socelars | ded8995ef3dc7ea298fa16e1733b033e06261a76e1639430d4808600884c7467

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Size

1.7MB
MD5

7bb46178f57f6ea01347b1790d7bfa27
SHA1

bad79fb2e79f12feabd5249636537842e45b9bef
SHA256

ded8995ef3dc7ea298fa16e1733b033e06261a76e1639430d4808600884c7467
SHA512

86ea26f7f142020e1738de929b6de90400cfa7a1e7b8f69aa62c46b98c220e8f9966eb319bae04fef5c23cea21935d4f10c944e16e4bce4e2e47e5d7c30d9da5
SSDEEP

24576:DKAgpBGV2HpWHuREjDnI2AuADZ8KvqC75H2dtDPc/ExKFY/fwg:vgpG57R8InDPcsxKC/fwg

Score

10^/10

socelars aspackv2 credential_access discovery spyware stealer

Malware Config

Extracted

Family

socelars

https://sa-us-bucket.s3.us-east-2.amazonaws.com/jhvre24/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1140-0-0x0000000000AC0000-0x0000000000C83000-memory.dmp	family_socelars
behavioral2/memory/1140-80-0x0000000000AC0000-0x0000000000C83000-memory.dmp	family_socelars

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MDSxhU.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MDSxhU.exechrome.exechrome.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	MDSxhU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	chrome.exe

Executes dropped EXE 13 IoCs

Processes:

MDSxhU.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeelevation_service.exechrome.exechrome.exechrome.exechrome.exe

pid	process
4416	MDSxhU.exe
1692	chrome.exe
1620	chrome.exe
628	chrome.exe
3780	chrome.exe
512	chrome.exe
5016	chrome.exe
3664	chrome.exe
4772	elevation_service.exe
3796	chrome.exe
5112	chrome.exe
4424	chrome.exe
4360	chrome.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

Processes:

65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aieoplapobidheellikiicjfpamacpfd\11.23.45_0\manifest.json	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

45 iplogger.org
46 iplogger.org

flow	ioc
45	iplogger.org
46	iplogger.org

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Drops file in Program Files directory 64 IoCs

Processes:

MDSxhU.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	MDSxhU.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.exe	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.exe	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\SoundRec.exe	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	MDSxhU.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.exe	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe	MDSxhU.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe	MDSxhU.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	MDSxhU.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe	MDSxhU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	MDSxhU.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Maps.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE	MDSxhU.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE	MDSxhU.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	MDSxhU.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exeMDSxhU.execmd.exetaskkill.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MDSxhU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4452 taskkill.exe

pid	process
4452	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133663076026839748"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

1692 chrome.exe
1692 chrome.exe
4360 chrome.exe
4360 chrome.exe
4360 chrome.exe
4360 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1692 chrome.exe
1692 chrome.exe
1692 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeAssignPrimaryTokenPrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeLockMemoryPrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeIncreaseQuotaPrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeMachineAccountPrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeTcbPrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeSecurityPrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeTakeOwnershipPrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeLoadDriverPrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeSystemProfilePrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeSystemtimePrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeProfSingleProcessPrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeIncBasePriorityPrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeCreatePagefilePrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeCreatePermanentPrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeBackupPrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeRestorePrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeShutdownPrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeDebugPrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeAuditPrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeSystemEnvironmentPrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeChangeNotifyPrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeRemoteShutdownPrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeUndockPrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeSyncAgentPrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeEnableDelegationPrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeManageVolumePrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeImpersonatePrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeCreateGlobalPrivilege	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: 31	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: 32	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: 33	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: 34	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: 35	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
Token: SeDebugPrivilege	4452	taskkill.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.execmd.exeMDSxhU.exechrome.exe

description	pid	process	target process
PID 1140 wrote to memory of 4416	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	MDSxhU.exe
PID 1140 wrote to memory of 4416	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	MDSxhU.exe
PID 1140 wrote to memory of 4416	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	MDSxhU.exe
PID 1140 wrote to memory of 3496	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	cmd.exe
PID 1140 wrote to memory of 3496	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	cmd.exe
PID 1140 wrote to memory of 3496	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	cmd.exe
PID 3496 wrote to memory of 4452	3496	cmd.exe	taskkill.exe
PID 3496 wrote to memory of 4452	3496	cmd.exe	taskkill.exe
PID 3496 wrote to memory of 4452	3496	cmd.exe	taskkill.exe
PID 4416 wrote to memory of 852	4416	MDSxhU.exe	cmd.exe
PID 4416 wrote to memory of 852	4416	MDSxhU.exe	cmd.exe
PID 4416 wrote to memory of 852	4416	MDSxhU.exe	cmd.exe
PID 1140 wrote to memory of 1692	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	chrome.exe
PID 1140 wrote to memory of 1692	1140	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	chrome.exe
PID 1692 wrote to memory of 1620	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1620	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 628	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3780	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3780	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 512	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 512	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 512	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 512	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 512	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 512	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 512	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 512	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 512	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 512	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 512	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 512	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 512	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 512	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 512	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 512	1692	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe
"C:\Users\Admin\AppData\Local\Temp\65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\AppData\Local\Temp\MDSxhU.exe
  C:\Users\Admin\AppData\Local\Temp\MDSxhU.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\67c25484.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:852
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks system information in the registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd72b9cc40,0x7ffd72b9cc4c,0x7ffd72b9cc58
    3⤵
    - Executes dropped EXE
    PID:1620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2040,i,5547711871770438539,4221661179769063365,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2036 /prefetch:2
    3⤵
    - Executes dropped EXE
    PID:628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1872,i,5547711871770438539,4221661179769063365,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2268 /prefetch:3
    3⤵
    - Executes dropped EXE
    PID:3780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2152,i,5547711871770438539,4221661179769063365,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2652 /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:512
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,5547711871770438539,4221661179769063365,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3152 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:5016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,5547711871770438539,4221661179769063365,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3440 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:3664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3656,i,5547711871770438539,4221661179769063365,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4576 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:3796
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3868,i,5547711871770438539,4221661179769063365,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4860 /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:5112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4864,i,5547711871770438539,4221661179769063365,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4388 /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:4424
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4988,i,5547711871770438539,4221661179769063365,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5316 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4360

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
1.6MB

MD5
2c99645742665024db8e389c2870bcb9

SHA1
6e556ee19a2a1731ac56b69d0e83257e439a818f

SHA256
ab708ef464fa5e8222459d786512279840efa919b05e66b0f2c473d8db4becee

SHA512
25a7f8434e83341d9f8d68e2f8c7f088f2e84a707fc6db3f18bc1c098a2511380f92d8efde768f5113bc52734f640a08ba356f9a31d551da6ddf58d4884170a5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.6MB

MD5
c0e615c4c4f31cc9d9c8e1f7db1fd19e

SHA1
e561a25b4d70209d6f9a98fc6755b7bcbebbfad1

SHA256
bcbb6c63044144a41ced7051ddcd55e60439c72d2de9a230a4c5d5696ba5601d

SHA512
f345c22444c7e3e67fcf4d604b750a44a849881f173e1912ffc5526fc21c3ed9c03aa68a7f3f0c01f6793588fd183319824871fc9d118e4af03ee77a87ca2ae3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\419e255d-b16e-4da8-b0a5-c21705aa5d42.tmp

Filesize
8KB

MD5
5f7114e398afa0df476891f6f62c0908

SHA1
d4dbb609867fe3c96ef14f1f70c1ed0efcf6273f

SHA256
869cef9d6aad43bc0a2cb5a8bb0c885e39b33f196643c064686db3e1951160d8

SHA512
255378d3553b2fab6b1c094599a3ccbd8cd2bea52aa263f560ec3da83abdf7fc07456abdee91fafd8f866a3bcf0d5e2699d651bbb87d05c0956aaeeea8f58583

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f71005443418620bfad3a058fa223fe9

SHA1
eaab65656e3354fa24debf9771d3b1357e377029

SHA256
c75d1ab575f18cad6ca9499f34701a6efa6485625df06d31c378d8010baab468

SHA512
732799b7b859b657c87ab80bf5e1b6cd17cd7b2c389b915c79c46a4c11a685c8a8634ce6777738981dca598cf03385983d2aaa8a8d24ecad8866e5c89d4917d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f3e4c727f2000623f3f041562c336450

SHA1
9c1aa168ca7658b587ea8543f425dfaa49424b3a

SHA256
f962ce13bb02b751de1d1486dbb77ac382cb489d802d0f12541da167fa5b9224

SHA512
4c902d821388278aaf92dde8b710545f9efb20702689f9137eaac09d632b7c2c9a2ca8cd3c7f39ececbb45deed8691a6c6120930c62119e8d6b22512535d1f35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
97354165b316635b5d11712cf73cd6dd

SHA1
f1f7d2f0f0ebc01a7f6f53c5ea9e2d6f1c665e8d

SHA256
7de87fedc52243c199c82c56db9a38c92c4b18992ae027c299cb13011e6a32bb

SHA512
32746fe8d2cc97b8df11419d54e6b04be22bc37c20a203e6b22e8001dc69a3e93af245e920f2c541d6bb0258616869a89480dd8d7772e3b3a691c3f5893e4ad1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1567c7579d9dac294afadc244df09a4f

SHA1
37e2ffc89eed53dc7bcf5dd90bd93671372d31f3

SHA256
2ceec7c526361700eba0f834d54d2841dd7480ce9f121da4cd060323ec02ff8d

SHA512
0a7e1ecc5c1b61cec1f2d52cd31680d82308694876975c1b140e302ff0cbe916dc6455304645bc731a3af2972a6f90f1f156fed4f90ed518e7c9a8278e879528

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b39cd7ae2cf46fa4166e1c38bfa345b4

SHA1
64aa28270dd9dbfeb1a5304a24a8af0595f580f5

SHA256
ae7e674d3f368bacce9c9d80866ab2fce24acf172cf4df5f2ca09f6a7903653a

SHA512
5ef1c6e057709617fcd10680f9523eb297997ae2c78848a0adf2d0b3d1daff77a2c430bea7cd477dce768302876e02937b25c4da30f82cf19570ad0f55a49043

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1d9bdeeacd3ba5eecbf4e9d3cfb00106

SHA1
4d3950ac4e72d6a5530416467a49c6f715579d64

SHA256
35716c1cff9946eb5ba3e23f0856bcb34f9d80ea3b6997d67ee2e7d8d773364f

SHA512
d252494bed995ec856daa48987334be7981323b27e1d5161fe8c36360c5f79da83b98a627bcf2b3d5fade40ceb7feade519e6987883ebf6041f20673a55450ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
3d143616ca631f0353ff76db963e0b8c

SHA1
0ac28132cbf56028b81b6531aa0c496bb8327c3d

SHA256
d229a21bb1e2e245e10d6b08e52f19c7780194b504cbb0b1679fce75e30aaf67

SHA512
0aa76ae20c6e4b1a25cf03db82651232f0560779bb662f3f01370db3bd68b38d2ae3db748b462557f71b4297302ccab1b113fb66742f9adfd853bff611c1993b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
b61952c615a05570abbec385ebd6af12

SHA1
7206cb53a3f59e03cad824ddc3fb223f8332eaae

SHA256
1deff96397bbf0f00caa3c4fec40fa3b1987573666f07b77846d05c2c3b04c01

SHA512
12156b6ba7cc99eed83a5ad9e59079288043cd1955b7259cd934327f6926ef3e259b2c57a7b2b52f9b79cf094a38de50bb81a57ef6bf54d8bd8d3e7524d1ec1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
187KB

MD5
8272aeae49d9acdd5c928c1ab2355899

SHA1
2db079e38619f9e0d86c2bebfdb27ef76f4903ad

SHA256
574f3ecc5417d31db6ef0205b3efda22053ea07e1ffe29ca90930eb5bcf9d5ed

SHA512
ac3b5adec6da215219836264f35c787793a40f22eb41e3db7402c1ba04c9d6afde6dd5b6c57cad1b04f9d8ba39c7f4aade58a253f1d3d1b8a73bdc8d731086f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
187KB

MD5
4c94c1e7f72689a41e82878d001485f6

SHA1
c6ab9c91db9a75310b1865bcbfbae9affbe18c5d

SHA256
664fc611e68bc5d3200ef7744b9e107e8f63e523ba5c083e7d5974bb374c3c7e

SHA512
5d2f6efb9951a920a9a3a1480a7ca64bf84677a42d0e3d3e32b47b8867cddc8aa98bb85631c35cd3f177f3c9c554d51ee3fc1b72b24f1e942de39d7ab5a59de8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5G8JI3LV\k2[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2E15397C.exe

Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\67c25484.bat

Filesize
187B

MD5
7ec3f47fefb866a8c4aff2ee73b83f9c

SHA1
9ee4780846b0efc93d8d7898faf08dc6b71868a5

SHA256
faf67a9c991622c2ddb86d321fc830a0c00190c6df31bae8b47293f8879d7dd3

SHA512
2266384e611b5b7e8de75e6e9e9f4945ee250d1322aaf91844ceb52e974fe9aec354be849e13dfa04122af2156f08b3e2f8457223e3e175a579ec629779ed142

Download Submit
C:\Users\Admin\AppData\Local\Temp\MDSxhU.exe

Filesize
15KB

MD5
f7d21de5c4e81341eccd280c11ddcc9a

SHA1
d4e9ef10d7685d491583c6fa93ae5d9105d815bd

SHA256
4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

SHA512
e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

Download Submit
\??\pipe\crashpad_1692_GUHYHMNGBXYXLXTI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1140-0-0x0000000000AC0000-0x0000000000C83000-memory.dmp

Filesize
1.8MB

Download
memory/1140-80-0x0000000000AC0000-0x0000000000C83000-memory.dmp

Filesize
1.8MB

Download
memory/4416-59-0x0000000000B70000-0x0000000000B79000-memory.dmp

Filesize
36KB

Download
memory/4416-5-0x0000000000B70000-0x0000000000B79000-memory.dmp

Filesize
36KB

Download