socelars | ded8995ef3dc7ea298fa16e1733b033e06261a76e1639430d4808600884c7467

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Size

1.7MB
MD5

7bb46178f57f6ea01347b1790d7bfa27
SHA1

bad79fb2e79f12feabd5249636537842e45b9bef
SHA256

ded8995ef3dc7ea298fa16e1733b033e06261a76e1639430d4808600884c7467
SHA512

86ea26f7f142020e1738de929b6de90400cfa7a1e7b8f69aa62c46b98c220e8f9966eb319bae04fef5c23cea21935d4f10c944e16e4bce4e2e47e5d7c30d9da5
SSDEEP

24576:DKAgpBGV2HpWHuREjDnI2AuADZ8KvqC75H2dtDPc/ExKFY/fwg:vgpG57R8InDPcsxKC/fwg

Score

10^/10

socelars aspackv2 credential_access discovery spyware stealer

Malware Config

Extracted

Family

socelars

https://sa-us-bucket.s3.us-east-2.amazonaws.com/jhvre24/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1436-0-0x0000000000EE0000-0x00000000010A3000-memory.dmp	family_socelars
behavioral2/memory/1436-80-0x0000000000EE0000-0x00000000010A3000-memory.dmp	family_socelars

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MDSxhU.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MDSxhU.exechrome.exechrome.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	MDSxhU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	chrome.exe

Executes dropped EXE 13 IoCs

Processes:

MDSxhU.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeelevation_service.exechrome.exechrome.exechrome.exechrome.exe

pid	process
3988	MDSxhU.exe
368	chrome.exe
4284	chrome.exe
3992	chrome.exe
5060	chrome.exe
2680	chrome.exe
2904	chrome.exe
1624	chrome.exe
1048	elevation_service.exe
2704	chrome.exe
4644	chrome.exe
1824	chrome.exe
4648	chrome.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

Processes:

2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aieoplapobidheellikiicjfpamacpfd\11.23.45_0\manifest.json	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

34 iplogger.org
35 iplogger.org

flow	ioc
34	iplogger.org
35	iplogger.org

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Drops file in Program Files directory 64 IoCs

Processes:

MDSxhU.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe	MDSxhU.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	MDSxhU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe	MDSxhU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	MDSxhU.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msotd.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoia.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe	MDSxhU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE	MDSxhU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	MDSxhU.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.exe	MDSxhU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	MDSxhU.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	MDSxhU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	MDSxhU.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	MDSxhU.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	MDSxhU.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{81C44847-CFD4-4467-BC43-4620F6C2BDBD}\chrome_installer.exe	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE	MDSxhU.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE	MDSxhU.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Time.exe	MDSxhU.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exeMDSxhU.execmd.exetaskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MDSxhU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4428 taskkill.exe

pid	process
4428	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133663746858546322"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

368 chrome.exe
368 chrome.exe
4648 chrome.exe
4648 chrome.exe
4648 chrome.exe
4648 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

368 chrome.exe
368 chrome.exe
368 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeAssignPrimaryTokenPrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeLockMemoryPrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeIncreaseQuotaPrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeMachineAccountPrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeTcbPrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeSecurityPrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeTakeOwnershipPrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeLoadDriverPrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeSystemProfilePrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeSystemtimePrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeProfSingleProcessPrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeIncBasePriorityPrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeCreatePagefilePrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeCreatePermanentPrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeBackupPrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeRestorePrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeShutdownPrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeDebugPrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeAuditPrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeSystemEnvironmentPrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeChangeNotifyPrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeRemoteShutdownPrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeUndockPrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeSyncAgentPrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeEnableDelegationPrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeManageVolumePrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeImpersonatePrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeCreateGlobalPrivilege	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: 31	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: 32	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: 33	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: 34	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: 35	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
Token: SeDebugPrivilege	4428	taskkill.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.execmd.exeMDSxhU.exechrome.exe

description	pid	process	target process
PID 1436 wrote to memory of 3988	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe	MDSxhU.exe
PID 1436 wrote to memory of 3988	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe	MDSxhU.exe
PID 1436 wrote to memory of 3988	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe	MDSxhU.exe
PID 1436 wrote to memory of 1596	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe	cmd.exe
PID 1436 wrote to memory of 1596	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe	cmd.exe
PID 1436 wrote to memory of 1596	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe	cmd.exe
PID 1596 wrote to memory of 4428	1596	cmd.exe	taskkill.exe
PID 1596 wrote to memory of 4428	1596	cmd.exe	taskkill.exe
PID 1596 wrote to memory of 4428	1596	cmd.exe	taskkill.exe
PID 3988 wrote to memory of 2312	3988	MDSxhU.exe	cmd.exe
PID 3988 wrote to memory of 2312	3988	MDSxhU.exe	cmd.exe
PID 3988 wrote to memory of 2312	3988	MDSxhU.exe	cmd.exe
PID 1436 wrote to memory of 368	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe	chrome.exe
PID 1436 wrote to memory of 368	1436	2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe	chrome.exe
PID 368 wrote to memory of 4284	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 4284	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 3992	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 5060	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 5060	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 2680	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 2680	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 2680	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 2680	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 2680	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 2680	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 2680	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 2680	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 2680	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 2680	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 2680	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 2680	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 2680	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 2680	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 2680	368	chrome.exe	chrome.exe
PID 368 wrote to memory of 2680	368	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-25_7bb46178f57f6ea01347b1790d7bfa27_avoslocker_wapomi.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Users\Admin\AppData\Local\Temp\MDSxhU.exe
  C:\Users\Admin\AppData\Local\Temp\MDSxhU.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3eea3aaa.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks system information in the registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbbbe4cc40,0x7ffbbbe4cc4c,0x7ffbbbe4cc58
    3⤵
    - Executes dropped EXE
    PID:4284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,12598188286059041329,703898373844434130,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1824 /prefetch:2
    3⤵
    - Executes dropped EXE
    PID:3992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1844,i,12598188286059041329,703898373844434130,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2172 /prefetch:3
    3⤵
    - Executes dropped EXE
    PID:5060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,12598188286059041329,703898373844434130,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2276 /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:2680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,12598188286059041329,703898373844434130,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3128 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:1624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,12598188286059041329,703898373844434130,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3176 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:2904
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4524,i,12598188286059041329,703898373844434130,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3112 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:2704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4696,i,12598188286059041329,703898373844434130,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4816 /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:4644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,12598188286059041329,703898373844434130,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4660 /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:1824
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3972,i,12598188286059041329,703898373844434130,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4816 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4648

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
1.6MB

MD5
2c99645742665024db8e389c2870bcb9

SHA1
6e556ee19a2a1731ac56b69d0e83257e439a818f

SHA256
ab708ef464fa5e8222459d786512279840efa919b05e66b0f2c473d8db4becee

SHA512
25a7f8434e83341d9f8d68e2f8c7f088f2e84a707fc6db3f18bc1c098a2511380f92d8efde768f5113bc52734f640a08ba356f9a31d551da6ddf58d4884170a5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.6MB

MD5
c0e615c4c4f31cc9d9c8e1f7db1fd19e

SHA1
e561a25b4d70209d6f9a98fc6755b7bcbebbfad1

SHA256
bcbb6c63044144a41ced7051ddcd55e60439c72d2de9a230a4c5d5696ba5601d

SHA512
f345c22444c7e3e67fcf4d604b750a44a849881f173e1912ffc5526fc21c3ed9c03aa68a7f3f0c01f6793588fd183319824871fc9d118e4af03ee77a87ca2ae3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b73fa0d2edea0d63b9e0f77f1a6bc0ea

SHA1
4c5d79b3ff270d2e75a6cca3b640e0810da1681e

SHA256
358b40f137c2e9b8d9659fc7de3133e18e1e9a12c1289e065594738c512ecb87

SHA512
52a19719f8a0ae4989682d979a458da7ba623fb024456c667db307620b189081d7c20d87aff9e9e2788460113f7c7446d1f5e5683c537d2f8dd1a593dbbf40b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
afac9acde8832aeb5dea934b8f071046

SHA1
4467844b9726d36203197295f2744c283710919f

SHA256
eff8822975410d70ed6d4e1878f6179159bd0cb00fb835d31bde10fc5d26363c

SHA512
5f15b7250dd1a2531b59c6309bdba80d7e896f70f27fc3d7f00ecd73abf329c7f84f0b7afc6171558a1aa687adebcc8a4d6b64242bddd6530034b2fb90baef53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
24c3a4c1b9996c03a30df784db305cbf

SHA1
cb5a38a168a2876d787520b8e60771467f20089a

SHA256
a75258becda29000cda950d02439fcb4824343f09968aa0043c1d96b3d6dc5e8

SHA512
74c0f54f9d6dc6aeaae0df9f4e457e75ca06f6b16b4dd9a7698ba8e3ca50db8db482f9525e838c66734bb9ff6fa070683bacffc5f2e1adf0a0c5463a1921ccd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8db6371ea60a57056c4ee4fe36b50ab3

SHA1
fd634a8fcb0785616f6165927eec7f4bdfba8a9b

SHA256
032cfebcca160cb2069c5526d501253631966b740d3f09b54d08976c588e913c

SHA512
04e3cc825a837a391f213de1700e1fd4ad6bb95e129188bcb1f67f9cba8ecd82aa00ac829cc7a802182b121edb494ceefff4fef794cde51a61ed78903f8fe3a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
59fdae9ff79208abe778564c2b42bbad

SHA1
2ee5a54e7c69d89543887551bfc528901d48a927

SHA256
51230a1db808adc65c467f7222daa2d231531112a11f8fe4759f9d16e33970d5

SHA512
e6b59669aa8e8d2788adf20837059b1dc7ca48eeecc67d3bf63a095116fff52ab9ff6d32bbafdb0afbfe144b400730a1a4464b924f9a9e9c73fa9d5297fcb6cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c77f1a17e98988320ef28e56530b6548

SHA1
b0608613824646d20c4697d67231cb2fbd6b7a3f

SHA256
314a166ddb0ad3414fcd3207bcefb49ce5d2b58ef561c8eaeef9c761a2bddd42

SHA512
10e77fca146e665b7232ed08810da81c84439f519eebd8fa8f2121ae80569415818e46571c4ed066bdf84df757010a74dbd6b44559d4767760923728b41118c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ab6c5af6b819e76cd21a25b9badb50a3

SHA1
d03239f25a4ffac83264b6f1ceaf63f7a0207738

SHA256
b0fe774118a562de17f1fe4f198b4cce5864cc98be85ecc15ca281e314cdafea

SHA512
204caba29567866b4cd626501187e540ed6521b63b67e4a512abae2fe43c449f9b485f6d50132fc5efde774e8ee52da8987ce78745f16938fd6f068da1ee8eb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3047704e71441e7f51a00e78881ebebf

SHA1
b832ea532cf306b24933c6f7eb6ff698120ae55c

SHA256
935d083f0a8275b155639944c5f5af99d1657c8ee390993e28feb70ee0b2008a

SHA512
03221a70eacb2ba10baed0ee0deea4f634beb96db755c5c6c06dbf260bd15292617829401e0aff88d943f77fa75b6d49aac429f259cb6dd64c1185af6b6225d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0fad47fd84da7f0571db0544233c929d

SHA1
0afa0f391878c9c268d3ced7adf6cef10e1af8f5

SHA256
307baa8af72b6b314ebf1a9165bae58de2b4c41b7af54092cb8055cf749abfcf

SHA512
095de2e64b86c870346214e18052ac9bd530379b36f15845b5f13d1d8192ac1b64f0495f418106adb1f5651510c65e8580cacb48f6aba298733a6ab3bf572892

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b092d6e368ed18f2acbc6d6d412ad564

SHA1
676f2f0e4ee4be4e2a9084aac11891460fa8f00c

SHA256
e680ce7ae030a725b336885227cbe1872d2f6fa6959e7c5c26c7a4bfd551284f

SHA512
4e373fa5061874583ca39539277781821e11a9cee4ac6b8c626f355f89082e4f0f8bab4dc8689a692a5854c7501e3b1a68b5447c6b55058004d5787c53b3ae02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
392d3a491d83a71e1a8ef849bb1b193e

SHA1
4a08df5f000b13b9d8aff8b41e709223ab3f3046

SHA256
40d8862cfadddfa4fe4c5cf8d25c988e43489a8da7e7ff69b9a807a601a4888b

SHA512
9dcc14166f08dfb76f364fd73094559525ecc29da5499960cf661b640638fff6f20af939cf63e2eba94b6e0b261c58c6a09ff5a69a4da43e2b3d5d6b1356db30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
51fc93e1ed95951ce48b275076c02274

SHA1
66855637234de4c17b0eca3a8d75e1ce18ec9ef6

SHA256
21d4f685e28cdc1a1fe642ac8de470fc5ab6225c7432672430bff419865041e4

SHA512
dad84560cc3b7750eab2e06abaf85fbf175405599d6d63f6a4880100669bcf454213a84436b3f4be31bcc3c1c51cd5bcc66b365f1e61f7dd8dcf7e3e40a6d852

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
188KB

MD5
93c4b3d21ac70477dda2889e5af64644

SHA1
7c23d8c1f52e0f37e440650c489a9a619d6f640d

SHA256
ca9f5465c51099289c8c0c932b3863ce9b62f311f7e77d8233483c17c5e559aa

SHA512
e30e19b1919b6c70c1f6c6db60b376221d4b8224acec29372da633feab86541c2356ef6b5b36e4694aadeaace9dedffb37fa17d8a653857a6e8d0cd1ae20886a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
188KB

MD5
f24740384cd398d1ac754ff22dd80964

SHA1
21b5066797089542a2a30171b27754999ecd0ec2

SHA256
ae5747a351529ce2d94bd8d5d5f3fa9691610c7b76de4b150017ef371d1d574b

SHA512
c3d90d7a8e035f46d4918f0fc2d68f224df4b1ddce8630a0e9a450a0edc9464ae9f50db9b2f8ed549b1c131611679dd415162eed756ddfe931594a6ed0a05510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MDMHN06X\k2[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3eea3aaa.bat

Filesize
187B

MD5
7af474aeba83050992d3532a758fe84e

SHA1
51e62f6cdb56cd6617c8c709e37cf0458fd7ccf4

SHA256
295cf6ba22256aa523522e62bdfdea74b41334f59ef1366b819349d49ec02c02

SHA512
f6bfc8c1de3d8a3e9b14b206748dffdb5d8e2222d69affe156bd4d6b75730a0d3b82d6750c89a8494378ae0f895a6b4cf902b5c2254604badde607b0a9f2714b

Download Submit
C:\Users\Admin\AppData\Local\Temp\41CB3B5D.exe

Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MDSxhU.exe

Filesize
15KB

MD5
f7d21de5c4e81341eccd280c11ddcc9a

SHA1
d4e9ef10d7685d491583c6fa93ae5d9105d815bd

SHA256
4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

SHA512
e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

Download Submit
\??\pipe\crashpad_368_HLYTAMPQYMOSXBGZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1436-0-0x0000000000EE0000-0x00000000010A3000-memory.dmp

Filesize
1.8MB

Download
memory/1436-80-0x0000000000EE0000-0x00000000010A3000-memory.dmp

Filesize
1.8MB

Download
memory/3988-5-0x00000000008E0000-0x00000000008E9000-memory.dmp

Filesize
36KB

Download
memory/3988-59-0x00000000008E0000-0x00000000008E9000-memory.dmp

Filesize
36KB

Download