nanocore | hxxps://t[.]ly/Dol17

Resubmissions

13-05-2024 13:04

240513-qbcpssge34 10

13-05-2024 12:52

240513-p4js5sfc6v 1

Analysis

max time kernel
598s
max time network
601s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://t.ly/Dol17

Score

10^/10

nanocore execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

december2nd.ddns.net:65024

december2n.duckdns.org:65024

Mutex

2c009a56-c28c-48f4-8875-acf9e1222e9f

Attributes

activate_away_mode
false
backup_connection_host
december2n.duckdns.org
backup_dns_server
buffer_size
65535
build_time
2024-02-17T09:12:36.211032636Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
65024
default_group
NO GREE
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
2c009a56-c28c-48f4-8875-acf9e1222e9f
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
december2nd.ddns.net
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4008 powershell.exe
3308 powershell.exe

pid	process
4008	powershell.exe
3308	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

63HiIJrDNvEfDcl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	63HiIJrDNvEfDcl.exe

Executes dropped EXE 3 IoCs

Processes:

63HiIJrDNvEfDcl.exe63HiIJrDNvEfDcl.exe63HiIJrDNvEfDcl.exe

pid process

4948 63HiIJrDNvEfDcl.exe
3564 63HiIJrDNvEfDcl.exe
208 63HiIJrDNvEfDcl.exe

pid	process
4948	63HiIJrDNvEfDcl.exe
3564	63HiIJrDNvEfDcl.exe
208	63HiIJrDNvEfDcl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

63HiIJrDNvEfDcl.exe

description pid process target process

PID 4948 set thread context of 3176 4948 63HiIJrDNvEfDcl.exe RegSvcs.exe

description	pid	process	target process
PID 4948 set thread context of 3176	4948	63HiIJrDNvEfDcl.exe	RegSvcs.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Program Files (x86)\DDP Service\ddpsv.exe	RegSvcs.exe
File opened for modification	C:\Program Files (x86)\DDP Service\ddpsv.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2212 schtasks.exe
4044 schtasks.exe
2376 schtasks.exe

pid	process
2212	schtasks.exe
4044	schtasks.exe
2376	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133600791121035717"	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

chrome.exechrome.exe63HiIJrDNvEfDcl.exepowershell.exepowershell.exeRegSvcs.exe63HiIJrDNvEfDcl.exe

pid	process
4356	chrome.exe
4356	chrome.exe
2848	chrome.exe
2848	chrome.exe
4948	63HiIJrDNvEfDcl.exe
4948	63HiIJrDNvEfDcl.exe
4948	63HiIJrDNvEfDcl.exe
4948	63HiIJrDNvEfDcl.exe
4948	63HiIJrDNvEfDcl.exe
4948	63HiIJrDNvEfDcl.exe
4948	63HiIJrDNvEfDcl.exe
3308	powershell.exe
3308	powershell.exe
4008	powershell.exe
4008	powershell.exe
4948	63HiIJrDNvEfDcl.exe
3308	powershell.exe
4008	powershell.exe
3176	RegSvcs.exe
3176	RegSvcs.exe
3176	RegSvcs.exe
3176	RegSvcs.exe
3176	RegSvcs.exe
3176	RegSvcs.exe
3176	RegSvcs.exe
3176	RegSvcs.exe
3176	RegSvcs.exe
3176	RegSvcs.exe
3176	RegSvcs.exe
3176	RegSvcs.exe
3176	RegSvcs.exe
3176	RegSvcs.exe
3176	RegSvcs.exe
3176	RegSvcs.exe
208	63HiIJrDNvEfDcl.exe
208	63HiIJrDNvEfDcl.exe
208	63HiIJrDNvEfDcl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

3176 RegSvcs.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

4356 chrome.exe
4356 chrome.exe
4356 chrome.exe
4356 chrome.exe
4356 chrome.exe
4356 chrome.exe
4356 chrome.exe

pid	process
3176	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zG.exe

description	pid	process
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeRestorePrivilege	2900	7zG.exe
Token: 35	2900	7zG.exe
Token: SeSecurityPrivilege	2900	7zG.exe
Token: SeSecurityPrivilege	2900	7zG.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

Processes:

chrome.exe7zG.exe7zG.exe7zG.exe

pid	process
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
2900	7zG.exe
4356	chrome.exe
4356	chrome.exe
4016	7zG.exe
1944	7zG.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe

Suspicious use of SendNotifyMessage 36 IoCs

Processes:

chrome.exe

pid	process
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

OpenWith.exe

pid process

3564 OpenWith.exe
3564 OpenWith.exe
3564 OpenWith.exe
3564 OpenWith.exe
3564 OpenWith.exe
3564 OpenWith.exe
3564 OpenWith.exe

pid	process
3564	OpenWith.exe
3564	OpenWith.exe
3564	OpenWith.exe
3564	OpenWith.exe
3564	OpenWith.exe
3564	OpenWith.exe
3564	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4356 wrote to memory of 396	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 396	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 1204	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 4032	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 4032	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3756	4356	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://t.ly/Dol17
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0c0fab58,0x7ffb0c0fab68,0x7ffb0c0fab78
2⤵
PID:396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1824 --field-trial-handle=1836,i,2874449111321721696,8065507534511244947,131072 /prefetch:2
2⤵
PID:1204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1836,i,2874449111321721696,8065507534511244947,131072 /prefetch:8
2⤵
PID:4032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1836,i,2874449111321721696,8065507534511244947,131072 /prefetch:8
2⤵
PID:3756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1836,i,2874449111321721696,8065507534511244947,131072 /prefetch:1
2⤵
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1836,i,2874449111321721696,8065507534511244947,131072 /prefetch:1
2⤵
PID:1720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1836,i,2874449111321721696,8065507534511244947,131072 /prefetch:8
2⤵
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 --field-trial-handle=1836,i,2874449111321721696,8065507534511244947,131072 /prefetch:8
2⤵
PID:3288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1836,i,2874449111321721696,8065507534511244947,131072 /prefetch:8
2⤵
PID:2796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=1632 --field-trial-handle=1836,i,2874449111321721696,8065507534511244947,131072 /prefetch:1
2⤵
PID:1836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5076 --field-trial-handle=1836,i,2874449111321721696,8065507534511244947,131072 /prefetch:1
2⤵
PID:4744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5044 --field-trial-handle=1836,i,2874449111321721696,8065507534511244947,131072 /prefetch:8
2⤵
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5228 --field-trial-handle=1836,i,2874449111321721696,8065507534511244947,131072 /prefetch:8
2⤵
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5044 --field-trial-handle=1836,i,2874449111321721696,8065507534511244947,131072 /prefetch:1
2⤵
PID:3744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2432 --field-trial-handle=1836,i,2874449111321721696,8065507534511244947,131072 /prefetch:1
2⤵
PID:4692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3292 --field-trial-handle=1836,i,2874449111321721696,8065507534511244947,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4376 --field-trial-handle=1836,i,2874449111321721696,8065507534511244947,131072 /prefetch:8
2⤵
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 --field-trial-handle=1836,i,2874449111321721696,8065507534511244947,131072 /prefetch:8
2⤵
PID:1288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=1160 --field-trial-handle=1836,i,2874449111321721696,8065507534511244947,131072 /prefetch:1
2⤵
PID:2592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4284 --field-trial-handle=1836,i,2874449111321721696,8065507534511244947,131072 /prefetch:8
2⤵
PID:180

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4460,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:8
1⤵
PID:5000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2352

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3564

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\nje91q\" -spe -an -ai#7zMap9122:74:7zEvent31942
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2900

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\nje91q\" -spe -an -ai#7zMap15135:74:7zEvent23347
1⤵
- Suspicious use of FindShellTrayWindow
PID:4016

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\nje91q\" -spe -an -ai#7zMap8164:74:7zEvent516
1⤵
- Suspicious use of FindShellTrayWindow
PID:1944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4508,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=1392 /prefetch:8
1⤵
PID:4996

C:\Users\Admin\Downloads\nje91q\63HiIJrDNvEfDcl.exe
"C:\Users\Admin\Downloads\nje91q\63HiIJrDNvEfDcl.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads\nje91q\63HiIJrDNvEfDcl.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vrwJUPrQkQA.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4008

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrwJUPrQkQA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9C49.tmp"
2⤵
- Creates scheduled task(s)
PID:4044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:3176

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9F37.tmp"
3⤵
- Creates scheduled task(s)
PID:2376

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA080.tmp"
3⤵
- Creates scheduled task(s)
PID:2212

C:\Users\Admin\Downloads\nje91q\63HiIJrDNvEfDcl.exe
"C:\Users\Admin\Downloads\nje91q\63HiIJrDNvEfDcl.exe"
1⤵
- Executes dropped EXE
PID:3564

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:3908

C:\Users\Admin\Downloads\nje91q\63HiIJrDNvEfDcl.exe
"C:\Users\Admin\Downloads\nje91q\63HiIJrDNvEfDcl.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:208

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011
Filesize
199KB

MD5
585ac11a4e8628c13c32de68f89f98d6

SHA1
bcea01f9deb8d6711088cb5c344ebd57997839db

SHA256
d692f27c385520c3b4078c35d78cdf154c424d09421dece6de73708659c7e2a6

SHA512
76d2ed3f41df567fe4d04060d9871684244764fc59b81cd574a521bb013a6d61955a6aedf390a1701e3bfc24f82d92fd062ca9e461086f762a3087c142211c19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index
Filesize
1KB

MD5
718378d8d58deec1587d6ddbffb9617d

SHA1
74c4e4774fd0cee9a9113a1d2992816d6ce5b6b8

SHA256
2ab0bc004443f0d1366ad4ec33d08221d61a7e7bbe38aadc35506082b911494d

SHA512
5b7bbdebad1a25f77a199ab475d7742c6aed157a8bf555897ba1e50f66e27bf997fa7c2192c4f427c74bff2f68a3265206fed1f0c44fc05714072fe17ef9fdd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
552B

MD5
1ba870dfe5f388050ed8b19ff806eea0

SHA1
68c8aa93c117e4aad3b3d9779b6a9824cffea9e7

SHA256
e466e2491a74248ecbd641ac2ab1ed90eeab9c4319106ad769a50f36e1cebc0b

SHA512
35935d20b4ee0236c023f6b7cef5639b9137392fe9f667ac786bb8026291085d51175d2857bde652a1417f8e6eb02f032a980cc5eb7572e6cfe9e3959f359c75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
2f2a908b0543716e7a0018b8d69b72e9

SHA1
5781227a291d7eecdf41c1e92a0e34dd36250e84

SHA256
7ebb048a26eb0a5e888c5c51d9369d08b13e119d306fdaf6928949e528b89f1c

SHA512
3b9c1e1bcb6ba9d3462a62991634a01268200f7ab7e0f5d326049cde54dc62dfe9e6c7f4e1a2ee22f76d72740a414b4881846c1c4302fc340796ce8df6d377db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
1738df39aae18019d1b86318401c1516

SHA1
5246dfa468731a702ae7de2b59f5749d1f23fe48

SHA256
9759c3b67ed0bb781e3cfb8001bcce3170bb4e4954b412fb5431df5648b65580

SHA512
632b9bcb2aec68a9eb6e4ee443c04bc85410946fa44357da50eb53e387e658d73ceb467df90e5f00141333e60d030027ced93830954585ecdffd74ca31ffa0ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
94ab9390d0b60e64e594f5384b5dcc28

SHA1
6a408a895aa1d5005d7f77cf42f03a79b8446c53

SHA256
43093a253df7a2c358f29434d79f2169cb89baa0b1b696c097c26d3c1bf2d701

SHA512
716df14183f9312b77da06c46b85f52b6d241cfb5369385a1bdaa93ff7a6cd51a14e597920df6956d475d933ee23a433e68d679a22c2b884800f51d1bbe105f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
5KB

MD5
973d33cda45006eda4bf9f924e1572ca

SHA1
2a1d9d74e90892bd548b6503719eddbc62cb86b3

SHA256
944e468e4d8b3ec12ca90b99c22cafd659a76437b2db296f7d07dca368a32dbe

SHA512
12711eaf27494c4bb71e76a49a413f5ae8e0155f0b29f9f8de5a5316ad57d9df33047ebf5d85322764bc5e0b00c3e56ec28245bf2f86a8226e318e42dc646713

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
bd261b2657bf0e5bb0e78677de818a7c

SHA1
e22376ac1ffc26cd7cb40b71bdeffd91b9f16bae

SHA256
d893eaca5a09d82799709bc88bca36e2da2f27823bdfc9c583f90e2dd17f9a96

SHA512
c11000e50ea2ca79a653e42d820d903af1d4ffb46853cea28fe248dbe51626b5f755035949352a8db1aeae0226c9ef93edcf2623e08f29dc36d7948f60707ddf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
4933c064048f61e2d0b5d8e9a95d859a

SHA1
9ea6a5f765312c4e29e3aab59a8484f632c64693

SHA256
6b1a2e66561bca87a737a86a8591abe6ffa047804604894c376473c0fe1f3925

SHA512
6b19aabd084f4ba5433ec55ef05b082e62d43afdd216ddb6a0c8bdc8df2e56087582ca558e911ce7569e5e487f2d0eb933a34dd9df9593f1b31931680189ecfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
64e680658811a4827ff2e924b70d41e6

SHA1
a88120de5791da7d194ac26829ed0ecb6cd49fab

SHA256
91edf2665ef6c2968b4dc69da224b8347574764d0d33b204a467b74fcdf11f8c

SHA512
c77c7756f96a10f7b17ffb052b374c078c03a65ad9cd8fcf412c705091a42d05535e2ad3bb7dcbe0a434be6048e37ea89a47f4bdd183058212b2a4a1eed461bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
523B

MD5
ffc299cb3d30ec486dc260b9c38de0ee

SHA1
5a5a9577e694e94659ae00fc359246ef83b6b2e2

SHA256
9fe15a73378386ea9608ab5bf10c49f60660721d39b91cc129d308e20c9e37ae

SHA512
540d75759cab2e12ef6060925be3fd4c00e8bed6a4db675f0443d64b4da3b6aec1265fc50bafa3eb7fe18134d3b6761a0dc12e1fa66fedf5dd3d0fb4b40e23a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
d0d129a34a72aa3b55e6ee256eff4536

SHA1
b1e67581d848b2e26a5d26f95e041846af26a5d3

SHA256
98a070baee7b9852e4f536861f50ede31727b8d19c2e9a1253cc15412715d91b

SHA512
65a729adcf1c220a4e533e8bc33330390ae66ecaa91bdc705e58d7d4983046c04f43ea9e168f012c002176e49f184725f4fa4c12e41b109b6cc103c0b41cb07c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
3b2f03cfac29a020534d0e8a57ea0e36

SHA1
b2d9d7af3970dae07859d42e3ea1807232cc891d

SHA256
ab9e103e6eacd4940e73b8ec05578420ee5b9fccb85008d5af75efbc9df335c2

SHA512
d109ad0a5391462c5523967ecd2b4f4c212f9c5664bc5eb5cb05ceb925e7753857d9a6712324a46bf2d3838fc11dd4c1e1fc381dc84a48a20a2f41182cf4688c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
4d8a60e8698d9cabc6ede18acd8e06ca

SHA1
d32261b454458891d7390cb4d921b7647c2a3ab2

SHA256
7657a04f40103117b4b13ff57478fab5ff0858b81638698d239d73221821e1b6

SHA512
083c4efc5ef4849646182e4c39ae84faad22f88f08d552e1eb3b70baed5e24cab599663b482877ea0e7ff96522f9abe4d631bf923e8c166105faa6f67b864ab2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
4913582b52dcc0b77393705c004cd4f0

SHA1
39632501804a394897bc631b93b4dbd151fc9819

SHA256
ecbdcf6213258d45d29da050dc227de16f0e7a2c23511615ee0b4a43473d5963

SHA512
128116d550fdfaecf9f606a627b963c5f759e84d063398632566e65bfe9ac2c82642f5c69d9a7c72176bd30b2a4c64de1960d9fdd281b43aafc67febac4235c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
77aa793b992d3e5e6eafea6450de190d

SHA1
7cd0cb8f16907713fa48a7dff084e6ac5a40ed88

SHA256
89bdb63189d1aa1d2d356f8a1bd8a0254c746c671a9e6d6eed0b4a9c4b21e56f

SHA512
575c4c5e042c13b673d7f791831477f5124011cc7a867f9f13d954c836d52f56f66b6a8b601c25a453a4c41574e66e6947372a9d7536eb9e5a7a771d13cdf339

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
25949483a1beeb4099dec78b75a68a32

SHA1
65d9a9b600ec640e6cea8de30992a9c85ac47933

SHA256
5a6b48cef6ede550d4d8276dfffa32088c6761d02ebd0b47ea52e67d60f14268

SHA512
664c6309cbd1ff77f2102f0483a521ab806a56fbb7c57e793837006086b50d377856379c46557d41827f17bed455721b9dfed823e1b32d1e8d752d3878213194

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
989cc35410c54ffa2aff5be1726d8afa

SHA1
7a17863a24f6a3004481bbd554b233f6b2de2805

SHA256
85131b44c1725f0a0f0bd008c77b1f08195aa41b043a0bbe08b3bd993e9e9f8a

SHA512
8bc49add16fa4b81e6dff5768807a1beb800665b8c7d6f4a063ae01ab7cb0e33e3909b2c2591a810540c25f8be09c658ed5ad39d469b1b2b5c4eb6ab2becdc6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a0ea7.TMP
Filesize
48B

MD5
56782896c7cf0fd5a0d6ff0b59abfc0a

SHA1
76280a51fb9e171fcfa0be58a1cc5f9e90fe0520

SHA256
ddf757e4828e5fc9d0fcdb6cf55ecce2ef6cd80b4786f6f724c54ae1b3abc6ff

SHA512
b0998141d78dc38029699cb76e86c1f4ce78c2ff264113c28d7b3e57e83b1323f17d3a250556f8f64dd9ed4af61f35478febbc9562c2361203f3efde382ba0af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\dc44f0cf-8dbf-4751-bcea-ec7b2e13738c.tmp
Filesize
7KB

MD5
e24fbc729e90727aababc30a8d7a576c

SHA1
edda61b4ea4501a5c530b59fd236837211580e36

SHA256
34983f41eaf7f88d84ff68f5c6ba763c83d6d9aecf3351cca6fbf005ee6f08d6

SHA512
c452a82364e0396f8c0a714cee46f680d1aa49582c65819ff4eb6e4bd29fa91b4a1cd73fead0dde991dcc4627cbdcbc68fc65c5137e428e4a48e4f13bdd9bc3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
c47046c001511110f3b7b925d2422abe

SHA1
975422e8a3f50e18e501f2c94288f1742654e862

SHA256
060f2bda953c9020cd91768fcdfa8577b8511d340c55d8bd9ae1883b7d94f636

SHA512
59663abf4ee00ed74eda6d2099cb796fa7eac68e12cf15b3ea8fd590b35b14d6858d75ecc641d99eab3cddd4ae856e3058cddb87476f25264b9720989038623f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
9fcbc4816cf21bdd5291d02aa83706b0

SHA1
7d8c84e348bf4d55799ad9846e2c4e52328cfc74

SHA256
21d1438f3b10f928f394e92f73a3a639c985d378e5d75974b243d6065bedb999

SHA512
8070668f2bee2eaaa312522062e507e8e46a432a2784fabf0f9a691f75149d3c0dbc4fc89ee28dd17df2f70fff113eae7ed4dfd75a65d79d419984a103fdfaa4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
fd5f39b963d88c9a7c651d3a1f735d34

SHA1
35dc677dcc93c6432092bb55cab9c2377e1a04fa

SHA256
c6d370dcd0b837d0eeb3cb26b63efe7b44cd69025d38de83ecbe8e060586ecce

SHA512
3bd36825692f92b9a79aa62fad3deaea0969e42053c342bec05e7b407a7f14438401da6298ad30994ea0809570e2be2c6c6aea7dbec7293a10bd78ebe56e4d74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
103KB

MD5
5c75178989e97ee8422e991fe1a4d698

SHA1
6fb94238c356d173a7d1806b3257ff773fae9a72

SHA256
e77068dec4f2ba81d1f37c2ab2c9d25b22f2136fd488d6e7b0c16dc139b5fa9e

SHA512
d5a872e7dd440a9657f6e71ec33db16fd7ba409e0cb272de582120bf7e449640770e192f6dd61b02631b35b935e7b68979f614090858d7055698194dd4367add

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
99KB

MD5
04952c28ac57f48d0ba07e8b0a10dde9

SHA1
1b2178caaabcf4d5872ff213ac78b76b16898b1e

SHA256
ce8ff85e29653426af03c5838f67c807061e3dfbd3fc9b223864b372ec211cd4

SHA512
aa4612cba3cdcd7d9b8ba14c79f1b06b99254528a48a04d80bbdc26107d99f5a883acde4699be3ce570befbd841e5cc5d3217fe8fe7851749485899212ef022d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5a4874.TMP
Filesize
98KB

MD5
7af8ca7fb19c35e6b24770c5b3d4d941

SHA1
195b8574afc0a866e96ac3667a6d0fdf956ed808

SHA256
fc86d5cd405bd9fc98a6ea43c996d36531b0b0e9d1b60a8360cda17a455d5d79

SHA512
8785ee7e8bc940571d13eb2700d56292080e154f77d0c8fe231ff7e75b77f5136b65a000d9f7c2a0c503eb3939dbcfc2e9f30d7cd05588247247c96569e2147e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\63HiIJrDNvEfDcl.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
4269aa3fa3432ca0bfb704965f4db18f

SHA1
c89ae7d377fb10b91898022bde68b23d20ed72ed

SHA256
e776c2f5ce460c35e96b42794f67ee2c7b151daf27579181c5ef69f744b3f4a5

SHA512
c5e4d4516655065a169a0976dc5703daaefd8676ad8c3b5191aefdc32fb6de085ca920ecb8992a3eff80b1b0c9762311bc560f45ecc1e8fe592813e30afbae40

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fdlp5sit.lbp.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C49.tmp
Filesize
1KB

MD5
55a3b1d108f0c9c405e75a74ceda3b42

SHA1
fe020275ba5c61e05d3201d1bc925f809915c99d

SHA256
88977ecf46d706f852cd9d68ce17d8762baaa334a5958eb5524a4ef5b95593a7

SHA512
22f6ea526c8e5327c7387131048aa2dff92db64d7b570f1cec852fb5d289a553670ef681a46f158fe0aa44ed2d6d391500fd3549749587e52982a26294f21729

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9F37.tmp
Filesize
1KB

MD5
8cad1b41587ced0f1e74396794f31d58

SHA1
11054bf74fcf5e8e412768035e4dae43aa7b710f

SHA256
3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c

SHA512
99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA080.tmp
Filesize
1KB

MD5
93d357e6194c8eb8d0616a9f592cc4bf

SHA1
5cc3a3d95d82cb88f65cb6dc6c188595fa272808

SHA256
a18de0ef2102d2546c7afd07ad1d7a071a0e59aff0868cf3937a145f24feb713

SHA512
4df079387f6a76e0deb96ab4c11f6cffa62a8b42dc4970e885dab10351fade2d9e933663c141b76409657f85f1bf9dbb533d92dce52dc62598aafc4793743f7f

Download Submit
C:\Users\Admin\Downloads\nje91q.rar
Filesize
632KB

MD5
f85c33dc9b710080b0691cb9170a0924

SHA1
a5ffe397ce816453a59992da2d545aefb53cdd23

SHA256
14f41e52e85831bb42d9122b038fe76e86bc084e10636d086a4bd9f7f26abc97

SHA512
ed126ca04306853ba28e298fe890829932406cc376c2460e5def5695b59bf79b9981222333d8a168af4c753603f6813a7533776324aa33f402369fc9ae928a76

Download Submit
C:\Users\Admin\Downloads\nje91q\63HiIJrDNvEfDcl.exe
Filesize
660KB

MD5
e47509572ea188a78326872fda99fe64

SHA1
61445d5ea22042336963a7a1060e6049c5d52fc1

SHA256
ef2c040076c60b1c9dbe49868b75a036073d4e3d4d9d20d911e0166ffe1317f5

SHA512
98b9c9822008bff777797b4346df430fdb97516539b423984b709db878353cf4b8d20d53a1110507abafe94920468387f381e32f056493244f41ddbd37129c90

Download Submit
\??\pipe\crashpad_4356_FGRFXJGWWPUUQVCC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3176-622-0x00000000054E0000-0x00000000054FE000-memory.dmp

Filesize
120KB

Download
memory/3176-609-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3176-621-0x00000000054B0000-0x00000000054BC000-memory.dmp

Filesize
48KB

Download
memory/3176-623-0x00000000057E0000-0x00000000057EA000-memory.dmp

Filesize
40KB

Download
memory/3176-620-0x00000000054A0000-0x00000000054AA000-memory.dmp

Filesize
40KB

Download
memory/3308-648-0x0000000006E60000-0x0000000006E7A000-memory.dmp

Filesize
104KB

Download
memory/3308-612-0x0000000006090000-0x00000000060DC000-memory.dmp

Filesize
304KB

Download
memory/3308-664-0x0000000007180000-0x0000000007188000-memory.dmp

Filesize
32KB

Download
memory/3308-599-0x0000000005490000-0x00000000057E4000-memory.dmp

Filesize
3.3MB

Download
memory/3308-649-0x0000000006ED0000-0x0000000006EDA000-memory.dmp

Filesize
40KB

Download
memory/3308-584-0x0000000002260000-0x0000000002296000-memory.dmp

Filesize
216KB

Download
memory/3308-611-0x0000000005B20000-0x0000000005B3E000-memory.dmp

Filesize
120KB

Download
memory/3308-631-0x00000000713F0000-0x000000007143C000-memory.dmp

Filesize
304KB

Download
memory/3308-647-0x00000000074A0000-0x0000000007B1A000-memory.dmp

Filesize
6.5MB

Download
memory/3308-662-0x00000000070A0000-0x00000000070B4000-memory.dmp

Filesize
80KB

Download
memory/3308-661-0x0000000007090000-0x000000000709E000-memory.dmp

Filesize
56KB

Download
memory/3308-659-0x00000000070E0000-0x0000000007176000-memory.dmp

Filesize
600KB

Download
memory/3308-660-0x0000000007060000-0x0000000007071000-memory.dmp

Filesize
68KB

Download
memory/3308-585-0x0000000004DF0000-0x0000000005418000-memory.dmp

Filesize
6.2MB

Download
memory/4008-587-0x0000000004D10000-0x0000000004D32000-memory.dmp

Filesize
136KB

Download
memory/4008-624-0x0000000006C60000-0x0000000006C92000-memory.dmp

Filesize
200KB

Download
memory/4008-636-0x0000000006C20000-0x0000000006C3E000-memory.dmp

Filesize
120KB

Download
memory/4008-625-0x00000000713F0000-0x000000007143C000-memory.dmp

Filesize
304KB

Download
memory/4008-646-0x0000000006EA0000-0x0000000006F43000-memory.dmp

Filesize
652KB

Download
memory/4008-588-0x0000000004DB0000-0x0000000004E16000-memory.dmp

Filesize
408KB

Download
memory/4008-663-0x0000000007320000-0x000000000733A000-memory.dmp

Filesize
104KB

Download
memory/4008-589-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/4948-573-0x0000000005980000-0x000000000599E000-memory.dmp

Filesize
120KB

Download
memory/4948-570-0x0000000005630000-0x00000000056C2000-memory.dmp

Filesize
584KB

Download
memory/4948-571-0x00000000056D0000-0x00000000056DA000-memory.dmp

Filesize
40KB

Download
memory/4948-577-0x0000000006C90000-0x0000000006D0C000-memory.dmp

Filesize
496KB

Download
memory/4948-572-0x00000000059B0000-0x0000000005A4C000-memory.dmp

Filesize
624KB

Download
memory/4948-575-0x00000000059A0000-0x00000000059B0000-memory.dmp

Filesize
64KB

Download
memory/4948-576-0x0000000005B70000-0x0000000005B86000-memory.dmp

Filesize
88KB

Download
memory/4948-569-0x0000000005CF0000-0x0000000006294000-memory.dmp

Filesize
5.6MB

Download
memory/4948-568-0x0000000000B90000-0x0000000000C3C000-memory.dmp

Filesize
688KB

Download