Analysis

  • max time kernel
    592s
  • max time network
    562s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-06-2024 06:52

General

  • Target

    https://cdn.discordapp.com/attachments/1232825231312420997/1252503669698728087/PO-_RFL059210.zip?ex=66727471&is=667122f1&hm=5e1872bc711cb3f4269d51a83c5656aebd9a7168ce54a54e950f88b01d30196f&

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.skitz.com.ng
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Kosyano1@

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.skitz.com.ng
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Kosyano1@

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 26 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1232825231312420997/1252503669698728087/PO-_RFL059210.zip?ex=66727471&is=667122f1&hm=5e1872bc711cb3f4269d51a83c5656aebd9a7168ce54a54e950f88b01d30196f&
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4548
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd330ab58,0x7ffcd330ab68,0x7ffcd330ab78
      2⤵
        PID:1784
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:2
        2⤵
          PID:4156
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:8
          2⤵
            PID:2208
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2184 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:8
            2⤵
              PID:4684
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:1
              2⤵
                PID:3828
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:1
                2⤵
                  PID:4956
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:8
                  2⤵
                    PID:1608
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:8
                    2⤵
                      PID:4060
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:8
                      2⤵
                        PID:4960
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:8
                        2⤵
                          PID:4888
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4684 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:1
                          2⤵
                            PID:3736
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5164 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:1
                            2⤵
                              PID:4532
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5292 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:8
                              2⤵
                                PID:1076
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5448 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:8
                                2⤵
                                  PID:1040
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4852 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:1
                                  2⤵
                                    PID:5336
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2760 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:1
                                    2⤵
                                      PID:5832
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3232 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:1
                                      2⤵
                                        PID:6028
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3888 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:8
                                        2⤵
                                          PID:5312
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4412 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:8
                                          2⤵
                                            PID:1068
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3176 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:2
                                            2⤵
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:2092
                                        • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
                                          "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
                                          1⤵
                                            PID:3964
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4256,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1304 /prefetch:8
                                            1⤵
                                              PID:4428
                                            • C:\Windows\System32\rundll32.exe
                                              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                              1⤵
                                                PID:3412
                                              • C:\Users\Admin\AppData\Local\Temp\Temp1_PO-_RFL059210.zip\PO- RFL059210.exe
                                                "C:\Users\Admin\AppData\Local\Temp\Temp1_PO-_RFL059210.zip\PO- RFL059210.exe"
                                                1⤵
                                                • Suspicious use of SetThreadContext
                                                PID:3464
                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Temp1_PO-_RFL059210.zip\PO- RFL059210.exe"
                                                  2⤵
                                                  • Command and Scripting Interpreter: PowerShell
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:5636
                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\boGqOzICn.exe"
                                                  2⤵
                                                  • Command and Scripting Interpreter: PowerShell
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:5516
                                                • C:\Windows\SysWOW64\schtasks.exe
                                                  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\boGqOzICn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4EC8.tmp"
                                                  2⤵
                                                  • Creates scheduled task(s)
                                                  PID:4808
                                                • C:\Users\Admin\AppData\Local\Temp\Temp1_PO-_RFL059210.zip\PO- RFL059210.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\Temp1_PO-_RFL059210.zip\PO- RFL059210.exe"
                                                  2⤵
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:5680
                                              • C:\Program Files\7-Zip\7zG.exe
                                                "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\PO-_RFL059210\" -spe -an -ai#7zMap24235:88:7zEvent4481
                                                1⤵
                                                • Suspicious use of FindShellTrayWindow
                                                PID:2300
                                              • C:\Users\Admin\Downloads\PO-_RFL059210\PO- RFL059210.exe
                                                "C:\Users\Admin\Downloads\PO-_RFL059210\PO- RFL059210.exe"
                                                1⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Suspicious use of SetThreadContext
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:3068
                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads\PO-_RFL059210\PO- RFL059210.exe"
                                                  2⤵
                                                  • Command and Scripting Interpreter: PowerShell
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:2744
                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\boGqOzICn.exe"
                                                  2⤵
                                                  • Command and Scripting Interpreter: PowerShell
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:744
                                                • C:\Windows\SysWOW64\schtasks.exe
                                                  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\boGqOzICn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB17A.tmp"
                                                  2⤵
                                                  • Creates scheduled task(s)
                                                  PID:5180
                                                • C:\Users\Admin\Downloads\PO-_RFL059210\PO- RFL059210.exe
                                                  "C:\Users\Admin\Downloads\PO-_RFL059210\PO- RFL059210.exe"
                                                  2⤵
                                                  • Executes dropped EXE
                                                  PID:868
                                                • C:\Users\Admin\Downloads\PO-_RFL059210\PO- RFL059210.exe
                                                  "C:\Users\Admin\Downloads\PO-_RFL059210\PO- RFL059210.exe"
                                                  2⤵
                                                  • Executes dropped EXE
                                                  PID:5928
                                                • C:\Users\Admin\Downloads\PO-_RFL059210\PO- RFL059210.exe
                                                  "C:\Users\Admin\Downloads\PO-_RFL059210\PO- RFL059210.exe"
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:2976
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k SDRSVC
                                                1⤵
                                                  PID:5432
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1392,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=3992 /prefetch:8
                                                  1⤵
                                                    PID:2724

Network

MITRE ATT&CK Enterprise v15

Downloads

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

                                                    Filesize

                                                    203KB

                                                    MD5

                                                    99916ce0720ed460e59d3fbd24d55be2

                                                    SHA1

                                                    d6bb9106eb65e3b84bfe03d872c931fb27f5a3db

                                                    SHA256

                                                    07118bf4bbc3ba87d75cbc11ddf427219a14d518436d7f3886d75301f897edaf

                                                    SHA512

                                                    8d3d52e57806d1850b57bffee12c1a8d9e1a1edcf871b2395df5c889991a183a8d652a0636d5452068f5ef78d37e08ce10b2b2f4e05c3e3c0f2f2230310418a8

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                    Filesize

                                                    1KB

                                                    MD5

                                                    e325ed8b2b6f481ff9ddd25cd319bcca

                                                    SHA1

                                                    43a5c09036e482dd0bec2473f3cda9e431a97c1d

                                                    SHA256

                                                    b7e1ecdb4af427fd0bd4cb4dfa4d1dde4ab93ec680fb62eae2c051168e21c421

                                                    SHA512

                                                    ec51685f850f5ea68c5daa47c7aecdb225df89350a488131b285ecaf69484acfad770856dc89d3daed32a4af7c49d565b82b9ab6e7b6af188b0e584dd479d603

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                    Filesize

                                                    4KB

                                                    MD5

                                                    50cca2b201bf6a71a97b8015ec6c5799

                                                    SHA1

                                                    6ca2228478d71d13bdc159f72aa45b35726b204a

                                                    SHA256

                                                    3e5dd7c2623b2c052611598f0e45d6f9670b956dc1d5ec8b62f7adcc1565670b

                                                    SHA512

                                                    a02776b95440e3449242f63c3aa197a54a5f7f0b5fca478bbf2c0d179a563071720c9fec0431563dcb2f3a934cab21b3305715ae447cd9ecd81058070cb1d47c

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                    Filesize

                                                    3KB

                                                    MD5

                                                    d89b6aa6bd1d498f144a4c638db0640a

                                                    SHA1

                                                    b225c8e98792389d37bdecdde29e3444f7a4c7c2

                                                    SHA256

                                                    35a88c4042fac92aa351e15e4163afa68d684bf20691b3129b5d2b9a8c89ed18

                                                    SHA512

                                                    1b8abcb5a937e51d888519370cbb340bd9406ed68910459fe803a9d6c43312a6b0e2c248a36de74e5047ee71e09d34965152b23fd3c1b9e30298792ce9e902d0

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                    Filesize

                                                    4KB

                                                    MD5

                                                    ed65bd74c9f0b4fbb7a4cd6b877dd6cc

                                                    SHA1

                                                    657b67fcd4cbe2f3413c4997eba9144f8b2a709a

                                                    SHA256

                                                    201a90e4c379466d4e379e2cedf7d8749dddc3eaf26619b1585a25d3a35cdc1f

                                                    SHA512

                                                    b55f80d0519c2b928e4656ced0466ee81ba4a284c3668d329b03cd9b9ff1e0f4a61c38608dad36234b1a8eeb04998ca6f67e4511d9d7eca4d56ce3f49c9cd126

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                                    Filesize

                                                    2B

                                                    MD5

                                                    d751713988987e9331980363e24189ce

                                                    SHA1

                                                    97d170e1550eee4afc0af065b78cda302a97674c

                                                    SHA256

                                                    4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                    SHA512

                                                    b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                    Filesize

                                                    356B

                                                    MD5

                                                    464304413974aaee895b246226a34761

                                                    SHA1

                                                    e764a5cfcff725c40a299ee889be9d6dfca14e4e

                                                    SHA256

                                                    c4fe8a15d7e214397a750af74148222f4bc92402c28e6f2a2d8d6a06827f04eb

                                                    SHA512

                                                    f01a9d7090d620652d4fc81655981be67f24e09512626f96207a1b0fe82bff0aee3a1653475243eeb1198e0075e8ca2d07e73f198f25f85be3bb4b1d403b74f9

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                    Filesize

                                                    858B

                                                    MD5

                                                    856c7cbeacfec83167c21393f3846143

                                                    SHA1

                                                    d70ca560005b69a1ff1c47555dd92116eb5b2fdc

                                                    SHA256

                                                    2b6c2aa8d0af3d32910858384e6a5e82e2f531014eb5112f78dda5220b9efcd4

                                                    SHA512

                                                    96da349925389524c516b2ce7c8d5cd33e57b25a3110c2486e25b6f06857c55118a75a8cc4b45e043914a9ecb4af455a1527b67e593dc0064e04ead5a064f9c3

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                    Filesize

                                                    8KB

                                                    MD5

                                                    7af4d1d5c237c59cc57c859b636831de

                                                    SHA1

                                                    1e3ff39b32f26600137bac7265933682c444a786

                                                    SHA256

                                                    be14a1de226febfd5125b7733e0f90aa4632c7dd6fa7f699c74a1b559521b1ad

                                                    SHA512

                                                    aee7884afdf2895215c958171daf65311d95b03c3c9fec6abdd3c06cd755a881b2369fdc458339c2e37c6a9074400680ce57e59fa6b8f292a70a8b2ed7bd554b

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 8KB
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 7KB
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 7KB
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 7KB
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 72B
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58dacb.TMP
  Filesize: 48B
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
  Filesize: 255KB
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
  Filesize: 255KB
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
  Filesize: 97KB
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
  Filesize: 97KB
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe584b5c.TMP
  Filesize: 94KB
• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO- RFL059210.exe.log
  Filesize: 1KB
• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_50jdigc4.hn4.ps1
  Filesize: 60B
• C:\Users\Admin\AppData\Local\Temp\tmp4EC8.tmp
  Filesize: 1KB
• C:\Users\Admin\AppData\Roaming\boGqOzICn.exe
  Filesize: 965KB
• C:\Users\Admin\Downloads\PO-_RFL059210.zip.crdownload
  Filesize: 729KB
• \??\pipe\crashpad_4548_TPECCQOSBZJRQEXB
• memory/744-492-0x00000000716F0000-0x000000007173C000-memory.dmp (Filesize: 304KB)
• memory/2744-504-0x0000000007150000-0x0000000007164000-memory.dmp (Filesize: 80KB)
• memory/2744-482-0x00000000716F0000-0x000000007173C000-memory.dmp (Filesize: 304KB)
• memory/2744-460-0x0000000005510000-0x0000000005864000-memory.dmp (Filesize: 3.3MB)
• memory/2744-481-0x0000000005C70000-0x0000000005CBC000-memory.dmp (Filesize: 304KB)
• memory/2744-493-0x0000000006E50000-0x0000000006EF3000-memory.dmp (Filesize: 652KB)
• memory/2744-503-0x0000000007110000-0x0000000007121000-memory.dmp (Filesize: 68KB)
• memory/3068-454-0x0000000002CF0000-0x0000000002D02000-memory.dmp (Filesize: 72KB)
• memory/3464-358-0x0000000007C00000-0x00000000081A4000-memory.dmp (Filesize: 5.6MB)
• memory/3464-380-0x0000000075000000-0x00000000757B0000-memory.dmp (Filesize: 7.7MB)
• memory/3464-362-0x0000000007950000-0x0000000007962000-memory.dmp (Filesize: 72KB)
• memory/3464-359-0x0000000007730000-0x00000000077C2000-memory.dmp (Filesize: 584KB)
• memory/3464-363-0x000000000A090000-0x000000000A12C000-memory.dmp (Filesize: 624KB)
• memory/3464-361-0x0000000002C00000-0x0000000002C0A000-memory.dmp (Filesize: 40KB)
• memory/3464-366-0x00000000052D0000-0x0000000005354000-memory.dmp (Filesize: 528KB)
• memory/3464-364-0x0000000007A90000-0x0000000007A98000-memory.dmp (Filesize: 32KB)
• memory/3464-365-0x0000000007BC0000-0x0000000007BCC000-memory.dmp (Filesize: 48KB)
• memory/3464-360-0x0000000075000000-0x00000000757B0000-memory.dmp (Filesize: 7.7MB)
• memory/3464-357-0x0000000000750000-0x0000000000842000-memory.dmp (Filesize: 968KB)
• memory/3464-356-0x000000007500E000-0x000000007500F000-memory.dmp (Filesize: 4KB)
• memory/5516-376-0x0000000004C50000-0x0000000005278000-memory.dmp (Filesize: 6.2MB)
• memory/5516-433-0x0000000007040000-0x000000000704E000-memory.dmp (Filesize: 56KB)
• memory/5516-382-0x00000000053B0000-0x00000000053D2000-memory.dmp (Filesize: 136KB)
• memory/5516-418-0x0000000070BE0000-0x0000000070C2C000-memory.dmp (Filesize: 304KB)
• memory/5516-434-0x0000000007050000-0x0000000007064000-memory.dmp (Filesize: 80KB)
• memory/5516-431-0x0000000007090000-0x0000000007126000-memory.dmp (Filesize: 600KB)
• memory/5516-432-0x0000000007010000-0x0000000007021000-memory.dmp (Filesize: 68KB)
• memory/5636-405-0x00000000066A0000-0x00000000066D2000-memory.dmp (Filesize: 200KB)
• memory/5636-403-0x00000000060D0000-0x00000000060EE000-memory.dmp (Filesize: 120KB)
• memory/5636-435-0x0000000007740000-0x000000000775A000-memory.dmp (Filesize: 104KB)
• memory/5636-436-0x0000000007720000-0x0000000007728000-memory.dmp (Filesize: 32KB)
• memory/5636-428-0x0000000007A40000-0x00000000080BA000-memory.dmp (Filesize: 6.5MB)
• memory/5636-417-0x00000000072E0000-0x0000000007383000-memory.dmp (Filesize: 652KB)
• memory/5636-374-0x00000000027E0000-0x0000000002816000-memory.dmp (Filesize: 216KB)
• memory/5636-416-0x00000000072C0000-0x00000000072DE000-memory.dmp (Filesize: 120KB)
• memory/5636-406-0x0000000070BE0000-0x0000000070C2C000-memory.dmp (Filesize: 304KB)
• memory/5636-430-0x0000000007470000-0x000000000747A000-memory.dmp (Filesize: 40KB)
• memory/5636-404-0x0000000006110000-0x000000000615C000-memory.dmp (Filesize: 304KB)
• memory/5636-402-0x0000000005C60000-0x0000000005FB4000-memory.dmp (Filesize: 3.3MB)
• memory/5636-388-0x0000000005A10000-0x0000000005A76000-memory.dmp (Filesize: 408KB)
• memory/5636-429-0x0000000007400000-0x000000000741A000-memory.dmp (Filesize: 104KB)
• memory/5680-381-0x00000000055D0000-0x0000000005636000-memory.dmp (Filesize: 408KB)
• memory/5680-377-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
• memory/5680-442-0x0000000006D30000-0x0000000006D80000-memory.dmp (Filesize: 320KB)