hawkeye | 6a75dfbdcc675d767cfaf741b25ff3e2527c6e9336febe0fb5b5a737a17d2c8c

Resubmissions

30-08-2024 15:01

240830-secv3s1crm 10

30-08-2024 14:58

240830-scf5qa1cjn 10

30-08-2024 14:56

240830-sa1fks1bmr 7

30-08-2024 10:49

240830-mw2yms1gjr 10

Analysis

max time kernel
360s
max time network
315s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
30-08-2024 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caaf6e830cfe28f4cc5b097ab52d853b_JaffaCakes118.exe
Size

328KB
MD5

caaf6e830cfe28f4cc5b097ab52d853b
SHA1

89bf48299ea7792e6891dfd267ad6013a34d307e
SHA256

6a75dfbdcc675d767cfaf741b25ff3e2527c6e9336febe0fb5b5a737a17d2c8c
SHA512

f5cf19ebf5a7ac7a14d8dc687df01d377653cab18d6c03228e0850485d0fb6d49d764eadef4ce7772a75655f62343f5776336ac42995edf592b597a69d45b451
SSDEEP

6144:pfe6Iq7LZgKRHNpfHb0AmhpJuxTQCIQHCZn5FBFOepDZzQJj/G4gx:JbZ7LZgSNpjsJPCIQo5jFR6jEx

Score

10^/10

hawkeye collection credential_access discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.gandi.net
Port:
587
Username:
[email protected]
Password:
@@yahoo.com@@

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 7 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/5776-27-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/4244-38-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/4244-37-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/4244-39-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1960-41-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1960-42-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1960-48-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/5776-27-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/4244-38-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/4244-37-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/4244-39-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/5776-27-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/1960-41-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1960-42-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1960-48-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Executes dropped EXE 2 IoCs

pid	Process
2592	svchost.exe
5776	svchost.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Load = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DwiDesk\\svchost.lnk"	reg.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	whatismyipaddress.com
10	whatismyipaddress.com

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2592 set thread context of 5776	2592	svchost.exe	86
PID 2592 set thread context of 1384	2592	svchost.exe	87
PID 5776 set thread context of 4244	5776	svchost.exe	89
PID 5776 set thread context of 1960	5776	svchost.exe	92

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caaf6e830cfe28f4cc5b097ab52d853b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133695035820144328"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2592	svchost.exe
2592	svchost.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe
1384	MSBuild.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5776	svchost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2592	svchost.exe
Token: SeDebugPrivilege	5776	svchost.exe
Token: SeDebugPrivilege	1384	MSBuild.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5776	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 2592	4060	caaf6e830cfe28f4cc5b097ab52d853b_JaffaCakes118.exe	82
PID 4060 wrote to memory of 2592	4060	caaf6e830cfe28f4cc5b097ab52d853b_JaffaCakes118.exe	82
PID 4060 wrote to memory of 2592	4060	caaf6e830cfe28f4cc5b097ab52d853b_JaffaCakes118.exe	82
PID 2592 wrote to memory of 2204	2592	svchost.exe	83
PID 2592 wrote to memory of 2204	2592	svchost.exe	83
PID 2592 wrote to memory of 2204	2592	svchost.exe	83
PID 2204 wrote to memory of 5376	2204	cmd.exe	85
PID 2204 wrote to memory of 5376	2204	cmd.exe	85
PID 2204 wrote to memory of 5376	2204	cmd.exe	85
PID 2592 wrote to memory of 5776	2592	svchost.exe	86
PID 2592 wrote to memory of 5776	2592	svchost.exe	86
PID 2592 wrote to memory of 5776	2592	svchost.exe	86
PID 2592 wrote to memory of 5776	2592	svchost.exe	86
PID 2592 wrote to memory of 5776	2592	svchost.exe	86
PID 2592 wrote to memory of 5776	2592	svchost.exe	86
PID 2592 wrote to memory of 5776	2592	svchost.exe	86
PID 2592 wrote to memory of 5776	2592	svchost.exe	86
PID 2592 wrote to memory of 1384	2592	svchost.exe	87
PID 2592 wrote to memory of 1384	2592	svchost.exe	87
PID 2592 wrote to memory of 1384	2592	svchost.exe	87
PID 2592 wrote to memory of 1384	2592	svchost.exe	87
PID 2592 wrote to memory of 1384	2592	svchost.exe	87
PID 2592 wrote to memory of 1384	2592	svchost.exe	87
PID 2592 wrote to memory of 1384	2592	svchost.exe	87
PID 2592 wrote to memory of 1384	2592	svchost.exe	87
PID 5776 wrote to memory of 4244	5776	svchost.exe	89
PID 5776 wrote to memory of 4244	5776	svchost.exe	89
PID 5776 wrote to memory of 4244	5776	svchost.exe	89
PID 5776 wrote to memory of 4244	5776	svchost.exe	89
PID 5776 wrote to memory of 4244	5776	svchost.exe	89
PID 5776 wrote to memory of 4244	5776	svchost.exe	89
PID 5776 wrote to memory of 4244	5776	svchost.exe	89
PID 5776 wrote to memory of 4244	5776	svchost.exe	89
PID 5776 wrote to memory of 4244	5776	svchost.exe	89
PID 5776 wrote to memory of 1960	5776	svchost.exe	92
PID 5776 wrote to memory of 1960	5776	svchost.exe	92
PID 5776 wrote to memory of 1960	5776	svchost.exe	92
PID 5776 wrote to memory of 1960	5776	svchost.exe	92
PID 5776 wrote to memory of 1960	5776	svchost.exe	92
PID 5776 wrote to memory of 1960	5776	svchost.exe	92
PID 5776 wrote to memory of 1960	5776	svchost.exe	92
PID 5776 wrote to memory of 1960	5776	svchost.exe	92
PID 5776 wrote to memory of 1960	5776	svchost.exe	92
PID 228 wrote to memory of 1472	228	chrome.exe	96
PID 228 wrote to memory of 1472	228	chrome.exe	96
PID 228 wrote to memory of 2828	228	chrome.exe	97
PID 228 wrote to memory of 2828	228	chrome.exe	97
PID 228 wrote to memory of 2828	228	chrome.exe	97
PID 228 wrote to memory of 2828	228	chrome.exe	97
PID 228 wrote to memory of 2828	228	chrome.exe	97
PID 228 wrote to memory of 2828	228	chrome.exe	97
PID 228 wrote to memory of 2828	228	chrome.exe	97
PID 228 wrote to memory of 2828	228	chrome.exe	97
PID 228 wrote to memory of 2828	228	chrome.exe	97
PID 228 wrote to memory of 2828	228	chrome.exe	97
PID 228 wrote to memory of 2828	228	chrome.exe	97
PID 228 wrote to memory of 2828	228	chrome.exe	97
PID 228 wrote to memory of 2828	228	chrome.exe	97
PID 228 wrote to memory of 2828	228	chrome.exe	97
PID 228 wrote to memory of 2828	228	chrome.exe	97
PID 228 wrote to memory of 2828	228	chrome.exe	97
PID 228 wrote to memory of 2828	228	chrome.exe	97
PID 228 wrote to memory of 2828	228	chrome.exe	97
PID 228 wrote to memory of 2828	228	chrome.exe	97

C:\Users\Admin\AppData\Local\Temp\caaf6e830cfe28f4cc5b097ab52d853b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\caaf6e830cfe28f4cc5b097ab52d853b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\svchost.exe" -n
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\svchost.lnk" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\svchost.lnk" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:5376
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5776
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      4⤵
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:4244
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1960
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1384

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd7d5dcc40,0x7ffd7d5dcc4c,0x7ffd7d5dcc58
  2⤵
  PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1788,i,11547238997200667559,8298927338907555353,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1784 /prefetch:2
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2100,i,11547238997200667559,8298927338907555353,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:5472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,11547238997200667559,8298927338907555353,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2564 /prefetch:8
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,11547238997200667559,8298927338907555353,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:5164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,11547238997200667559,8298927338907555353,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4436,i,11547238997200667559,8298927338907555353,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4444 /prefetch:1
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4728,i,11547238997200667559,8298927338907555353,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:5852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4780,i,11547238997200667559,8298927338907555353,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4856,i,11547238997200667559,8298927338907555353,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3552,i,11547238997200667559,8298927338907555353,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5252,i,11547238997200667559,8298927338907555353,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3444,i,11547238997200667559,8298927338907555353,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:6132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3336,i,11547238997200667559,8298927338907555353,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4220 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3440,i,11547238997200667559,8298927338907555353,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4460 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5420,i,11547238997200667559,8298927338907555353,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5708,i,11547238997200667559,8298927338907555353,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3412,i,11547238997200667559,8298927338907555353,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4400 /prefetch:1
  2⤵
  PID:2380

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2280449e271f05d9e232295beffb8a30

SHA1
86cd61f3e163d2d07e5a9c489a1806d1d9f8173e

SHA256
b7aa9ee43c6e15833e69faa09935a19fe998accf0df58a8d8329a4cde2f48761

SHA512
72ada4a52b19b3ec1d87e4ae816258d78435ae8741e189ef2b359be3e51f76b583766f9242dbb82f4dd5da04ab984bb36979523f0a41d64398e96853b9c03a18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
211KB

MD5
e7226392c938e4e604d2175eb9f43ca1

SHA1
2098293f39aa0bcdd62e718f9212d9062fa283ab

SHA256
d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1

SHA512
63a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3664cc056ab8e2eb93ccf2a60a703175

SHA1
cbde2045a6ad00f64c9b7c42aa49bcf54e787d7e

SHA256
1c7fba209094748df12bc12e826528c1a7601e6a53e316715df3d4cb8db71dbc

SHA512
7cc63c9d44c581e76ea020e8675095a0b8fc807e01bb27deab3444fdc68971114115e1302e1c003a66f35c99a0f5a74d08ac1f7d78df434cf7c1f07627a85fc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
fafbdfb3757a16a2436f2f8d1a319b78

SHA1
e8942dd51047d9363635486b19ca365d28ee74df

SHA256
18d65e47a98645a8ffadac6e97995f803f6dda8c93f8b0f43c8e82e426c6edd0

SHA512
ef323e06c4f4d08966e49bddd0fbe5d1ceb4987375270595e99788b98c0e5b7b86d5d0ec4d6c555f461451de1576c5d0ee4921cdde2a2a792194cd32463634f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d3dcf96074c22dbd72bb5bec38e05f40

SHA1
64cbe1c1d8971f31802bd17d7e1362897aad659c

SHA256
c0480627432a4bbc804a92013e0c9ddaa817c7e5e910d83d8414b234fa6449b6

SHA512
2c906d985f05265d9f857585f6ab61fb99126fed8ce61eafec91b45de5d87ece17a40187e07987b6d8a18264018edb46c3fb47f729f81276440f6fe77bf3e7f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
687B

MD5
5438244cadf0a02dc0fa47473dc64539

SHA1
71c9a1320d92e38ca6b3febaa6e9e5226de45a60

SHA256
20ac7157a8fcdf25b63de2f6c2bddb24345d623c4a26168e2c126aa005b8a826

SHA512
f2445a6930ffcb5984a0e2c857c5ff4a105060b7eeee86667204837182282629e35d09866766e2cbd3edcdb208e0803395196a2b9cfb56c42acc453a4a789739

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1022B

MD5
1916d786660016ff26d72528cb40e40b

SHA1
e5279be659a9534bedaab3d371c373fe8422474c

SHA256
fb38e7749d747c653595b8e0cbf503a4942ebcbd3631dd0ffee11273f0e062a7

SHA512
0f323f51f4b372bd6853abfe101086235161df02213ab9e39391794ebebc8acd958d65cfd71921421b180351095033a84bbd11109905e070f3700139c3f73e4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1022B

MD5
b634be34802f19b095b195f58dc5461d

SHA1
2eb5240cfb608d5a9369070a1b22837465791801

SHA256
68e4dd01b28e991f8ca005ac8e5457be604010e2df95c1c3ba3a75d0bcdc69c4

SHA512
74130b3e899fd02487307190582696eccf7e5806c7034561dcb870ad06d2846d4e4b30e2747dcdf149249801e417244f47f395059870c442451f55f8be62cf39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1022B

MD5
e6f86136e2603fc6dbbb698e3ed88bca

SHA1
e2fcf7fdcb2644bfff3543a642f6ccc875e40016

SHA256
22cd759544c1c9d5d3bbbdda5069c3334af09f082d7eff4de6afa2e5d998782a

SHA512
8c65d72403591fdedbd7aadfc9102daaf2f16d5a6ccf3221e0b651a3b0f6561a9f4a973f5d2e071dcc157598ddf2849ed90b561c70c8fdc649f87b4fb59cb19f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ac6e58bb9e6809f5cc360bc1c31c1681

SHA1
6ae262e9fd18613c53028456e396da0af84ac55b

SHA256
5566d04360ad1978da2f8cec8a5eead553458ea2d2c475c03743fffd8a1cb9d1

SHA512
4625b70f70ca6e12fa6bcb7faefbb2330d39f36457acdd4896188b0b0907751f41466bfa44d93fc5e008ddf1d5a1d1222d93e226197130da6b85208046e08a0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6a73a82f7779884d370e454693fa3ae2

SHA1
1782c63110072c2f73a3ff6ad27745dee3b4a1fd

SHA256
f925873ffccc450ee5e754114927ecd49cc8a711240d13f84dbabbd37fe4ed21

SHA512
ec923e326c4289308186065714252af9750d85a1e5ba27c271ee9b962b633bddf06417b7a80ded5a0a18525efab672e06db4d36648f35036c8984a3b22e73532

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1fcac4c9b147efd1f5efca737f2ccc29

SHA1
cc2bf5e8282ec220498c623beafb5aa2673af9c2

SHA256
6b45dc732fcdff29f094dbc5422d6d16bc7008037c55a0cce851d6d6b6c4bde3

SHA512
8aae453f9802593630aef13704c5a7fcae434f4e0b4ad661eadd5f9277ce704a718dce84a2b8713aaead6c3e5e610de8ce754cac78e264b39e620ce73a743a2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
12c053e1c9287600d0eec631bd4dcb89

SHA1
167f696b464e96abbce39b136e4519294dc8608b

SHA256
969583278f0e0a55bcd06058d15e1698ecbc4efc51ba3eadef7a987dbf68643c

SHA512
0522062238e4da4a2457346c1066a5dab8b452d96ece31384c5350555642eb9458df88b265f55de7b2ca6b3e88005831dfe9d95f1c52c7d0251bb0a18aa6f0d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
43da5703e97cece789b81022e7c504b3

SHA1
e4bd1aade65024e1ee077999dcf034c38f98249c

SHA256
b102a18f28651988cdfa9dddf4a9bdfa79c11983cc7a5b099c5144b6dd218430

SHA512
b8638dec31fe803000f252f67dd2c6b310510e222497ed572075f1332f1474e1117020e779ae987a8c07bcbdda5904b0c3e8c4381380e66e7e3fa74119693760

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c4b4f0577d8a8219d1240867324875a6

SHA1
e2215d80226d6a9a04106b4bcbcfe075267040b5

SHA256
d206dd02358ec885d59498af39d894d37974eb2a7b8472b66e8374ffefa9446a

SHA512
75ac3e395b0c0f9f892f34d160a5ec2bbc0504d49066959fe267899d88961fc8ec4612542d15e79c7d8a214d9cf1516f316799c918a94edf45df484d54f2fc5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
87fea88678568342b179f45ac3208db6

SHA1
efbbb850a1b059caf04dcc62ad04476b0dd49243

SHA256
0a427ab6691616613562dcf23f897917bbbd5407bc411b537e168fdc7dbd0791

SHA512
6be1bc4a715de9255eb50d595cc40e0760cd83e0b811fef156883e2f327a33d6f203e9b91ab8fc403aef9439cf5b3c0e0227936753016cd195940b918cbdd210

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
2db40cea804688713a033c1b1e0effc7

SHA1
7be0b8905e25bdf9d397632da88ec2a6f53f898a

SHA256
be696129a9188200ad8e4d4482e9046101732fc1e516af3a97c254ddc172ce0a

SHA512
877245a2883651a14c683c2bef6c3b1a174f0dc1444de8cb29c58836df8ae276acb0ea711f9abe41dd66e316528ea3d8029e5ffa58c784fda148760db5c245ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
20378f099617cd800324007f4f6ef617

SHA1
84f43bd6940f1209c82670282287d5a25983e496

SHA256
b54a1cb9ea587e2cc340ef52f20b2c11636d94a2ec940968e49c23f556da00d3

SHA512
84553ad69bdd848a3f38e6ae0cc8cc739cb7bf7debda6010cf946349cb85fd94c792bed0d89270efca2ebc3e2f22874b792aad0a30f2321d7878eb01fad14aad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
09a3299e1b4a09521555a213795f9504

SHA1
7837b70586d73d034389ce36b9ef3b0b62566f6c

SHA256
a852eec4297ac879418bc20f7c5310184f296140cf94d5b739a107be7f1949a7

SHA512
3792f3944b5c09e528cddbe431c8e7edc8a25559ce4c9b9334d9927b308497f70b76ecddace1c821bdf6f944afd14f4156e35e4d52c4784f76347ada8f154c0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
539fe9aadbfed68afe596b3c6fd0e772

SHA1
66580221c88a91b603ce3c7ca048593096637098

SHA256
b98f56796c9a49ca2ec1a7b33aa47ce910585107cd88f15abac549f4f75e410b

SHA512
e23bd68615c9bc32462d9cd4ccd4c76c534d5669056b9c3805e3ed17917a818cd1811b2cc3d36cf4cc6ce96a7cbab328fd901d163668570fe5c3c07585992ca7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
1dc9ff44eb52891e254579d9bfc9b229

SHA1
d67b8c6816f136049b4e43c76e4ddc51c5ba7479

SHA256
c102c71b51442c0e2f0263a0165e0bf6b567d906e917bf3fe16395f377488171

SHA512
07c4ac18793bad7e97c3f67876d288a8e220f5181fe6a710f9c4c64a47621cd4cddd0c515a774395e19c4fad672979971028d2d80d067bcdc64a5496a7468705

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\fl.txt

Filesize
11B

MD5
d1c56374fff0243832b8696d133b7861

SHA1
f4d236fdec2fd03914189c3b26e5cb0dfea9d761

SHA256
8e8eab0b4bfdc35c5f238935b81298e43970ee6818e9629d725297ebf03838a6

SHA512
e74cbfc425b9779b79dfb6b53dbf3d1451f9f35a766cc5167932b95c9bdb5288b65f9886fbdf3c3b180bf3a8360bfa1ef577b63e3443cae04b49e7ece433c452

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\svchost.exe

Filesize
328KB

MD5
caaf6e830cfe28f4cc5b097ab52d853b

SHA1
89bf48299ea7792e6891dfd267ad6013a34d307e

SHA256
6a75dfbdcc675d767cfaf741b25ff3e2527c6e9336febe0fb5b5a737a17d2c8c

SHA512
f5cf19ebf5a7ac7a14d8dc687df01d377653cab18d6c03228e0850485d0fb6d49d764eadef4ce7772a75655f62343f5776336ac42995edf592b597a69d45b451

Download Submit
memory/1384-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1960-48-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1960-42-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1960-41-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2592-40-0x0000000074280000-0x0000000074A31000-memory.dmp

Filesize
7.7MB

Download
memory/2592-24-0x0000000074280000-0x0000000074A31000-memory.dmp

Filesize
7.7MB

Download
memory/4060-23-0x0000000074280000-0x0000000074A31000-memory.dmp

Filesize
7.7MB

Download
memory/4060-1-0x0000000000110000-0x0000000000168000-memory.dmp

Filesize
352KB

Download
memory/4060-0-0x000000007428E000-0x000000007428F000-memory.dmp

Filesize
4KB

Download
memory/4060-2-0x0000000004C20000-0x0000000004CB2000-memory.dmp

Filesize
584KB

Download
memory/4060-3-0x0000000004CC0000-0x0000000004D5C000-memory.dmp

Filesize
624KB

Download
memory/4060-4-0x0000000074280000-0x0000000074A31000-memory.dmp

Filesize
7.7MB

Download
memory/4060-5-0x00000000050E0000-0x0000000005138000-memory.dmp

Filesize
352KB

Download
memory/4060-6-0x00000000056F0000-0x0000000005C96000-memory.dmp

Filesize
5.6MB

Download
memory/4244-37-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4244-38-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4244-39-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5776-27-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/5776-29-0x0000000006100000-0x000000000610A000-memory.dmp

Filesize
40KB

Download
memory/5776-30-0x0000000006460000-0x00000000064B6000-memory.dmp

Filesize
344KB

Download
memory/5776-35-0x0000000008180000-0x00000000081E6000-memory.dmp

Filesize
408KB

Download
memory/5776-36-0x0000000008D20000-0x0000000008D28000-memory.dmp

Filesize
32KB

Download