cd174c8a4a63af12d12a8f84818e00ee3fcb

SHA256
01437c5fc04aff40660ddf4a226fbb2bfc052a16fe0400c6c41aa2ced78ded63

SHA512
43d599f27259d6242ccd00a6d1f6e9272f2c5c4ee3f8404976e0d58e98479e4e7c0844ef4ce78893338deb81352fc4b1737374e742169c3ca538dca0794071da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\6449a575-de3a-4b67-8480-21b858511470.tmp

Filesize
3KB

MD5
3ae8ef8292add781a34f7ea4e11788ef

SHA1
ee1101ecc55eacdf3e810cd984f6b589a9760efd

SHA256
e1bf9194dc7e29dc55c133604276de1634d368885d4e6777e80a9843aa179cc6

SHA512
da0ea6585125aa7631d17d1e70d9a33bbf249595ff1d05229abe26c3e71e7a46b7bb5261b07831fad7007a5c62ddfa42966133d2b98fb6506ca99ad53ff1e70f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7badd1a567fd90941496b348fddc9028

SHA1
392a8a10723a436b0b9b1c1740a10567da297871

SHA256
20d4385b85fbcde15dfc88f28c3fefffe191ffd1d5f89764df97ad24587b2be3

SHA512
40c7cc38f654a7d5c96c7e4462b0059006611c1b18cab4ae1fc937549bb8726a544a06fe93fbc83c91583d60b04fb2918807dd67b4f5edfa635e31d878873e80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
e970ecb63f394c0551ab20cf41c914f2

SHA1
7f5b0fa3383a470d6ae8cb45e4cc36ce3f77a148

SHA256
bb7cb17d273a2a15d511e0eb8ab811a94b0851d7db7750243a23212091d07b49

SHA512
b237131c27c2d92f835134f979ac2b64e31f25397ff5a89b05506d0cc22c390b85c18ce907da4d7c8a372cb25742096617b2abdebeca4f9000bb8a0676d22627

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
b3e5d53504522b795388f74f6e9bef81

SHA1
aa417fe08c8c7bea70544cff463284ff0ba8a7d2

SHA256
f7ee228b96205f323917359a628855b4ea50cb92d6abdc6203b11bf7891d7c3b

SHA512
abaea39df7c170862f71c35463bb7e7c9af9e9dc3e07e5e63335c0b1475dd592dc20f5b42ddb7c90a1f08117bfdda456313d8adc7f334d090b7ff5865d7805d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
102189fc5b25a6746c257e6958b7878a

SHA1
d737b9759492fd526a506eddc5766aa28127c2f9

SHA256
7eeac0245ba58b672463b641efca33cd60181f920755f5759e5ec38b3c99bcf6

SHA512
17fdb8e6dc01ed65164dd42dc0c35b3be9261d0f7be0b512fbab0725431b340a5676fa4220d3dcf16112d2737220e5a02836fa41b33c50cb29741fed14738b3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
187905ce602137a9cad368780ba96faa

SHA1
5148c7af7593ac467e84b55915f20577eac12c97

SHA256
ab67f2de7149e6097d5988846af991d6e73c97ccbb40c2558d2c20063fcd54f8

SHA512
d9f88bc35876b7043cdd4e2d8b42efe9a60848bf6c3135dc8afe24daf2e187e7cecdd3ae04e751e82f9f7e3befd5c28a02229e514a3bc1dd5887dc7f868718bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
2b209642d5822e394933c5984b634f14

SHA1
1a8b8414f457eb316f0c538a8e21e6670867b335

SHA256
a37aca21155ea2638f358a4c371e58b43d0fa0980fe88a4746e1c062bd29dd8b

SHA512
bdfc3d94d4dbab7753ebc7ee7e8f486b151972e8d0b1d493b53fa31ed4283bc8afa0f09aa0ac9e2825db3cf555592186ffcdeca18f160efa56cbbf3a9e7f26f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5d566983ac2c6bac6437d645c5a77413

SHA1
6760a0e25a980010f9fe814a1ab6db34b1b465af

SHA256
031cf60ba28958cdb14d02b0868213edf3c06a0e758fcf8b7141ef7a628b9c91

SHA512
3a5cc0b402c6b1a0c2e0339aeee1546001afe7590c6ada7ea2fe59840945e903a610489bc3b68681186a86ea6d7d1e49ae70f48305dd69121d26d6824cde1d8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d3618557b592d32f0b7216270a5eaba2

SHA1
559ae3a83eec1309e62e5597da0f8ac063eec1b5

SHA256
137b36e27b27994b51032690397debaac89a7f344a2ff026a96ab198be9b9cc2

SHA512
b3ef2c498f398a5a405e3bdcfac474ac8a36940cf03962c6ef79f449cb26c83f9ef7191fd886736a9434f233f51b588d32c99223418d3c212e4d911ec41e12c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ecb92cdb54506dc895b323d36d0426b7

SHA1
43db8b0e3db7a50bb08dcebcc14aea7aa7e3b1fb

SHA256
57316138cd0cf5087884d348f6a64c91a4dd6f8d9bfacf4726f04b052226b814

SHA512
c7fd800e3f19454d7e225efdacac0795f00bbc82d3423aab83fbe733784c1bf68bc8071d5175e8a7f971b779130c2ddcf530d38609525e28955147ba53568e80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
6b2fc1eb0e629dcd683c9421c9b73bd3

SHA1
ce581874ee4a6b83c8d41f433cc8fcf8cf01bea5

SHA256
e1ec5f1640881c1034ed9e8c78055d44a585656789e5269060f2d9af635d7eb0

SHA512
18aa4b92295747d67f78e28bc89004aa8551e13f5e915b2d6f00e95931398047a735d16784fb57ef82f1d7ccb9ca505532ec279abd5471a3018ad55a26cdb788

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
94KB

MD5
f459b4bab1fe6f950490148cb77ab882

SHA1
6ec99e888fef68d357595700fb8aa68f8dc68b17

SHA256
53fe63a38eeb094d7ed6cd52e603ff3d2b33d1c700c4054aad81e345335c6686

SHA512
3260a96c960c80845e9a927b90e4ad15a639bd20ad22e8e906cd9cff8b2687ddb38f7f7033095cb9f38185aa8cd6cd5aa8fcb1fc7c7dd2dc80cfd1ba8d39012d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe589e7d.TMP

Filesize
89KB

MD5
f6e3512170161aa2268127cad4c348c8

SHA1
cd1cb9c1e39e9d57cfdba930de6cf2b7065294e1

SHA256
08c55ae5d974e1826fcaf5575ca70d0ee9c02c0d86618e4a3815ca287e4132cc

SHA512
3374f4221565f52afc98cebedfe2d18b54162f2cab8fd0ac8b622ae086c0a2ffb51e5c861b5697a8049a5a19feb0fd0f4c34a716e7435003e0dcb93fe8bc507d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7e0880992c640aca08737893588a0010

SHA1
6ceec5cb125a52751de8aeda4bab7112f68ae0fe

SHA256
8649a39877c190ec740a5422284ec5f9ff509b30b2d7896635476873dd8824e2

SHA512
52bd0a38ca7f43b26731966035045b1cbd8b60b2d81bdf9aad791cf444da8af8b722ebf3cb364a6e660bebdf23084eb0e30bc23562575b704801669817549f8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e2f0fe48e7ee1aad1c24db5c01c354a

SHA1
5bfeb862e107dd290d87385dc9369bd7a1006b36

SHA256
f13b3ebe8d71bd0086d5bb82364c35f59a95d32b39753af251e8639360e291a9

SHA512
140d026437fd5e8a874cd00b03950c8f010e1a0732a0a1cc5bdde477e7f8315ccb95790bb4c15b8dbaab9468ad532eb885b6c429300a64e39412d976d079324e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
384B

MD5
c6db153587537309a6dead1d484433f6

SHA1
8bb82b1e201a9a00906f9933ab28ea632ca9644f

SHA256
b67d7fbf7d30b966ac562f29d0719c895ccc8135d0444e359651bb0ed487a43a

SHA512
349af7710a1f3c861aae4a7fc48d2239bed9dda2b8297b321c50519092e1180644ca53f5ad35efc2a6dff709d01c912c2a8479cf6007f87e91e5d2b8dd794fc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
29857b07ca5e653a6cfa6a1cdfcace56

SHA1
33c6ccc604d478338c32f8bff51256e5b4087a73

SHA256
a66d18dc363ec6158338d5b570e63f9c6e26bba9ea79f863b73db65807561a79

SHA512
4ad1b790ca0dc1dc0e938edf808f6878fcaf923eb8c827ed2520a68ac9cf42a9f04fd69e097c371c8281aed30d4d7d1154334476162e1b9f7cd2c45adad133a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8264875728096e713077923c46b3464a

SHA1
581642f1a600823750ff0c4d13fc446ba6a5737d

SHA256
3e1acac4b1ffc69a3cca4b65e7d16c7eb297f059e46a2de86e21fae058d18a8d

SHA512
56612d0202b155b34dea51e58bf8d75982dc6da6a17f1080c7b1eac99bf113ea3ee6b9f28188b1a5820dcca9a437decf9a66cc03c8a6ba100492fa622ae556ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5a685c15acadff819334bb4d7c0eb749

SHA1
8b2b6861b6679b16b5ab12cbd4876e9144cd5999

SHA256
0b854479168289822a154c55ab97c0cc31f793a961e9ad9bb1f903d71d76ce0f

SHA512
0e01ddbe73632c4fed37adc2cd70d8236a2ff9359f9351c0feb25a9e340febb8c2ee42633485911ee784f77c2e1477bfa557b32e280ae788cc8e37db6336db79

Download Submit
C:\Users\Admin\AppData\Local\Temp\procexp64.exe

Filesize
2.3MB

MD5
a0773a1a0102cfe56855b95b654ff400

SHA1
809fc843f89a49f3a56c8d8552e3fd6d1fa1bebe

SHA256
35bd4e71b67655192a2b5159e7a7303d8332cd81df2842bf2679d92adbf57e25

SHA512
9ff45c55338300f0f47219732a0252a856f305000f22955f1e6207ec131d8896f7564c621864ecec4228a488e786cad5e1a127230e60f031a83072c988c73d47

Download Submit
C:\Users\Admin\AppData\Roaming\Custom_update\Update_f31395a8.dll

Filesize
885KB

MD5
74143402c40ac2e61e9f040a2d7e2d00

SHA1
4053dc85bb86c47c63f96681d6a62c21cd6342a3

SHA256
1625ac230aa5ca950573f3ba0b1a7bd4c7fbd3e3686f9ecd4a40f1504bf33a11

SHA512
4aa55b859f15be8b14c4a0ff6f3971f49b47c1c8c8427f179eb4ab0c76e321441adfd173469facb12aae1e81e25f1328fd621214b42e66f690ba4e9ee1e54cf9

Download Submit
C:\Users\Admin\Downloads\ProcessExplorer.zip.crdownload

Filesize
3.4MB

MD5
0102edc43a54dd4185e86c0a22e7b3d8

SHA1
3570e09220b011435518e37b73407a905517f2e8

SHA256
c50bddaaacb26c5654f845962f9ee34db6ce26b62f94a03bb59f3b5a6eea1922

SHA512
d0121f68dd4e311e0220c9fa92430dba0a202f5a8b9f7839681f4b4418015a01bd8f5d71b5c229b6768b05bcf5eb0f33f3e51f70c0a8d7be688a744df60bdcbf

Download Submit
memory/1612-6-0x0000025DB1E00000-0x0000025DB1E14000-memory.dmp

Filesize
80KB

Download
memory/1612-7-0x0000025DB1E00000-0x0000025DB1E14000-memory.dmp

Filesize
80KB

Download
memory/1956-477-0x000002B44BA90000-0x000002B44BA91000-memory.dmp

Filesize
4KB

Download
memory/1956-485-0x000002B44BA90000-0x000002B44BA91000-memory.dmp

Filesize
4KB

Download
memory/1956-488-0x000002B44BA90000-0x000002B44BA91000-memory.dmp

Filesize
4KB

Download
memory/1956-487-0x000002B44BA90000-0x000002B44BA91000-memory.dmp

Filesize
4KB

Download
memory/1956-486-0x000002B44BA90000-0x000002B44BA91000-memory.dmp

Filesize
4KB

Download
memory/1956-484-0x000002B44BA90000-0x000002B44BA91000-memory.dmp

Filesize
4KB

Download
memory/1956-483-0x000002B44BA90000-0x000002B44BA91000-memory.dmp

Filesize
4KB

Download
memory/1956-476-0x000002B44BA90000-0x000002B44BA91000-memory.dmp

Filesize
4KB

Download
memory/1956-482-0x000002B44BA90000-0x000002B44BA91000-memory.dmp

Filesize
4KB

Download
memory/1956-478-0x000002B44BA90000-0x000002B44BA91000-memory.dmp

Filesize
4KB

Download
memory/3216-0-0x00000284FC730000-0x00000284FC744000-memory.dmp

Filesize
80KB

Download
memory/3216-5-0x00000284FC730000-0x00000284FC744000-memory.dmp

Filesize
80KB

Download
memory/3216-3-0x0000000180000000-0x0000000180184000-memory.dmp

Filesize
1.5MB

Download
memory/5456-505-0x000002A136700000-0x000002A136714000-memory.dmp

Filesize
80KB

Download
memory/5456-506-0x000002A136700000-0x000002A136714000-memory.dmp

Filesize
80KB

Download
memory/5552-326-0x00007FF8808C0000-0x00007FF8808F4000-memory.dmp

Filesize
208KB

Download
memory/5552-329-0x00007FF868000000-0x00007FF86810E000-memory.dmp

Filesize
1.1MB

Download
memory/5552-325-0x00007FF65AA00000-0x00007FF65AAF8000-memory.dmp

Filesize
992KB

Download
memory/5552-327-0x00007FF869440000-0x00007FF8696F6000-memory.dmp

Filesize
2.7MB

Download
memory/5552-328-0x00007FF8579F0000-0x00007FF858AA0000-memory.dmp

Filesize
16.7MB

Download