lokibot | hxxps://bazaar[.]abuse[.]ch/sample/5156add523f08eb7eabb51f3ce648d6f93c646bec4c6cee7dd59d95e5b50b2b3/

Analysis

max time kernel
161s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/sample/5156add523f08eb7eabb51f3ce648d6f93c646bec4c6cee7dd59d95e5b50b2b3/

Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://94.156.66.169:5888/shtfgdfgd/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	5156add523f08eb7eabb51f3ce648d6f93c646bec4c6cee7dd59d95e5b50b2b3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	jdfjdfgj.sfx.exe

Executes dropped EXE 5 IoCs

pid	Process
2692	5156add523f08eb7eabb51f3ce648d6f93c646bec4c6cee7dd59d95e5b50b2b3.exe
1516	jdfjdfgj.sfx.exe
2300	jdfjdfgj.exe
1608	jdfjdfgj.exe
4740	jdfjdfgj.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	jdfjdfgj.exe
Key opened	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	jdfjdfgj.exe
Key opened	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	jdfjdfgj.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2300 set thread context of 1608	2300	jdfjdfgj.exe	107
PID 2300 set thread context of 4740	2300	jdfjdfgj.exe	108

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdfjdfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdfjdfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdfjdfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5156add523f08eb7eabb51f3ce648d6f93c646bec4c6cee7dd59d95e5b50b2b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdfjdfgj.sfx.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 44 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "3"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1544	chrome.exe
1544	chrome.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
4504	chrome.exe
4504	chrome.exe
2388	taskmgr.exe
2388	taskmgr.exe
4504	chrome.exe
4504	chrome.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
3348	7zG.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4332	chrome.exe
1756	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 392	1544	chrome.exe	82
PID 1544 wrote to memory of 392	1544	chrome.exe	82
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 3728	1544	chrome.exe	84
PID 1544 wrote to memory of 4488	1544	chrome.exe	85
PID 1544 wrote to memory of 4488	1544	chrome.exe	85
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86
PID 1544 wrote to memory of 4692	1544	chrome.exe	86

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	jdfjdfgj.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	jdfjdfgj.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://bazaar.abuse.ch/sample/5156add523f08eb7eabb51f3ce648d6f93c646bec4c6cee7dd59d95e5b50b2b3/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9ff64cc40,0x7ff9ff64cc4c,0x7ff9ff64cc58
  2⤵
  PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1600,i,4666570933188434967,12805098821920337361,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1592 /prefetch:2
  2⤵
  PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2124,i,4666570933188434967,12805098821920337361,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,4666570933188434967,12805098821920337361,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2244 /prefetch:8
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,4666570933188434967,12805098821920337361,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,4666570933188434967,12805098821920337361,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4512,i,4666570933188434967,12805098821920337361,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3728 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4816,i,4666570933188434967,12805098821920337361,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3196,i,4666570933188434967,12805098821920337361,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3736 /prefetch:8
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5348,i,4666570933188434967,12805098821920337361,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5344,i,4666570933188434967,12805098821920337361,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4892,i,4666570933188434967,12805098821920337361,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3516,i,4666570933188434967,12805098821920337361,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=724,i,4666570933188434967,12805098821920337361,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3828 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4440,i,4666570933188434967,12805098821920337361,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4416 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5152,i,4666570933188434967,12805098821920337361,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4320,i,4666570933188434967,12805098821920337361,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:8
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5824,i,4666570933188434967,12805098821920337361,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5888 /prefetch:8
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5788,i,4666570933188434967,12805098821920337361,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1756

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2552

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1212

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap24248:186:7zEvent19246
1⤵
- Suspicious use of FindShellTrayWindow
PID:3348

C:\Users\Admin\Desktop\5156add523f08eb7eabb51f3ce648d6f93c646bec4c6cee7dd59d95e5b50b2b3.exe
"C:\Users\Admin\Desktop\5156add523f08eb7eabb51f3ce648d6f93c646bec4c6cee7dd59d95e5b50b2b3.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jystsdf.cmd" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1108
- - C:\Users\Admin\AppData\Local\Temp\jdfjdfgj.sfx.exe
    jdfjdfgj.sfx.exe -pluklhpfbsnrsyethnymkdesppodtyuhngfszafugyRhvqxsdfHbgnmeG -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\jdfjdfgj.exe
      "C:\Users\Admin\AppData\Local\Temp\jdfjdfgj.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2300
    - - C:\Users\Admin\AppData\Local\Temp\jdfjdfgj.exe
        
        C:\Users\Admin\AppData\Local\Temp\jdfjdfgj.exe
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        outlook_office_path
        outlook_win_path
        
        PID:1608
    - - C:\Users\Admin\AppData\Local\Temp\jdfjdfgj.exe
        
        C:\Users\Admin\AppData\Local\Temp\jdfjdfgj.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4740

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
34d5f753bb13744c8dbc6fef1a6518f9

SHA1
c7c5d802e1ba258d9dbff7d1c526fbb4de903fcc

SHA256
8932393213556e7c6a68060d76c2b9ceb0cd10dd8b1c5846f15e0d5ccaeca10f

SHA512
ffdec2ef3bc47ad5c889af3d178e8478aafb7a08746e5bc3925ee1553535afe49f2ccc074b5724449f9cae71c5e86fe4dc2310602e20c486dc90fff038cc6e7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
1c8e2298d4e63ac1056643cb75e23299

SHA1
15e2295b0430a3792fcfddf9ad028f1c09e2d72a

SHA256
f49722a868e21ec8b2c8d7606f824a28e33048209117a1cdf643a399de56bc7f

SHA512
95c9f627234e36823f3303d0ad6250b9d22420bd4b38ccc081f82bea0ff355b33e10abbfe35f1e937e466d9672c03f85aa0710cbab9b007595bae1084ecac01e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
22d37f17a3df3668599408127a5c275a

SHA1
83d6177260533393553b8d25ddfea8fa8d614ff3

SHA256
cc8c8b03a73c46c7aaa0fa6b052fe887754c7a9073783d818a5d58e8b7441518

SHA512
e6462eab37ba11cef0eb872995a6b58d194851bb184e1d55c6e2bdb1c957b94d4f5688f74806655beb85550f0d0c9575975779fdc7ec6af67155a1bee61a4ec7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
e20b0fc74bc14bf4524541e60ab1f8d9

SHA1
cb16d286446c844fdf85648bf19e88583ba71cef

SHA256
baf8830e217cbaa849eae9c8e761237875ec81932c3e8c42d62189823bed2b38

SHA512
cb6f96909261a7d650df32aa88a1dd5f77a8efe3763e42f14948feb7c8d105efd3381415d5a19d60d25eaa83847a276a36dc06182d85fb9d1e0b153ecc5fbfb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
f2d5cf8e570224ed4953894ec946dfd0

SHA1
9ca644a157691373c4418152868a73b9fddf3b4d

SHA256
3fbdfdd48a94699a801265bd83ed7ac30a5f3749e6ba221fef73bbb4779a4702

SHA512
d599ee50e38156b21e7c8728b7678fb62315571fffdf7da248dc648cd7544a3e13e75f8712bf6d5d0e48e2e08b068d87bc46bbb5b55814395e1052ea7aeb09be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
490b73a3ab8b20a75c9d97149ddfd265

SHA1
10446b79608c16c163d15be4fe4c22c29df347d2

SHA256
62992981ccff1b7cd638bde107caa28fd9966be75693bb51f54bfe9cdb27e4cd

SHA512
76f293e05ad822297c8ff00df10abd4f0c5fabb10e172ab3b4c7881dd8282e781ddaf8a333a491bb913b09da4c2e7ab92f6b1a0fdb84f5f701448919b71bd247

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
c7a83139404c3e177064a7151778badc

SHA1
cd1de5b1858a8f654b6618db120f7595070b14dc

SHA256
fa3da3c920eff5f75cefb24605493dddbfc5fb54cc8786f8bb84392f12eff527

SHA512
44fb605cd68e5ab05fdaccb8f01a4359110bbf7ece3b79d8e0b3d6a89b1d85348ceeaa7056f04f1d7ddf367a72a5f29f1685ad8150d53513cbede23cefa51c79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
9f151b787afce8e204232cfa33512056

SHA1
6e23b63b4c573f10be77e43556212f70b19779bb

SHA256
fb6641fa42d86220fbac4828e6e54ad88500ad687e9b8701a8debdb9c4f88c55

SHA512
b00ef30c94ebaf30b8af4a023fb7750faffbf15f1b9245b603a7d39b1c7927352623304f6f750861d310893d1d2d4a4c0ba14640da9a25d045fa246f11f17bc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
293a54b387e563275168fcfd8bd3c7e5

SHA1
8b6186b58bdaf54663c2dd4aa8a045226e5c07e9

SHA256
d90481168101544a44d5d4b850075037ba5d890ddd0237b3978a4b41db9ba3ef

SHA512
2df5ad4a4e0077babcd70d6c1ed8fe810e6eb423cdc50339d3b1c06f895e5a0099b50b4436a09d9bc14ea13501396e8bdd92bc125037197e6302815ba65545b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
16ce84a49219ac0e92b9194306adb675

SHA1
7a003e2784bddf2e524d37a9793c9078fe55ec0b

SHA256
e0da070feee48daf2458df6780af06a9b3bc6f0d643654478e6853044527091f

SHA512
245607a5f9e702baec2ed4c8585f0fef527ae5aeb6fa873180110635e189620d22bba175e1720484bb55321ab17c4f9bd46a3fcb8878a183df6c7e8aba418097

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
bfad072a347bcd57849a59a5132ba0a2

SHA1
7e250eb1ac4e26ab0d957eb7bcef6db27010a3ce

SHA256
3a7f0562841987f49e3aabf1d18366824f350dbbb89888ba5896856ab72dd1fc

SHA512
8bcb2dce95a84753895a2ccadc4ba8fe3efddc07fe1d6b02181be05f7d30972b50e715e14d986d1f7229573e074276a242161f7f606215825fd6f89ac03872c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b098fa6e8a7846ee2fca20e99df55047

SHA1
eb4ce7e1ac2ca1305e1a2540b4d1b8e728920520

SHA256
82356dabd6bbe691539925c7b072123f5ea6dd167383670500b91a74a6593fa7

SHA512
9dc5e405ed2e6b1116ff1afd29a9785d9083ee2bbeaeece33ff501d4e1e182c35bcb1cc0c2ea847825a5d741a0c8fbac2e87ed7333dac9faacc8fc534155af02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
cc9ac72101a4436582679732a81ae121

SHA1
7117e0ef9b4437bc07072c74df1c8699d6ed6baf

SHA256
cfd90382ba33b427a3184065d461a0b72a55d882af697d948b21507229ba17b2

SHA512
7d5afdfeebef1d17b9e55bcdaea763547be15e1a331eb25d9a7fd7ce38f1c5f0b2fb6f29f5d1e594223e8eb5a5321fa1431a4f96c4e5a36d89476c0743267c4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
64a5f71d36b18fcb6c9040aa9da9a655

SHA1
d58aad83f9919ff95ca7606277433bd56209d36b

SHA256
e8ffc25cf43ddf661ce568f66fa00c8c9fab053c73ce2419cc6757e4cb4c41f2

SHA512
d9a4dff9dd20a662b0f177ad195de09765d974dd490b11fbd47226c5604af179ea24bcd66a08fd635755549a038132c8259fa9a4409777c6fdde3ad12ed4d7b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ccca3ef70455618abf3ecaacca016e2f

SHA1
beee9091c5646a4f70fefdef8926e83020bf3f04

SHA256
0b81b2c3c5c06da1a0d24d4f46599813555f4788a7d93e27d442d13c4317c413

SHA512
cf12b7174c5f6a4ebc5e511998c649100d9960a66d9496b3f229e9f1d78e764fb8d00744aea7f90806e9bdd507651a8b91ad2369556f0e9db9d1f114ffb5a97b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aaa9b436f4a907445e93bcb1a17b0409

SHA1
f23404d5fddb87ce557cd4b5ce12102da32680bb

SHA256
9c22fa490d01c244cb9ae7b076981dfb52399fdeb2d92ecabdef57aa0cdabbf0

SHA512
bc55b0680497026c45266d25cefa97c10594d592bbfde47022e84fafbebf3f0d1fdca8727d541cb59d82605bce6ad05763b75afc377760b1974a82db2b05658e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6bc862da44482a70048d94787b25335d

SHA1
94123356c36a171ee6b2792bf92ece2ff5c36a5a

SHA256
c76ba43d590d5de99378e8eba5ab385f3d7403c7f93f1682af0836afd9695294

SHA512
01847a120a6e93edc7d06ea983729104795280d7400cca1bdfcf96d403a04174a7004f7c3cc3782d857c7794e9f729068ede478c331201ea59c13cbb6de33cc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3755b604987be2fbff1fd4f201d169dc

SHA1
3e20abf9c971c0304435e375daa654b49a466fcc

SHA256
ea96261889dd87307174b4ff1394a6b1e0df6b3d5f69c6fe6eaf26ec07d24eb8

SHA512
ab732064c380111936f9644b9946f718a1a7a3054de1173b1b25971f638ec0667d835582c873a32d2d3b96d486b21fa2f2bc6ddfcc245c5295ce02bed7c82d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6a130769c2cee208498aea7fe805f27a

SHA1
b4b108f136d9ce524d2a9a0755cf64e9c1642d7c

SHA256
9337431018c6d889b049461c6a280d8afb23f4b6a23aeb5131cb2a0e7adf4a94

SHA512
91ec4fb2277d3e414e1e67db14225ef4e288e8fe7148f726026259247ce4ec8ec162f1c2d85403046dcc88b35d6e594f56e47578238567316a2171c1f922db09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a2768bbc78932d5dfdcccc818e680ac8

SHA1
3896e66b48954b37003f04b60cbffa63a31c6e05

SHA256
9f979315a1c94f2067310d1dc8b05c1632ce73ec72286ba13ca65d6400c2e1e6

SHA512
bc7e56c2bf42719ec24a6de201aace970b170bfd43105d90b5f4ac2f9a36e2b1bd3f4423d4081081e95dd901fa3d72f1fa88636a7100286aab3fd1ef546d011c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
0f8e36d8cdbe98beda8eda4013d1adf6

SHA1
f7ef55efa93893fb45b8e6e91a5810c92d222bdc

SHA256
65b8055ae46ec25a819e7475f32169d91bd3a5ec2caef1bcd23ff7c2cdbb0704

SHA512
2b40b620fa86e02f42a808c7202a055d01289524943067192c1050cb496044e834f9d318689156f3eb21a408827c97bc65c96534781824d381f7149f9a2ffc03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
d50b7928e7975c58307c3d58f2388b6b

SHA1
8ddd6077313930611bbe8af181a555b6ebb0cf01

SHA256
bba6d8e233fb481c5d1979d1c0cbc35d69905d4fc2339f78958ad86bbd06771c

SHA512
8ee5af11a031030b6f015398255f36f1b646e2992a1b90fc8b96e30e394742c87e023b56cdea81b8b80ebf757ea314dfd943e9540519db7d37b6d83ac1a8cd3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
7067d49d4295b9f6eb1e89563010f3a2

SHA1
88fb8c92b32abdcc860b5846fe36857ced990604

SHA256
0d5d1fbc58f1a315db58f3722f2076dc37563e1ce45c3b129b4eda8e2ea52b93

SHA512
103bfea6f02a2a7f18d82f350b902fc0c5111237501ade2f7cddb6314ffe643f7619f87b2680c1965a574a04dc26084eae03a838fda56f7b0cd38e3c5fc797dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdfjdfgj.exe

Filesize
365KB

MD5
03ac3991dbdb18d73bda731e1f9cdf7c

SHA1
96ab8e03593bf0591bae31487e89ac6b6e3c3a91

SHA256
14294dff13988ad3efe1ef9ca884b98d554a2c94bab76671e8a724d489785059

SHA512
1d76a3e1b9e0396bfc9b7a0772c4974161eb215f934cba6e6bc0dddb1c4e67f8e24c68262cadebb591b4ff0743822b001e4afa5d7d3e79cbf2900d3245cbe8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdfjdfgj.sfx.exe

Filesize
591KB

MD5
9aa2e1f4bd4d6919c533aec18e0c47e9

SHA1
62225abcd9442ec735e4a049f5765e514b6be651

SHA256
7da2b4bacf0927f5510aee39c8122872f52367dfab528cc77176ee19b70e9fd1

SHA512
588ad8b4677f75d319808c167ed1d57a962776d71667f08c0e2373dc153375f2dcf931e0655f1e3fdef1027ba918c742a6b49c06377575ea60a6376e48ffa810

Download Submit
C:\Users\Admin\AppData\Local\Temp\jystsdf.cmd

Filesize
18KB

MD5
7e3bf51c4c3a36b47e11430547e25cde

SHA1
7a0ee686431fa4580341973c3731ebaaf9a1b86a

SHA256
ff026f8db90e85004687be818e5f7479292631773cd032d6fdcc69ff7030b3c5

SHA512
05052c720ed921cac145672fc037ac85fa53b70ff6093e53156b8bd45d14cec8ccc65428ab09f89dfaba51d8c2961b02e3c9cf9b5f983d88cd2bf04c5f998a1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-355097885-2402257403-2971294179-1000\0f5007522459c86e95ffcc62f32308f1_30dd1cc1-5c25-4745-b2f5-cffa52b1a886

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-355097885-2402257403-2971294179-1000\0f5007522459c86e95ffcc62f32308f1_30dd1cc1-5c25-4745-b2f5-cffa52b1a886

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\Desktop\5156add523f08eb7eabb51f3ce648d6f93c646bec4c6cee7dd59d95e5b50b2b3.exe

Filesize
730KB

MD5
2360bb0b42650f2feb47a0e988ccc3ea

SHA1
0712817e7fabe68e34d67ce4151728d9f2eb8cba

SHA256
5156add523f08eb7eabb51f3ce648d6f93c646bec4c6cee7dd59d95e5b50b2b3

SHA512
d95afaa69795cfa63bed2e22f98bc37eca17402c92a83f062b04b5883ac1cd5be49b6e5653dc8d0e6fb7127e573397ca62f518045795536912526ec4bfd9744d

Download Submit
C:\Users\Admin\Desktop\5156add523f08eb7eabb51f3ce648d6f93c646bec4c6cee7dd59d95e5b50b2b3.zip

Filesize
623KB

MD5
e1bc98b8dfae03b0153558a853770542

SHA1
d74482e50fc61b84feb9fe5704861f0deace532d

SHA256
4ae7b4809b8ea2088b4185550ba0e16f11f304a497d9261eab1dfa06ca37e93e

SHA512
129bca22b47631c4a6d8959901a6bb828bccdb6907bcff1844751a44ccd9271eba0729f4f2ed1c7bf3d0a3f11812dfa43c73aed150d5ef8c08229c5186d609db

Download Submit
memory/1608-224-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1608-221-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2300-219-0x000000000E1C0000-0x000000000E25C000-memory.dmp

Filesize
624KB

Download
memory/2300-220-0x0000000002F40000-0x0000000002F46000-memory.dmp

Filesize
24KB

Download
memory/2300-216-0x0000000000B00000-0x0000000000B64000-memory.dmp

Filesize
400KB

Download
memory/2300-217-0x0000000001540000-0x0000000001546000-memory.dmp

Filesize
24KB

Download
memory/2300-218-0x0000000005670000-0x00000000056D8000-memory.dmp

Filesize
416KB

Download
memory/2388-293-0x0000026C6E6F0000-0x0000026C6E6F1000-memory.dmp

Filesize
4KB

Download
memory/2388-292-0x0000026C6E6F0000-0x0000026C6E6F1000-memory.dmp

Filesize
4KB

Download
memory/2388-290-0x0000026C6E6F0000-0x0000026C6E6F1000-memory.dmp

Filesize
4KB

Download
memory/2388-283-0x0000026C6E6F0000-0x0000026C6E6F1000-memory.dmp

Filesize
4KB

Download
memory/2388-282-0x0000026C6E6F0000-0x0000026C6E6F1000-memory.dmp

Filesize
4KB

Download
memory/2388-281-0x0000026C6E6F0000-0x0000026C6E6F1000-memory.dmp

Filesize
4KB

Download
memory/2388-291-0x0000026C6E6F0000-0x0000026C6E6F1000-memory.dmp

Filesize
4KB

Download
memory/2388-287-0x0000026C6E6F0000-0x0000026C6E6F1000-memory.dmp

Filesize
4KB

Download
memory/2388-288-0x0000026C6E6F0000-0x0000026C6E6F1000-memory.dmp

Filesize
4KB

Download
memory/2388-289-0x0000026C6E6F0000-0x0000026C6E6F1000-memory.dmp

Filesize
4KB

Download