strrat | e4bc1b6f2e541e90a1ed736284d2e383fcb739f10466b1fdd390211e01ed4dae

Resubmissions

21-06-2024 17:49

240621-wea82ayeph 10

09-06-2024 09:22

240609-lb4fasgf3w 10

Analysis

max time kernel
141s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4bc1b6f2e541e90a1ed736284d2e383fcb739f10466b1fdd390211e01ed4dae.jar
Size

123KB
MD5

6a6bcf5dbe9ee0e68969958ca3565122
SHA1

c515cd6309bdff8f1b7b996f0846eae3ea27b768
SHA256

e4bc1b6f2e541e90a1ed736284d2e383fcb739f10466b1fdd390211e01ed4dae
SHA512

2dc5021ce4e033a1ae67ec2905b3acb7b237c3a00bebe54b030f461675ceb570e738743348a889ea3400b7d01e6261edb5d835c4759914960ae29cbba98a00a6
SSDEEP

3072:4+1ksmuRo+BmpH7Rx/inqhzlE0EP5vdRGXVIJeouw:2sHbmpRgnqhzPEP5vbGXiuw

Score

10^/10

strrat discovery execution persistence stealer trojan

Malware Config

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation wscript.exe
Drops startup file 1 IoCs

Processes:

java.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tjwcocmrm.txt java.exe
Loads dropped DLL 2 IoCs

Processes:

java.exejava.exe

pid process

2664 java.exe
4936 java.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3224 icacls.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tjwcocmrm.txt	java.exe

pid	process
2664	java.exe
4936	java.exe

pid	process
3224	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

java.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tjwcocmrm = "\"C:\\Users\\Admin\\AppData\\Roaming\\tjwcocmrm.txt\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tjwcocmrm = "\"C:\\Users\\Admin\\AppData\\Roaming\\tjwcocmrm.txt\""	java.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

117 bitbucket.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

45 ip-api.com
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
117	bitbucket.org

flow	ioc
45	ip-api.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133634658237262880"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

Processes:

7zFM.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	OpenWith.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2288 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2900 chrome.exe
2900 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exe7zFM.exe

pid process

4528 7zFM.exe
4488 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

2900 chrome.exe
2900 chrome.exe
2900 chrome.exe
2900 chrome.exe
2900 chrome.exe
2900 chrome.exe

pid	process
2288	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1276	WMIC.exe
Token: SeSecurityPrivilege	1276	WMIC.exe
Token: SeTakeOwnershipPrivilege	1276	WMIC.exe
Token: SeLoadDriverPrivilege	1276	WMIC.exe
Token: SeSystemProfilePrivilege	1276	WMIC.exe
Token: SeSystemtimePrivilege	1276	WMIC.exe
Token: SeProfSingleProcessPrivilege	1276	WMIC.exe
Token: SeIncBasePriorityPrivilege	1276	WMIC.exe
Token: SeCreatePagefilePrivilege	1276	WMIC.exe
Token: SeBackupPrivilege	1276	WMIC.exe
Token: SeRestorePrivilege	1276	WMIC.exe
Token: SeShutdownPrivilege	1276	WMIC.exe
Token: SeDebugPrivilege	1276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1276	WMIC.exe
Token: SeRemoteShutdownPrivilege	1276	WMIC.exe
Token: SeUndockPrivilege	1276	WMIC.exe
Token: SeManageVolumePrivilege	1276	WMIC.exe
Token: 33	1276	WMIC.exe
Token: 34	1276	WMIC.exe
Token: 35	1276	WMIC.exe
Token: 36	1276	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1276	WMIC.exe
Token: SeSecurityPrivilege	1276	WMIC.exe
Token: SeTakeOwnershipPrivilege	1276	WMIC.exe
Token: SeLoadDriverPrivilege	1276	WMIC.exe
Token: SeSystemProfilePrivilege	1276	WMIC.exe
Token: SeSystemtimePrivilege	1276	WMIC.exe
Token: SeProfSingleProcessPrivilege	1276	WMIC.exe
Token: SeIncBasePriorityPrivilege	1276	WMIC.exe
Token: SeCreatePagefilePrivilege	1276	WMIC.exe
Token: SeBackupPrivilege	1276	WMIC.exe
Token: SeRestorePrivilege	1276	WMIC.exe
Token: SeShutdownPrivilege	1276	WMIC.exe
Token: SeDebugPrivilege	1276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1276	WMIC.exe
Token: SeRemoteShutdownPrivilege	1276	WMIC.exe
Token: SeUndockPrivilege	1276	WMIC.exe
Token: SeManageVolumePrivilege	1276	WMIC.exe
Token: 33	1276	WMIC.exe
Token: 34	1276	WMIC.exe
Token: 35	1276	WMIC.exe
Token: 36	1276	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2988	WMIC.exe
Token: SeSecurityPrivilege	2988	WMIC.exe
Token: SeTakeOwnershipPrivilege	2988	WMIC.exe
Token: SeLoadDriverPrivilege	2988	WMIC.exe
Token: SeSystemProfilePrivilege	2988	WMIC.exe
Token: SeSystemtimePrivilege	2988	WMIC.exe
Token: SeProfSingleProcessPrivilege	2988	WMIC.exe
Token: SeIncBasePriorityPrivilege	2988	WMIC.exe
Token: SeCreatePagefilePrivilege	2988	WMIC.exe
Token: SeBackupPrivilege	2988	WMIC.exe
Token: SeRestorePrivilege	2988	WMIC.exe
Token: SeShutdownPrivilege	2988	WMIC.exe
Token: SeDebugPrivilege	2988	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2988	WMIC.exe
Token: SeRemoteShutdownPrivilege	2988	WMIC.exe
Token: SeUndockPrivilege	2988	WMIC.exe
Token: SeManageVolumePrivilege	2988	WMIC.exe
Token: 33	2988	WMIC.exe
Token: 34	2988	WMIC.exe
Token: 35	2988	WMIC.exe
Token: 36	2988	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2988	WMIC.exe

Suspicious use of FindShellTrayWindow 43 IoCs

Processes:

7zFM.exechrome.exe7zFM.exe

pid	process
4528	7zFM.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
4488	7zFM.exe
4488	7zFM.exe
4488	7zFM.exe

Suspicious use of SendNotifyMessage 36 IoCs

Processes:

chrome.exe

pid	process
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe

Suspicious use of SetWindowsHookEx 29 IoCs

Processes:

OpenWith.exe

pid	process
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

java.exewscript.exejavaw.exejava.execmd.exejava.execmd.execmd.execmd.execmd.exechrome.exe

description	pid	process	target process
PID 3532 wrote to memory of 3224	3532	java.exe	icacls.exe
PID 3532 wrote to memory of 3224	3532	java.exe	icacls.exe
PID 3532 wrote to memory of 324	3532	java.exe	wscript.exe
PID 3532 wrote to memory of 324	3532	java.exe	wscript.exe
PID 324 wrote to memory of 2052	324	wscript.exe	javaw.exe
PID 324 wrote to memory of 2052	324	wscript.exe	javaw.exe
PID 2052 wrote to memory of 2664	2052	javaw.exe	java.exe
PID 2052 wrote to memory of 2664	2052	javaw.exe	java.exe
PID 2664 wrote to memory of 2244	2664	java.exe	cmd.exe
PID 2664 wrote to memory of 2244	2664	java.exe	cmd.exe
PID 2664 wrote to memory of 4936	2664	java.exe	java.exe
PID 2664 wrote to memory of 4936	2664	java.exe	java.exe
PID 2244 wrote to memory of 2288	2244	cmd.exe	schtasks.exe
PID 2244 wrote to memory of 2288	2244	cmd.exe	schtasks.exe
PID 4936 wrote to memory of 3980	4936	java.exe	cmd.exe
PID 4936 wrote to memory of 3980	4936	java.exe	cmd.exe
PID 3980 wrote to memory of 1276	3980	cmd.exe	WMIC.exe
PID 3980 wrote to memory of 1276	3980	cmd.exe	WMIC.exe
PID 4936 wrote to memory of 4228	4936	java.exe	cmd.exe
PID 4936 wrote to memory of 4228	4936	java.exe	cmd.exe
PID 4228 wrote to memory of 2988	4228	cmd.exe	WMIC.exe
PID 4228 wrote to memory of 2988	4228	cmd.exe	WMIC.exe
PID 4936 wrote to memory of 624	4936	java.exe	cmd.exe
PID 4936 wrote to memory of 624	4936	java.exe	cmd.exe
PID 624 wrote to memory of 4908	624	cmd.exe	WMIC.exe
PID 624 wrote to memory of 4908	624	cmd.exe	WMIC.exe
PID 4936 wrote to memory of 2928	4936	java.exe	cmd.exe
PID 4936 wrote to memory of 2928	4936	java.exe	cmd.exe
PID 2928 wrote to memory of 5100	2928	cmd.exe	WMIC.exe
PID 2928 wrote to memory of 5100	2928	cmd.exe	WMIC.exe
PID 2900 wrote to memory of 1376	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 1376	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 4480	2900	chrome.exe	chrome.exe
PID 2900 wrote to memory of 3524	2900	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\e4bc1b6f2e541e90a1ed736284d2e383fcb739f10466b1fdd390211e01ed4dae.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:3224
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\pzsjuirnnn.js
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\tjwcocmrm.txt"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Program Files\Java\jre-1.8\bin\java.exe
      "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\tjwcocmrm.txt"
      4⤵
      Drops startup file
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\tjwcocmrm.txt"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2244
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\tjwcocmrm.txt"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2288
    - - C:\Program Files\Java\jre-1.8\bin\java.exe
        
        "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\tjwcocmrm.txt"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4936
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
        7⤵
        
        PID:4908
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
        7⤵
        
        PID:5100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4580

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\e4bc1b6f2e541e90a1ed736284d2e383fcb739f10466b1fdd390211e01ed4dae.jar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcf77eab58,0x7ffcf77eab68,0x7ffcf77eab78
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1924,i,7585457847347557855,12797982426526397610,131072 /prefetch:2
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1924,i,7585457847347557855,12797982426526397610,131072 /prefetch:8
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2152 --field-trial-handle=1924,i,7585457847347557855,12797982426526397610,131072 /prefetch:8
  2⤵
  PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1924,i,7585457847347557855,12797982426526397610,131072 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1924,i,7585457847347557855,12797982426526397610,131072 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4384 --field-trial-handle=1924,i,7585457847347557855,12797982426526397610,131072 /prefetch:1
  2⤵
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4560 --field-trial-handle=1924,i,7585457847347557855,12797982426526397610,131072 /prefetch:8
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4684 --field-trial-handle=1924,i,7585457847347557855,12797982426526397610,131072 /prefetch:8
  2⤵
  PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1924,i,7585457847347557855,12797982426526397610,131072 /prefetch:8
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 --field-trial-handle=1924,i,7585457847347557855,12797982426526397610,131072 /prefetch:8
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4928 --field-trial-handle=1924,i,7585457847347557855,12797982426526397610,131072 /prefetch:8
  2⤵
  PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4808 --field-trial-handle=1924,i,7585457847347557855,12797982426526397610,131072 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4032 --field-trial-handle=1924,i,7585457847347557855,12797982426526397610,131072 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3980 --field-trial-handle=1924,i,7585457847347557855,12797982426526397610,131072 /prefetch:8
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4128 --field-trial-handle=1924,i,7585457847347557855,12797982426526397610,131072 /prefetch:1
  2⤵
  PID:1388

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2480

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\e4bc1b6f2e541e90a1ed736284d2e383fcb739f10466b1fdd390211e01ed4dae.jar"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4488

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3928
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO8818E1F8\sezsvgerdl
  2⤵
  PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
af3f16fe623dd1e807675c34bfe398b2

SHA1
ecb4c152fa0d69a6d0be98fc4ef34901010b30dc

SHA256
bd9782b5d435369d40847f6386448de75c4236a5f9b9a4068ae98cdc85a0f127

SHA512
9157a47f4c9f6e227c1b813c8c26c60f54ea7645024e8fbe83a770e6103ad3e5ec3859535142759d2ea6efe623711800903c0ed6826049b921e7756233a479dd

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
78a1c4067e48784f3daec2d49cdd929b

SHA1
02f41770320b88bf16396555c6ced5c6325fe133

SHA256
bf7f791ea6e6865b7adf73cd1ba36a983aae3713e86f807784a7fde259158be7

SHA512
c3d79479d7b4e3e923e9c329de6b9a5e153c783258c5920e1dba950c7793913f7b7d6ccf74e9010b3b4e9241d8b102a248d2f58c47ab6ba93fbf00a5eb0dcca9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d

Filesize
204KB

MD5
081c4aa5292d279891a28a6520fdc047

SHA1
c3dbb6c15f3555487c7b327f4f62235ddb568b84

SHA256
12cc87773068d1cd7105463287447561740be1cf4caefd563d0664da1f5f995f

SHA512
9a78ec4c2709c9f1b7e12fd9105552b1b5a2b033507de0c876d9a55d31678e6b81cec20e01cf0a9e536b013cdb862816601a79ce0a2bb92cb860d267501c0b69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000021

Filesize
87KB

MD5
f0c6430163499576e2c588e07869e1c8

SHA1
6d2c1ece5ae726031a768826e2a52729bd13594e

SHA256
bc49463dce95ac9b13118c033055aa33b989af56adf370ef9cc0ab8e92799019

SHA512
f56fd2a77f755e02e7bee14575b9d815aeb160253b4dfc8744564ab888367772f22b920a505ae4ee9b8f8db7e62e74284e22f57fd4093a38961c57b5ed1d554a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000022

Filesize
71KB

MD5
2ece133a0bc00b555385e33321368ab6

SHA1
021472f8cab5bcb84fab2363b7d50e84fcc59031

SHA256
a3ac24f218686fbe3419ed5bc9d5110044cdc314d3819671d65cb4043f968950

SHA512
22540d0c5efc1469f5928296bca9c042bef2b394114e262bb15cf71cd4ea903cf1af071042bfef4252b6f73f161e97e0f5766ea2c8bfe9a632307c12b9bc92c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

Filesize
69KB

MD5
57e2cfe5a7b6cafb1faa00ce5fb0a413

SHA1
4122b483d564db05d7ca696ad6270ed19ac03f04

SHA256
ca704d0e776064802327ff7aca267a1eac54f8cc2c01115af5db5c5943cdf8f7

SHA512
031490b45e93830583e6af3634aaeeb01341c6e588cfb0b535a0c566bc58139e41dcddd718ac7ec6c89757dd8fd10c447a569f378f4d8d09f297f0006b48ebbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
2d2c4ae16d31e854075d8d6bc968ce97

SHA1
d8def26fc4b16de255f42ba55856b6f400683c16

SHA256
adadd550e6f708a245c6947534dfdab7dc42e2dc0ac9dc08010e5738e213c9f1

SHA512
09a89a5e4c68bec4a59c1a0c5f0d38d6f68d573c288ed55267a6708b328fa04344d879d7d066d51c9c605883bdb839311a127f675bd382c0ae35952c62977ee5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
290a4e1c51ff30a4367cb6064b1514b8

SHA1
aebceec52525b6b6144e90b84aa79b69092a76c7

SHA256
f1eca2b3f9bd906c42e08f3f5da1cd7732ad2d17bf74749fa766d8e8fb034677

SHA512
fd1c711529a52fc8d722ee99f083bfbe02694b9b6585a50f163a7ef415008c923d8ed0cbd666337fc73a5b8ae54379a5094540fffb7fd6267aefaca38b284d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\7670aba1-4663-4ad1-af84-185413c6fd4f.tmp

Filesize
1KB

MD5
41491c0af9c50f22e8d697d6bce4c5cf

SHA1
ef683db97364097d64fea9d16d1336b3654742d4

SHA256
e56656bb715545d71bc35dd6ee96eb705c84addd998e0c401abf5e6cbb466307

SHA512
75dd55ad48b9351099a4525bd5f81464a54c65f71523185b4fe44850ac07479c04557c70219bcaee50b6a78d636b77aa3a20ab04376a696a48544ee9221d7c37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
47ab813145625a1806006c2a933fb30c

SHA1
b4d9d8b05a7f2026a1d9fbb44fea055904da9be1

SHA256
bc09182b0e6c5616d8be32b7e212bb3f2b655acf53fe4a5fc7748af4739985ca

SHA512
785c23f7b68777dfe2e116368cab85bccd096ed10d0ece92497b8df93535482317fb09221c2b3b710b63698e979fa647b48d46190413455d869e91d7e9124779

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
f38703238d44751626d310f7cd1964fa

SHA1
bb990018a69365fadf95a1092d730f9da78603e5

SHA256
ef2414f2ce48a7b2fa8eedb1983505d760e37d4fe69d43f97104aea1fe247446

SHA512
860307544af8d3ab48c45e6d11c3f8f84c2c1efc049d556b78f20795e982847a3083bb4ca3224fe7989559679834678dc52d121994bc30aadb6b2f25c4d542da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1024B

MD5
28ac947d3fd74b999b6054b72d8e1139

SHA1
42943b2b8355e68c6151184c5ad9017f374bc4ca

SHA256
7501820aa21186535d14f2bdeba13b1c58655ce74425f4b7e64d0fb3d73cf911

SHA512
be70fce5891a3aaae6a378fcec9ed9e6ff38c0d762907e21be302ab4d20ae1334027f9e07c6b755d9b5ab54796e45469fa33b681ad759774638e4455d250c24a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b0a22e942087e81ebca15fd3444e42e7

SHA1
048af521726041f7a3773ba3a86dacbe670ba307

SHA256
644fdce6af460b66c73233a9e7cbd3cdc95958279aa24430f1aad08f181433e3

SHA512
e863b2505fb92f70df4c2022963fdcb0e0f79004f8772054384331108726e33ad7e3f2837b7781bbea651740c38ef88fa8ac1d360a1974edc23a8c31db629e06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e1c6e5dafd321f06b2207a91598bd074

SHA1
e96d0a4ac89963ce682c11bbd1cf3d4b0737fe54

SHA256
a4b13b0765e3e7ff38febcdaf9f72c19b4a1d114753693dc0029c8e09fc3fda7

SHA512
8389e2fe9e3ef937d207adc3ffcd6d860d57ec58f45620b0d204b13918e5c5bffb1990f951d66b8d4af19ddbb0835a74d6c693914702c99f0bb9a30ce6700bbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5ea209595bbe5779c7034b874f03d914

SHA1
525c222a922e4d2e24ad398794ebb8fa56186057

SHA256
c9e09bb7bfd7503489a4008208a690b4244fa0d026a87bdfb92de4895bc16601

SHA512
3ea7c25a20ec73252c870dea8a46cd9e4e04131b8b763517a5a88c9a84cc0c2b7140d63ea817c4b07fb32d94c11bbb72c9fa150a328a014e956dc04169df808f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d433e5a511ebd3555ae2d805135c63a0

SHA1
7674003bd026733a8f3ce79dd68e6ebd74a0d4dd

SHA256
eb336ed026292231b2749ea02aba9cf67a7799201d11541ad9cb01441e6f780c

SHA512
8fe5d82d6505a55272d9bd9cd97007de68c8660ba0d8e9b5f92f1dd41c055d01dd356c21e1ccdad0e73662082579599c0749a435f158ed9050f103715a2d62b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3705c910194da78f4706ea1e94bc103a

SHA1
f7ef521101740e58a81d557181b88bee747b6ed4

SHA256
e9521afcd1d5081738cccd89c66a2bb595cd5b05139e440e8c8feecd5c954658

SHA512
5c2b9c4a9b9e4b621dc10f1a41c09b462ed95a999d45267636a47c2b98637ea6040f2f4a1ccd39f6d7aba5200632a4f9284cd927d929221c676d58643887450d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3ef3877a7e938ae602821742cfc4da58

SHA1
587261c5ac6891629008c98bb8c3baf64e79c5c5

SHA256
8766c45bc3fc09afbfb62e4a21a134b5e577299d0ffb4e2fa1077af22d355181

SHA512
5a077ba61d2ea739bef25086e48fd8bcbb53a3b8243b1ff2ae718d251ae30e8afbfc1fc9b6b6e8c054f31e642980370623dce8abd07b7b46516d77b230a81f34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
2d0fd7665b5d7920ac75cd355d5158c8

SHA1
d67d89b8e1ef2e54ee1ec1de74f106c0cb086cc0

SHA256
af4b94e6124a5f912ed64fede59a1b885d36946c0a2bb517c1263fdb090638cc

SHA512
6044af240a6fb29fbc84b5348ff0f4772e14f6793babd30f5d7473a2e78cfc5df19e24ea924eb32f5d5e78707222f2028c0cb38abfc39207cbfd4e0ea616148e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2b22186c1f676a453a4cada2697816d7

SHA1
209e21ebdf54cbb4f746c8893ae97d04eae8d233

SHA256
a5f245a747407d5fb933006eee9256b2dd875a99b5395f96efc415517634ca1a

SHA512
16ffb9ef6d967c4f755c6bfdbeb0212b62539e4580eec1bdaa9344c4df7d1a90ccb00e50be0ce6de36f4ec5d3fbf3d719876dae9c53c37e3f19d2789b1ce4482

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6e05b46e0d482b8406bf96422fbb50e4

SHA1
9df7ca1c917bbb157eb841d25b3e0a699d7e4c07

SHA256
0041f3c83fad48da098cb7085446e4a8ba99ea42267fa9c0ab5c1dceb59ebc5f

SHA512
d90eb2d30db37f791023b92ac1d9c52fcb4e908bf682f218d00692cc4b1d6aafb4741b656dcb61a2598d87ffe400533313b0f0d1bb20512339f2502b726ab9a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c46ef1efb8367753dd4664b4b4814729

SHA1
08c0764fa3e96c748056a1a46a1967aa325a981c

SHA256
e06b240ea6c65d19a20310a17541902579df8ec0be6348c5c4f8e0a8c6f47a46

SHA512
13f2562e58bea9b066f24b7afe2f7d5bab86d26d3ad268c87536498ba96c28f827d55273cf497c9421badf07a23e5fdd77533735dee94d25438582463f7a43e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
961a6e6ba66a5bdaf0f89fe03e81883e

SHA1
574bae3569c972ed68a901aa5b347ce678a3985f

SHA256
f3743cd95bb779cf159d25bc1418fe22c5cff952e47d165cfe62d7a330a61e5a

SHA512
9d60329f83b903fc05ef4f40eee886193b9b9b5c85207ae028df522fa078e72d967f4e26d174e769d18fe6a611fb867e80701cdcb1be4a2303a3ed327d7e41e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
279KB

MD5
beaa483e9a6c2ba89cd74b34909db22b

SHA1
df4de2b85461acd733e2b3f8f0406fbb5b3c231f

SHA256
5cbe69f1a189822347ce20cd1491f0a39d2bc416dd4ef7c171c228c9d5fa6b30

SHA512
d2f10a7ebdd928538d9bbe9db954eafc7840699d7a9d81fbb496c01ef5693720242fbc54112f3a06ffd43af571e799e8599e253f12ea55dfbbf77b0652ff2972

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
90KB

MD5
10dc9a25a11b8b50c7665eda3f5abc79

SHA1
b19277a75dd74411bd0e72228450c0121d750c11

SHA256
418b761b6911eb62ff80150013735eecd86979d443b39615dd4dea4601b0df74

SHA512
552a68a9b912b88dad2083882cf20234d3ace3445018084d58a8d65cb92eeb10077397da909327935feba5e5e2639590fcaa7ca2f329e949566f377dd4b4e1fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58462c.TMP

Filesize
89KB

MD5
5dac1bf780d24e4f3cbca8eb318254c1

SHA1
6193eeebe588b9bdd4d4c73a21599933526ecea8

SHA256
cf4406b79ac3705f6681c0ad0f13a99b1a1ee235117a454a7dfa7100b6c30a1e

SHA512
a6ce746f1b02e5812a993fa2527536c01bcc05014515c9179f1db830a8085166b2ac36294d2765b362d403aa7b9cf8e91c53e26a105c372d7118aeedfd3b05cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8818E1F8\sezsvgerdl

Filesize
204KB

MD5
3132f7ecdb8dc571c5183d175f7f4886

SHA1
46abff53ce4b89468883bb3904cd6cdf0fd3b33e

SHA256
fc641e15fadb5db174769aea544615c986a50d1ccc4aed59afd5e218c056c5c6

SHA512
5d43844f77f064fc9507739b747f46218b8e346eb7c33c7d3fc6a1c02b0ec11906a2f3e199b60fb7ce5d01e7ccb81efcc6880b1547a1fa243ce8f7045f35345f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna7765586523006374245.dll

Filesize
241KB

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2080292272-204036150-2159171770-1000\83aa4cc77f591dfc2374580bbd95f6ba_50b25195-d6c8-43bb-b2ca-a8bd616967ef

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\tjwcocmrm.txt

Filesize
92KB

MD5
40324e4190ca694d65c17b8142490c1e

SHA1
14f8a7fbd6580cc1146a04af95c37b6772bb5215

SHA256
943a982c65ebf476f6f454a95e4f8105f6c89d3e90d638113f718a208aa51db0

SHA512
885107f66e0441f1d14ae4f193bcacea831f46872ec74501d82f29af7e51731714acf8a63fce72dac557c20c6cd15d1e77734e3fa443bc28dd3cda5aca22f5b7

Download Submit
C:\Users\Admin\lib\jna-5.5.0.jar

Filesize
1.4MB

MD5
acfb5b5fd9ee10bf69497792fd469f85

SHA1
0e0845217c4907822403912ad6828d8e0b256208

SHA256
b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

SHA512
e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

Download Submit
C:\Users\Admin\lib\jna-platform-5.5.0.jar

Filesize
2.6MB

MD5
2f4a99c2758e72ee2b59a73586a2322f

SHA1
af38e7c4d0fc73c23ecd785443705bfdee5b90bf

SHA256
24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

SHA512
b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

Download Submit
C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar

Filesize
4.1MB

MD5
b33387e15ab150a7bf560abdc73c3bec

SHA1
66b8075784131f578ef893fd7674273f709b9a4c

SHA256
2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

SHA512
25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

Download Submit
C:\Users\Admin\lib\system-hook-3.5.jar

Filesize
772KB

MD5
e1aa38a1e78a76a6de73efae136cdb3a

SHA1
c463da71871f780b2e2e5dba115d43953b537daf

SHA256
2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

SHA512
fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

Download Submit
C:\Users\Admin\pzsjuirnnn.js

Filesize
204KB

MD5
df07d5680a1bcd9a5af8a5a1b6b52598

SHA1
b070b44d630ae454c34419e65d38850ee2ca6bfb

SHA256
1d10f4534674ce86f17ec22da471f3d472da1f6a15348238e4e289f0e0e4c0e0

SHA512
e1f742db062e02773a9cde941607b512bc97ac68f09bb2e249492303f28011116bcfab10c84f596cef45c7fd39da01f2715ba3ea6f8f429c984ac896ed821ee6

Download Submit
memory/2052-71-0x0000023B9AA60000-0x0000023B9AA61000-memory.dmp

Filesize
4KB

Download
memory/2052-43-0x0000023B9AA60000-0x0000023B9AA61000-memory.dmp

Filesize
4KB

Download
memory/2052-100-0x0000023B9C2C0000-0x0000023B9C530000-memory.dmp

Filesize
2.4MB

Download
memory/2052-95-0x0000023B9AA60000-0x0000023B9AA61000-memory.dmp

Filesize
4KB

Download
memory/2052-83-0x0000023B9AA60000-0x0000023B9AA61000-memory.dmp

Filesize
4KB

Download
memory/2052-80-0x0000023B9AA60000-0x0000023B9AA61000-memory.dmp

Filesize
4KB

Download
memory/2052-21-0x0000023B9C2C0000-0x0000023B9C530000-memory.dmp

Filesize
2.4MB

Download
memory/2052-73-0x0000023B9AA60000-0x0000023B9AA61000-memory.dmp

Filesize
4KB

Download
memory/2664-134-0x0000028579750000-0x0000028579751000-memory.dmp

Filesize
4KB

Download
memory/2664-150-0x0000028579750000-0x0000028579751000-memory.dmp

Filesize
4KB

Download
memory/3532-2-0x0000029DC8080000-0x0000029DC82F0000-memory.dmp

Filesize
2.4MB

Download
memory/3532-16-0x0000029DC8080000-0x0000029DC82F0000-memory.dmp

Filesize
2.4MB

Download
memory/3532-14-0x0000029DC66A0000-0x0000029DC66A1000-memory.dmp

Filesize
4KB

Download
memory/4936-183-0x0000014E49370000-0x0000014E49371000-memory.dmp

Filesize
4KB

Download
memory/4936-193-0x0000014E49370000-0x0000014E49371000-memory.dmp

Filesize
4KB

Download