flawedammyy | ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

Analysis

max time kernel
390s
max time network
384s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AA_v3.exe
Size

798KB
MD5

90aadf2247149996ae443e2c82af3730
SHA1

050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256

ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512

eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
SSDEEP

24576:Uj0JJ4p/A4npt3XojeQG5EtzRtO7GvmDguXd:UjoJ4u4zojegylDN

Score

10^/10

flawedammyy bootkit discovery persistence trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Blocklisted process makes network request 2 IoCs

flow	pid	Process
54	3484	rundll32.exe
84	2024	rundll32.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	AA_v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	AA_v3.exe

Loads dropped DLL 2 IoCs

pid	Process
3484	rundll32.exe
2024	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	AA_v3.exe
File opened for modification	\??\PhysicalDrive0	AA_v3.exe
File opened for modification	\??\PhysicalDrive0	AA_v3.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A82946818BB0433A7DC1AFD2189B16AF	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	AA_v3.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A82946818BB0433A7DC1AFD2189B16AF	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	AA_v3.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	AA_v3.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133673700721020252"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 5c2125debba81d4ad005834c0054bf3a3e24d6463b8378ff231edff9c7abdc9d214c2356c593d3f3e3388b941c59b20744866cd9eab8afa0605147402aab4143381af76ce7a31a2c16bd5d	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	AA_v3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	AA_v3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	AA_v3.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AA_v3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	AA_v3.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1700	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
2908	chrome.exe
2908	chrome.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
2644	chrome.exe
2644	chrome.exe
3484	rundll32.exe
3484	rundll32.exe
2644	chrome.exe
2644	chrome.exe
2024	rundll32.exe
2024	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3484	rundll32.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
4832	AA_v3.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
4832	AA_v3.exe
2380	AA_v3.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4832	AA_v3.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
4832	AA_v3.exe
2380	AA_v3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 4832	3428	AA_v3.exe	86
PID 3428 wrote to memory of 4832	3428	AA_v3.exe	86
PID 3428 wrote to memory of 4832	3428	AA_v3.exe	86
PID 4832 wrote to memory of 3484	4832	AA_v3.exe	89
PID 4832 wrote to memory of 3484	4832	AA_v3.exe	89
PID 2908 wrote to memory of 1412	2908	chrome.exe	95
PID 2908 wrote to memory of 1412	2908	chrome.exe	95
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 464	2908	chrome.exe	96
PID 2908 wrote to memory of 2888	2908	chrome.exe	97
PID 2908 wrote to memory of 2888	2908	chrome.exe	97
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98
PID 2908 wrote to memory of 532	2908	chrome.exe	98

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:4608

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
  "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\SYSTEM32\rundll32.exe
    rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff3753cc40,0x7fff3753cc4c,0x7fff3753cc58
  2⤵
  PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1804,i,12065259662948401693,2582193193030359234,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2008,i,12065259662948401693,2582193193030359234,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2052 /prefetch:3
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2108,i,12065259662948401693,2582193193030359234,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2120 /prefetch:8
  2⤵
  PID:532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,12065259662948401693,2582193193030359234,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3300,i,12065259662948401693,2582193193030359234,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3716,i,12065259662948401693,2582193193030359234,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4728,i,12065259662948401693,2582193193030359234,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,12065259662948401693,2582193193030359234,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3584,i,12065259662948401693,2582193193030359234,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2644

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4848

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:436

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
PID:4264
- C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
  "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2380
- - C:\Windows\SYSTEM32\rundll32.exe
    rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2024

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\AA_v3.log
1⤵
- Opens file in notepad (likely ransom note)
PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
C:\ProgramData\AMMYY\aa_nts.log

Filesize
30KB

MD5
dfaf4dd820cfa6e7d630c691d259f83c

SHA1
96b6d319a8c1ee9d2f096e974d555f7edbe9bf0d

SHA256
de4efbea12b059a523864f86af7a5486f1ce79b16956839dad3270039bcd52eb

SHA512
82b70acd3c8645af77765adbaa9e90b9a39d44da2b170af2acaac0ce5c7d99970fda95cdefd53ce78194d08ae28b65ac55b5af2a812332bc4a7bb7373764867a

Download Submit
C:\ProgramData\AMMYY\aa_nts.log

Filesize
4KB

MD5
2acd910f55c1ad33367c0fbc177780dc

SHA1
b3c61063fcc1c9e3bd4e04ca5419f82a7ec51139

SHA256
efebf7af0030ef7ab044f36a5c78a8e4bca62bf47b9bc72aece5395c69d4ca57

SHA512
4d4d53c9ce73d51bedd657408fa0ec3789ebdb4996161eec91dbf8b167243f249daaf47e92415050ba2da886402e49a83e8cac350e56ecf05e13c10a1603b248

Download Submit
C:\ProgramData\AMMYY\aa_nts.msg

Filesize
46B

MD5
76038623e270f399769df67a3ed15c16

SHA1
ebf7d7537f45738be48e6f64d59c846b13fb4334

SHA256
4dbdf4f709d50f9521e92ce5f7d4f305e2384bcda387fb2b325ff17d205bb687

SHA512
a5316694d844e5b10c589f58fdf65645568b3909b2914f85c99195f9625e4124f787bc0980cff98f1e8289ff84824620a03f32cdab18e5bbcb2e59b33f397aec

Download Submit
C:\ProgramData\AMMYY\access.log

Filesize
330B

MD5
61ac42c4c70e2bc194b7f76342efd1ae

SHA1
dc532e1020d23ec64bf0d2859fb6eb7a61e6763e

SHA256
d912636e72209ecb6ed8615db98438ad9a5f6fde3e0697be0472e11caa5fd226

SHA512
2f5b594a188aa8040ce9942a6aec85bbc6596d61bc9f4938052a77f4d531144c0fdd93869371b69b5d7d2d98be20782aeb6ace9c60591b83ea97bfadadd0d6d9

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
334B

MD5
50efa7fdb51c22c52b19842d38440921

SHA1
60e6479dd6a97581be1b8834d57f6cf58cb43508

SHA256
bf2afc8f0fa88252352bb97f028aece439671a2833f68676580e82767aa44868

SHA512
03d6a514f4bb281b058f30574f25abf51819fa9d7f1e685093991096d8f74a4e7b5a43c951a03a2f9f5826fd84c643550e15c7ac21ad8c6db9c0c06747d72ff8

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
334B

MD5
722ffcf5c7e39904828a38c55a4ec6e3

SHA1
9a6377ace8c9d832e9c97a99195d23fa020d9d9e

SHA256
86fb72a72b281abe94328280d04215a98ef2f404afe4cde0da261feb25dabb2b

SHA512
25ede442a14fb4c46c91fb54b0e90203debc479e59f145a11926e793ae00422bc694d688d6e1508708edf20c06f951718ffe6b22f24dc9b9d05a41a81092e38e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\55a01c76-5e19-43a6-9e60-21c9853a5a3d.tmp

Filesize
8KB

MD5
0d935e85125c0f81b72be176cd47d80a

SHA1
5bac6587cfc4f7ead55cdc4e494ea1bc437a7958

SHA256
51b901a5fa34da9a18cfc8554caf637a3fa7613cf2ac1b099b058417d46b8078

SHA512
d8da69c5a07fa503b26a6fc64f428d7f7d64f04772d7f59e3dec48e6d460f6eb563b60e543ef7b1e6a0fe7bcda3e5279c0c94aace2d47ed65ab44eb6b53cacf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6de585e2-83e8-4a0d-9e8f-ab0c8233ccc7.tmp

Filesize
8KB

MD5
2742b50b61fb3d3f86303ea204edadbb

SHA1
5f2b78ead11e8ad38c45ec93795a233bb0d2d394

SHA256
0badccc03bad92518e734bc4ab6479a171d90a9c98e0bfef859bfb16d5d9928f

SHA512
3c74b79976acf9bbccda98b4e7b77831112f4e4d10d8dcd005f2d07866d39fdeccb15f3e3ce8d62a870ea8a61d4d7decc734844a2bf22f9961ac961d4398f6f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b095122759d36f69d688b3c0de9c8685

SHA1
ef82feecf355ca0fd5f6ca0cf4cd788e4f8124f2

SHA256
b0208bb35b5c0519e5fef5f06ccd1dff85474ae0a0e04c868c79cc1bc9f920d2

SHA512
bc634985abe176c61be431b95ca7bef95ac7628d21bd72fdba340860ef4f54f49b7397e7c81cd4c3ab4e9141285f355667c89eced10bbf8a049090fa23eb7632

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0404dcd5388fb519101295c03d0fe4d0

SHA1
bb390035e2cda7ba0db1c3389795c013e992be4e

SHA256
40b92fc9a760f4910a5fa50f7791789aa64eb1c890a3b4380e78099ecfd4dffd

SHA512
82a4b765a221021f4a497445fefd90d70d25c284516f2c8c6c78d457fbb4b58decf3031ce04f0bb768bb1173e69277c6886f52272c63f41dcae7dcaafd14d667

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
bfd342ffc6c9cc42d9e37a297bc1830b

SHA1
e25918c6a52042297d1a9ab269d7fe08b2e70a7a

SHA256
e87ebe4cdb2ebec31a27540e0aba87708ef384235b54e6b7420bddfc194a3476

SHA512
be1d7bae38464cc0143d422850e63d16b757bcb6d7ca8d94189e9b783e7fb3325df82c57fdc712a45d5781a547b145fab3fdadd9a4e8689c0108a17fc3bedb40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7be62861ac46931efc8dedb5098548d5

SHA1
5e62d0025b6e5e458c4fae0534326776768ae905

SHA256
ba2cfe6fb46583db1fb69f87219942af68368ea47373fa4ca379dde8bd10727f

SHA512
bc13f302b23beb9b5b69f005eac508033530827e2697719becd497e745299394ffa05fcc5052d35bb0818658d7b5ce53db6cc5d103293d887cd1ae4e3c621b41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d9e7636c7a6908fff7393a5878bd29b1

SHA1
82a8653ebe3361e38b61215da9ca8030ae7957fd

SHA256
f7c71202a1fb509437470dd70a52212381c0bd6d8f7ec7cfdce51abc20c115f4

SHA512
85aa1fba7f9f08c60f76dbc7bcde4689bd982318ae491e19d6b0c5fdca8741c4313b6cf391129abc2a572a9eec67589648ac890e65cd04e6594b81ee87f19aa4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
461abcb328f266ccd1926c4a50d9cbd7

SHA1
fde43465f7a9680eedf279309727bfaa0d783f95

SHA256
782a51b029e47fa318ab5f775da721250580077bc4cead3d48d3328a8e9e28b1

SHA512
7c4cfc126271540e5670761f19268a0b2a3d5783b9cdb8fd86687b8bb108e5a3304f2aa22857e238d75a4431f84f2d9254da1bee478de76512349c2f388bc62e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fe051138848e74bfc9c9d2fec4ce4797

SHA1
718b9dd639fc8d0f6d5c9e0b97ac74edd6d61b16

SHA256
3990f87df9a53a7d15a5981404c8e7039a5f2f4518a537efb2451698467bc41e

SHA512
b2e58e5152306a74aa7de14e81f5b7e135973184a616a9bc2c2c3542b451293252774df29045292f638c37c966e772480fe17ed1cab57505f619488b73abfd83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4e6175bcb4220f80775ed68d0f12261c

SHA1
f0cdacf874e5db0983b4e9c2c878aff3f1ae2375

SHA256
c199f3fdac7c9462049ff5cf4dff167ca2101a1d05b31c85652e94c7c6c9a435

SHA512
e64f652d74e33118ec204d30bb3da7e4e08f26395ad962b0a9e87303cd952c0224cdd424d886ca5895bcd13c97dc0f0c85cca88384aff39d4eb449aae29a455b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
22ae11abf365d30b8a84dfd497e63dba

SHA1
f50a1a7af560bf91cafba1b6efcafb779a3d85a3

SHA256
0fdabce9af785f96cba6c9d0bd27f151eb5b537d755b789d07b46f178282e7c7

SHA512
aad4f6d549d2f02589c9e37b9a46995e8bb0009777d5e4fc210381f3724ecc334393013e11030dd9652eed7bae2c644d118f7e6933a4f2b190432e1c738eb0c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1dcffb0cd9d85ca7168baae197db4291

SHA1
5ae96a013bf8980d3675fa5be076e346958d9a68

SHA256
f86b55525a7ecf7bf1629a525d5076d15cc96058765b17e4ee7d83542eef2a54

SHA512
df0e1aec992184267025e6c4cce1dbde0ee1d7485968d5dab490c5794d470a22bf2de32dbe938cad2af8b24bf919828b6b1964f2f0b2515494371cbd82d58ecf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
adf0316b7797e42221a1c49c1e1449fc

SHA1
406c9508f2d092491569102a1804e60358a3c964

SHA256
c3b50dcbbffdec31651814660fc27eb89f184ee77055ba8c8ac727407e9be1fb

SHA512
ae0539659c5ae53958bdb43dc81acb8a9cac80ea52c3ed53c6ad75721b1582907dc2dc0f630fe8ded116b5f74cd8d3da53d3d089ba17399d71e32264ab8ba961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
57ea135dbaf29a4ebe391422e33d0afa

SHA1
bbce9d20e1dc31aab5eeab33acf3909d5eed37bd

SHA256
2e7625d1c05ac4cbad241c629242fdf7f556e62a24ed6ca505523f761c613092

SHA512
a26c8aee29df25b1604a1ced0a027aeb96018917016cae6ed7c1e529164695b83d7469c0ae2416528e84ef0f4886257666ce5e7db84f95f78a7277b87ac0eff1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
507ab213f82ced23ca7447163365557f

SHA1
fee5efefae62a2b31929392645c3c41ad0c7c0bb

SHA256
91b6327f784e5ce81f9a2489bbe9622b7e3cd32a6692772047a65e3311c32277

SHA512
daf61ac83278fea37eda05bd3eb58c4c6ceba5068f16611376d7917645ec40ce1d6af597feaef599343a698838007b6364f71be688a9b5ed7dd22996356201bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7af35f0e810e514814731c30d27be1d9

SHA1
fb08018eb96f7573ae7c173a8d38cf4ee51565ec

SHA256
14a0ce189c0b936b3efab0a20eb28f43df37356ed896031be9dd64fbf0498f0a

SHA512
d4b33be002dbcc83499eb4a78c31dfc19af49df3baa09c49959549c06a2a91f73659af2ea1f2504810b0c2a91a7f897b2acd2bbd1a302fc7449d0a7376b2c4ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
25f1cce55e236c3b55076e8781b06ff6

SHA1
c013c1b937c646ee958a4b26892ad4813559d643

SHA256
849b83052c328845d0ec0b6347a835122324ffd95a4fdceb002ebbcf260b42b9

SHA512
fcc88ef58f6578b14d74b661c9f35a30f2d4beada2f9381e495a48426b0baec30e35dd47337314fb81961d337517c829317b00b89c159fbbeee2cec181ad45a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
be3d869bf98a905096097d24dfc93ec4

SHA1
32d7e377bfd3b6c3d801f3d88798a9e6c5d8f638

SHA256
9b7253dc1d046ffc2ac35644ce065245bcca5f5699369e6c741d6d4f4364fae1

SHA512
dbb04972960bc8c373ab92dd552436b4e09e973a5130dfe6bbe3ff4b36f2db8be08324223899beef57523ba2e4d9ddb56dd696fa04f3ff5871eab96cf93f630e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
65ce07dbad7ee220984f877e8605f667

SHA1
ce096b7122abb01d6afdf896a9f8ecbd8259086c

SHA256
20e1e5ab41737f04ed42550e30728855f9295002e5d62e84276d10fe8735ce9e

SHA512
9174c6638d3f1f6deff9909224ce393a717801943084f955c2ed122315ee28f78e462f1fde4b70ace6d88fb092196d8096ea1bed219055ea5b0d7245b4a53809

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
20d7c95841aef4026aca4b15dbf8f5b7

SHA1
b688e87e904ee421522fcb46342fa0d53136091c

SHA256
56e2e788f6ffaddadaea027800ec7ec1b9e75287c94c5ab5d60b1f841b60887d

SHA512
4c298f17e1d5dadea78565e00f1eb95859c1f4f001e8a030ab30030bc5004a4d2832daf1b9f188cba4fdbd91996dec7f8271b38871f074f28d08c7cb08e68f95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c5a7d7765257b0067fba54224d20d5e9

SHA1
9788916e91cd57156037459d9de38b8881233f10

SHA256
56b6896207a307231e831f77e043bc5cebd5452f58ff11a1c21865c5ce1ccf4d

SHA512
d93a843d76af58fd9a9ad64f0a4810ed6669db9288d27f959b9ad173e799d328b691f863678e50cf0416c90f93768d02e13baf77305287465fab00adfcbd3ea1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
40e9ba5cfc9067597c074d78717e4200

SHA1
bcfb0c6bebf2990463950908c04aa1b14740f037

SHA256
047cfd00badd012940ee8e3ab8cf427b32d259ed03e717c0ef28e6835460a886

SHA512
c886f4ec15010d361a42309fca7b66f09bf234be6409fa5239b42dfe4a68e8b25c3424f7b3de4240f477050372a7c4071bbd9f7452916e0944a6cbebd46ce84c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d6dafcea148baf17e438894b84189457

SHA1
d39403c49d8bf6cb23dbae806fa614435b8804b0

SHA256
aaaaa7d5e35445c13b644a56787509c759c8dfe67146893b68472cfc7c3e5491

SHA512
560cea7f460f43e253b5deac09cd4cdd421fd3c34638d6402fca89f04fabed4878a894e723b0914f2d4a06f6a56b9e6f60ab201de93dc1d0da081d33ae1750e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d4cdb2ed604a8275098c112674a0c4e3

SHA1
62472ef5ea79bae5626ec22fe111f5300f3e34be

SHA256
188d008889f2d23de4de6a0965156cec94dcbd9c1ccd150e3eba0dd38f26f4dc

SHA512
daf0438a888c4bf28154e318bb6ed9541d56ee57aba9cc842a51122738fced12be9c9c690912df8f4005d908ac9633fba605b228b77581dbfcd782037af95a17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
b152a1a956de53bbd80166627a3cac2c

SHA1
b20dd0917233048158f47fea82e387ee69fe5150

SHA256
06a9dacb93cd60eebdbaacb1fbf329ec1005ee032fcd2c5b2064f89f8bf820fb

SHA512
3217ab98f40c2d6e00d4ba78b373408b219602eab1f9b8dbc3937128713e108282dd050b6355be60712fcf70e3776aacd99c19d5c462748697b029415bfd4579

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
720c82760c6481459e97db40b2b96618

SHA1
f40d92902f126d857f1d260f5662e24ec8e3f3b6

SHA256
3c70fb8149f646db9b485369cc510531e47fb344f93f14b0acbf66da8a5dc6c9

SHA512
695c809cfe8c391b0b77394834d6443d8b3da9d99509b0bb05862d670844d88a355a1daba30d55d8780b19eaae7d061895d776d3f02a95787615741139342ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA_v3.log

Filesize
171B

MD5
06628dd9c5b11940ff00d9441b8d9bf9

SHA1
8de5a66c38aa1bd11b2d6e02faf6f45cdfca88bd

SHA256
a7c9c25dc6c38ab792aa8556402ebbad7e1998e560f6bef486c0e792642e60dc

SHA512
3f908b01d118f766bc6f8c599edccd3b155caf2429f0e7620fd56859adb50059c72a0e72b6c20a0439bfb53157303f5c59563137369c656269ea8454d37f819e

Download Submit
memory/2024-688-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2024-591-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2024-623-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2024-643-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2024-669-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2024-469-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2024-535-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2024-720-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2024-563-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2024-749-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2024-515-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/3484-433-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/3484-17-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/3484-42-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/3484-89-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/3484-132-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/3484-160-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/3484-179-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/3484-266-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/3484-405-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/3484-377-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/3484-216-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/3484-345-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/3484-236-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/3484-317-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/3484-299-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download