socelars | 8c28fb5d64ea3cbbcb5da19eb30e6ec8f2acb4c16e0f935275117f49ec4b4b19

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Size

1.5MB
MD5

f1f70ba64226076ff5ccc297301d7c93
SHA1

68cfbd7f5888c0a89671a350db95d7b7b9dc8e26
SHA256

8c28fb5d64ea3cbbcb5da19eb30e6ec8f2acb4c16e0f935275117f49ec4b4b19
SHA512

f2de772227274695756afae89fa9fdbeb8c313ca5f3a7f365cbb7c9d070ea7e001ac2c75f8063219ec0ff9d086b3000ca6e6d23e9f18b6aed9cd331c7a8e3809
SSDEEP

24576:Mwpk4V9rRM1oDb+enGs2Q6E9ZBJRPHJTrFSJ84ufAQKF2fJmg:5pRc1OMcV/sJjAAQKYfYg

Score

10^/10

socelars aspackv2 credential_access discovery spyware stealer

Malware Config

Extracted

Family

socelars

https://sa-us-bucket.s3.us-east-2.amazonaws.com/jhvre24/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3912-0-0x0000000000B30000-0x0000000000CB1000-memory.dmp	family_socelars
behavioral2/memory/3912-80-0x0000000000B30000-0x0000000000CB1000-memory.dmp	family_socelars

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hvDQNG.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exehvDQNG.exechrome.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	hvDQNG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	chrome.exe

Executes dropped EXE 13 IoCs

Processes:

hvDQNG.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeelevation_service.exechrome.exechrome.exechrome.exechrome.exe

pid	process
4500	hvDQNG.exe
2156	chrome.exe
784	chrome.exe
1272	chrome.exe
4384	chrome.exe
2924	chrome.exe
620	chrome.exe
2904	chrome.exe
4124	elevation_service.exe
4576	chrome.exe
1132	chrome.exe
2064	chrome.exe
3300	chrome.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

Processes:

4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aieoplapobidheellikiicjfpamacpfd\11.23.45_0\manifest.json	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

40 iplogger.org
42 iplogger.org

flow	ioc
40	iplogger.org
42	iplogger.org

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Drops file in Program Files directory 64 IoCs

Processes:

hvDQNG.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe	hvDQNG.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msotd.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe	hvDQNG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	hvDQNG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	hvDQNG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	hvDQNG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	hvDQNG.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	hvDQNG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE	hvDQNG.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe	hvDQNG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoev.exe	hvDQNG.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	hvDQNG.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	hvDQNG.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	hvDQNG.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE	hvDQNG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe	hvDQNG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.exe	hvDQNG.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE	hvDQNG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	hvDQNG.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoia.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe	hvDQNG.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	hvDQNG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	hvDQNG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe	hvDQNG.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	hvDQNG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	hvDQNG.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	hvDQNG.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exehvDQNG.execmd.exetaskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvDQNG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4100 taskkill.exe

pid	process
4100	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133663033482387617"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

2156 chrome.exe
2156 chrome.exe
3300 chrome.exe
3300 chrome.exe
3300 chrome.exe
3300 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2156 chrome.exe
2156 chrome.exe
2156 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeAssignPrimaryTokenPrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeLockMemoryPrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeIncreaseQuotaPrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeMachineAccountPrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeTcbPrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeSecurityPrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeTakeOwnershipPrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeLoadDriverPrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeSystemProfilePrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeSystemtimePrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeProfSingleProcessPrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeIncBasePriorityPrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeCreatePagefilePrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeCreatePermanentPrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeBackupPrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeRestorePrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeShutdownPrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeDebugPrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeAuditPrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeSystemEnvironmentPrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeChangeNotifyPrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeRemoteShutdownPrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeUndockPrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeSyncAgentPrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeEnableDelegationPrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeManageVolumePrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeImpersonatePrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeCreateGlobalPrivilege	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: 31	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: 32	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: 33	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: 34	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: 35	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
Token: SeDebugPrivilege	4100	taskkill.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.execmd.exehvDQNG.exechrome.exe

description	pid	process	target process
PID 3912 wrote to memory of 4500	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe	hvDQNG.exe
PID 3912 wrote to memory of 4500	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe	hvDQNG.exe
PID 3912 wrote to memory of 4500	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe	hvDQNG.exe
PID 3912 wrote to memory of 4668	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe	cmd.exe
PID 3912 wrote to memory of 4668	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe	cmd.exe
PID 3912 wrote to memory of 4668	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe	cmd.exe
PID 4668 wrote to memory of 4100	4668	cmd.exe	taskkill.exe
PID 4668 wrote to memory of 4100	4668	cmd.exe	taskkill.exe
PID 4668 wrote to memory of 4100	4668	cmd.exe	taskkill.exe
PID 4500 wrote to memory of 5080	4500	hvDQNG.exe	cmd.exe
PID 4500 wrote to memory of 5080	4500	hvDQNG.exe	cmd.exe
PID 4500 wrote to memory of 5080	4500	hvDQNG.exe	cmd.exe
PID 3912 wrote to memory of 2156	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe	chrome.exe
PID 3912 wrote to memory of 2156	3912	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe	chrome.exe
PID 2156 wrote to memory of 784	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 784	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 1272	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 2924	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 2924	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 4384	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 4384	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 4384	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 4384	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 4384	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 4384	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 4384	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 4384	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 4384	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 4384	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 4384	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 4384	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 4384	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 4384	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 4384	2156	chrome.exe	chrome.exe
PID 2156 wrote to memory of 4384	2156	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe
"C:\Users\Admin\AppData\Local\Temp\4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Users\Admin\AppData\Local\Temp\hvDQNG.exe
  C:\Users\Admin\AppData\Local\Temp\hvDQNG.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\55837256.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks system information in the registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff98e06cc40,0x7ff98e06cc4c,0x7ff98e06cc58
    3⤵
    - Executes dropped EXE
    PID:784
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1972,i,4486261198969460611,12559796560974036240,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1968 /prefetch:2
    3⤵
    - Executes dropped EXE
    PID:1272
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1932,i,4486261198969460611,12559796560974036240,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2028 /prefetch:3
    3⤵
    - Executes dropped EXE
    PID:2924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,4486261198969460611,12559796560974036240,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2440 /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:4384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,4486261198969460611,12559796560974036240,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3140 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,4486261198969460611,12559796560974036240,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3180 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:2904
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4596,i,4486261198969460611,12559796560974036240,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4568 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:4576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4816,i,4486261198969460611,12559796560974036240,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4836 /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:1132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,4486261198969460611,12559796560974036240,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4848 /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:2064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5028,i,4486261198969460611,12559796560974036240,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=208 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3300

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
1.6MB

MD5
2c99645742665024db8e389c2870bcb9

SHA1
6e556ee19a2a1731ac56b69d0e83257e439a818f

SHA256
ab708ef464fa5e8222459d786512279840efa919b05e66b0f2c473d8db4becee

SHA512
25a7f8434e83341d9f8d68e2f8c7f088f2e84a707fc6db3f18bc1c098a2511380f92d8efde768f5113bc52734f640a08ba356f9a31d551da6ddf58d4884170a5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.6MB

MD5
c0e615c4c4f31cc9d9c8e1f7db1fd19e

SHA1
e561a25b4d70209d6f9a98fc6755b7bcbebbfad1

SHA256
bcbb6c63044144a41ced7051ddcd55e60439c72d2de9a230a4c5d5696ba5601d

SHA512
f345c22444c7e3e67fcf4d604b750a44a849881f173e1912ffc5526fc21c3ed9c03aa68a7f3f0c01f6793588fd183319824871fc9d118e4af03ee77a87ca2ae3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4de38ce924aaa5cd0e43134ec72f4b82

SHA1
6970af8f2f0dce824973b519db15eccba71abebc

SHA256
c4f7d17390c4f827a9f9b45270257cc37a4897e89cd1c6f04dd2e77b172f484b

SHA512
22b7f41df97ec0fcdad73521c3e36cc245dca31a7f6923c397b3f274792e5575178aeb067d7e280ba83f9bb06aa2d6667ca827be119a7f088e32cb358723fe92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0ffbced75ea5a72400107f7933271d26

SHA1
371bdf0968fb224929d266300db570f95eaa8303

SHA256
9902ea6978cf97b86e3f0db6f1ac2de98120d226df3849f4c336a60def0545f0

SHA512
fee8d687d2ca344a513642a2d80faa0df305b0c30fdaad92947981cbfcd13bdbea76de7134ab3c4c846c4866c9b990b6e39b726b65e293f50ae87c258a1dc6eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
ddeba50822559b3a1b54ede990f8b3fb

SHA1
95867fb9f15c8dc48af91ce7e0e763558e442d90

SHA256
046c66f9b3107a183412560d08424c75a3944bbd0253e708cebca104c2b556b7

SHA512
d2bf2804ced61ead4fcfbb339c6ffb0d78b30ee12138e68748e8214ece0fb0f90c8921546c1611759dbf55b40635dbe1b41f6910c278abba16f22b5789431454

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
43ff7c5c3158f831c48378335603654e

SHA1
2102e5abc5be71a2b3840ffd56a6b8da42987370

SHA256
1ab1e35b5c2d4da6b128f35cf1bfd44759dceb0654c90aaeae35e3d4520b9c78

SHA512
9f636b2adb9b3a6db02b4cbd9c4d1c658ee7d701d415d6da6f4987f81e87d157854b19904e3bef6cb74651ef080998ded355057979768ecd3155545cce5fd185

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
684c29db137b858146763978d1eea97f

SHA1
4ecb0164896c6ae453b06353ea6f5048658f3f47

SHA256
e56174793d612b4ee1e6d712d120c5c3fb96bf3be84b46b132b7baecff3fd754

SHA512
1b4c19cc1e6e7765ca3b56e720768ea80e4a30671868c8933ecc1406c6493159d18b47e4e180be5d790e1ab88ed3f6b626d5d7c95b16d486f438f276006a7882

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
507a3f611a39ace914943b5481727640

SHA1
d4f509b1e6cd39ac15a149cf6e6de3faf72318a2

SHA256
68a9d442fd581538b8f73d7ad6d74399d5089d8cac08f1d62353381349108811

SHA512
8c3f43a94bfdaeb7c5d836a9128057b8a28f183535d045fa177355435e01ab445f04f613587eb0c1b764b63f5f85f03d5db3d392d32f166e4abbdfee7548adad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
94b71b00ca90aa209be1e07dfa582515

SHA1
d398244b596342e0d446e458f8a0e459a89fb290

SHA256
5bffc314fcd910f0ed70ee6f1f74364bc4c2aa46fa8273d8ced28e96f4a81fb1

SHA512
8095dcc93b51aab42c1f280166b8640cbbbd04e21f78fbafe5def452a8f09bbb75d0f7b9dac092ba10a558e9640691ecfc84c66dc325c0028a32bbe66ded6b7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ab2b7b54a8ce745b510474e1ee7ff9b7

SHA1
9338817d810f4c1c5180cb77c1a43810f2bedad4

SHA256
57e31363aa192f19a2880b163e6e5778c2bf2378d9b7108f96c357d863e0672c

SHA512
d7bc9dceb568c0e49c23e8d2bfa971a116b0745669f052bd28939fe7a7dfb4c3d4138639c7bb974e2340b9390622d045510e7fb36824838a7475eba746152fe3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fa4d72c0b2b02e05d3417248bc91b94b

SHA1
ff895a44cbdee4958167e259fccd7654bd9cd972

SHA256
1534555b84e672868234f4379421aae3f1af1048df615f617de28065402353c2

SHA512
bbe167ff33e9bb839564f2595aa4754784aa5399496a7a0d8f930636712024f7f5e1b74041ba1b16e9a5ee32bf140b9ef402bfad353248fceaeceae8b96ac74c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d6043d1587e376084c6fff4684a03bc1

SHA1
6526555ac411e065a83d2c45c0fead9dbc526317

SHA256
9c13b1aac983a13ae48b99858f25eaee996e09be363317aa7b0b155a17c36b33

SHA512
c6d0039b92e3c85178fa0a3bf07feb6559071804b9aa1cc762add7f8a3873235b42b1c2bfbe51a117783b85de5e448c476f13f89043078f2316c0ecaa7998c1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
29aeaf5a9e2ead754055f323331312c8

SHA1
908c1b93d22eeb97f1023aa664273306cfff27c4

SHA256
48e5772b0eee99ba1381792483bebe4a4d9160df07af6f10fd8915e9175d8054

SHA512
ac2f7a1b830fddb7de3d237ba5a883395d1e06c13c343993b3521aee633de563269f2c71352cd5ebfc66a9bec135b0748b733c03b45d8a4bccf53b0e84bace3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
3d143616ca631f0353ff76db963e0b8c

SHA1
0ac28132cbf56028b81b6531aa0c496bb8327c3d

SHA256
d229a21bb1e2e245e10d6b08e52f19c7780194b504cbb0b1679fce75e30aaf67

SHA512
0aa76ae20c6e4b1a25cf03db82651232f0560779bb662f3f01370db3bd68b38d2ae3db748b462557f71b4297302ccab1b113fb66742f9adfd853bff611c1993b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
187KB

MD5
bbfdd30a1622de7d1ca046be2b680f25

SHA1
ac2e72d45d7c9a5dd039d6749d666036cd7b9aac

SHA256
615bed6e47689fe2619c996d40e75b277df843eed28de7c1872d2bce0681aca0

SHA512
2e839b4506d339a23464c178237b26ec288d800716429348d92deac8244a21ed6d3c70b5cbe2231856888e8bef952ca8ae299c7365c49c0c29e7525e00ffd968

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
187KB

MD5
ccfc782dbf57b62f6adc7c563a7431f4

SHA1
c7deb2d352f10da483a548e221be01e6bc92c65d

SHA256
bf7a7d0724736dd5cb8626045358e53242c05cfe121606fdd98ba874f805940e

SHA512
535474c0d660193107c8dc4dc7d469e05d9c20281f73bdf2e8c756b504d0aba5fedf2a446e33ef2b8cf7e98e31210ba643b7c2ea06d0a33f1bd0f7c868b2df99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5G8JI3LV\k2[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\106826B2.exe

Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\55837256.bat

Filesize
187B

MD5
8c365cb9126c03b6135baba361415df6

SHA1
36cf6fd50c616b1d3c0900e80c1996b3a3a75802

SHA256
1e94a937c6a3de762e93e8fb400172e8acd11e0f0fb2d120ddf85738f0d143da

SHA512
5016adaf68e063e3ef3cf57f28578ff861b1fcb028ea558f2aab537238d431d73e8ea433552608d44068bb12865897286e0c449ec3d862683049e162c8ad6557

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvDQNG.exe

Filesize
15KB

MD5
f7d21de5c4e81341eccd280c11ddcc9a

SHA1
d4e9ef10d7685d491583c6fa93ae5d9105d815bd

SHA256
4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

SHA512
e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

Download Submit
\??\pipe\crashpad_2156_GZJKQVCVYBJIJICT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3912-0-0x0000000000B30000-0x0000000000CB1000-memory.dmp

Filesize
1.5MB

Download
memory/3912-80-0x0000000000B30000-0x0000000000CB1000-memory.dmp

Filesize
1.5MB

Download
memory/4500-59-0x0000000001000000-0x0000000001009000-memory.dmp

Filesize
36KB

Download
memory/4500-4-0x0000000001000000-0x0000000001009000-memory.dmp

Filesize
36KB

Download