blacknet | 58c9a0462180ac23497f469c0eb5cdd07939b3a7655ab11d0273b25b4d49e584

Analysis

max time kernel
509s
max time network
428s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
18-09-2024 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

197KB
MD5

6612bcb3e74a6e0441a7745c9330469a
SHA1

81fd5bfcf6744ebe55d6a44ff57f0ec48e30eb1d
SHA256

58c9a0462180ac23497f469c0eb5cdd07939b3a7655ab11d0273b25b4d49e584
SHA512

4bbd910754a4a3c7d975c6274e58d4dec450aa64aef0a2e726f707b62b8e9fcb47f3faa1b0e489cda1bff64445a88f406a95eeec1e8449bb93b64e8de9a69d2a
SSDEEP

3072:2p2woC4ftIt4cTYB+eztx3be/EKymFnaT:0BO6S0YB+eztlboQ

Score

10^/10

blacknet pwned defense_evasion discovery evasion trojan

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

Pwned

https://taxiforyou.org.uk/blackbot

Mutex

BN[]

Attributes

antivm
true
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
e162b1333458a713bc6916cc8ac4110c
startup
false
usb_spread
false

aes.plain

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 2 IoCs

resource	yara_rule
behavioral1/memory/4120-1-0x00000000004F0000-0x0000000000526000-memory.dmp	family_blacknet
behavioral1/files/0x000100000002aa3a-131.dat	family_blacknet

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/4120-1-0x00000000004F0000-0x0000000000526000-memory.dmp	disable_win_def
behavioral1/files/0x000100000002aa3a-131.dat	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Client.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Client.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Client.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Client.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4464	Client.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Client.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2532	cmd.exe
2632	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133711740031287587"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Client.exe:Zone.Identifier	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2632	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3096	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1604	chrome.exe
1604	chrome.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
668	powershell.exe
668	powershell.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeCreatePagefilePrivilege	1604	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4120	Client.exe
4120	Client.exe
4464	Client.exe
4464	Client.exe
4464	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 4052	1604	chrome.exe	87
PID 1604 wrote to memory of 4052	1604	chrome.exe	87
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4908	1604	chrome.exe	88
PID 1604 wrote to memory of 4792	1604	chrome.exe	89
PID 1604 wrote to memory of 4792	1604	chrome.exe	89
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90
PID 1604 wrote to memory of 1952	1604	chrome.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80b2acc40,0x7ff80b2acc4c,0x7ff80b2acc58
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,14906038143938691677,9260950329162662705,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,14906038143938691677,9260950329162662705,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,14906038143938691677,9260950329162662705,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2228 /prefetch:8
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,14906038143938691677,9260950329162662705,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,14906038143938691677,9260950329162662705,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4456,i,14906038143938691677,9260950329162662705,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4468 /prefetch:8
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4544,i,14906038143938691677,9260950329162662705,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4380,i,14906038143938691677,9260950329162662705,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4504 /prefetch:8
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4868,i,14906038143938691677,9260950329162662705,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4720,i,14906038143938691677,9260950329162662705,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5064,i,14906038143938691677,9260950329162662705,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5316,i,14906038143938691677,9260950329162662705,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5324,i,14906038143938691677,9260950329162662705,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4940,i,14906038143938691677,9260950329162662705,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3416 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3436,i,14906038143938691677,9260950329162662705,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5492 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4956,i,14906038143938691677,9260950329162662705,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5724 /prefetch:8
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3332,i,14906038143938691677,9260950329162662705,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5920,i,14906038143938691677,9260950329162662705,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1012

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5056

C:\Users\Admin\Videos\Client.exe
"C:\Users\Admin\Videos\Client.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:668
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /delete /tn "WindowsUpdate.exe" /f
  2⤵
  PID:3572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "C:\Users\Admin\Videos\Client.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2532
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 5 -w 5000
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2632
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "WindowsUpdate.exe" /sc ONLOGON /tr "C:\Users\Admin\Videos\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0efed710-ed43-4813-9148-8db43d46dc01.tmp

Filesize
9KB

MD5
06789d64c04a03e628fbf13c66d7c557

SHA1
52127c815623ea06d4a26140e674e1947b932901

SHA256
b9a7713f0bc6546b43bc2b05b97176bbb77892095b526d829c0d2e4a09d5a75f

SHA512
6a5c4d71f2cdd3e47c898d291cbcb689e05eca6f7d6d3345cce4cd1369d64acf139f49b435356e23524e9ba688b5db9b425db4768ebae91a6539dca7ee2194fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\148f0692-565b-4674-ad36-4ecbfc6b4004.tmp

Filesize
9KB

MD5
74817f45576748c8c91a573d40df9a25

SHA1
0e9d9bfe3e6570f44adfaa0eb63e6975583cfa27

SHA256
c0676d411be3e956b84cacc5f52ea66292bd7c9828820fd68b180169e166bfe3

SHA512
18fcfb62a046c94e23d215e9b74b0c3e3d9dbb3c92415168af24e2c16ca05a9d58aaeb6048b6c077b61033776ffbf896660910b7918818352c49aeef56e11d7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
76f5e21f19fd6bcdff630e7a5f94f764

SHA1
09be5b4a285bb4a31e5700de8c8467455c7b40f9

SHA256
7ae9e5e753185f06922bb81091c6dc728c782de0f18ed12c2b39390c7a51991a

SHA512
8a1b83c094732f72665cead8a7e15d067d7ad44805f384c1ace14336b850212d7eda99b39c598f3610849f72f9ac2ce680c8d68652e3dbe2802c01cf1824d5e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
3e8edbb76c4cf6d1cd8e3ad4b6082a8e

SHA1
28762e3943e31d1760c39b40cf9c997d8c06ae98

SHA256
050e1e393572d6cf2843c23540f8d6618a401ba2d58f02d64fa5a200997876d4

SHA512
bf201f4ac77c9384ca205775ef521e4b08f1a9741130c10d17acbd3f42afd391cf38ab3117e1e8fc72fd24c96cbd343fa11396cd39ae07fe0da4cc4921a0985b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
adab24358f5ab0647ee43899d0690bfc

SHA1
bfa1701b335d9509469abf5e9708bc77372b1650

SHA256
d68c138012d44f01d8d134f0fa23cb3cbae722097c80d0907b8c56f97f315406

SHA512
fac52a347c88ac485c3fca0fb57f82ceb620d018f2d18bde79dbc194d7842967bd463803e5ffe124afe8807d50ce08c350a390920b4cda19f6a38e68557f372f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8eaf8578784221354da5ef9b8de3e071

SHA1
a4a365d163caadd02b9cc7ec13208ce6ca2782f7

SHA256
58be8aa22eeab62fb14cf600ad8ae87fbe5a32c0ea304d98c97ff522ff439915

SHA512
7262aec5a58908289357fe71d16c3b46007a5fe478840ac74f5419347dc452f1d12f9a3d713214e60ac7194f2c24c8bc2bc0559f9835226a414128dda8f9b115

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a2e769bfb96c722e69e0f1a1f0d85c48

SHA1
5ae45d82e1cdbfe6b69135873b53228860aca625

SHA256
d1244343636c0e5332d8a31ae12005d037a9fa5aa4d853635fc5592f38706659

SHA512
e046a7b2f8d91f2cfd397acf0ba5ae5b079512b2b2bd19089e9d5841588a1b6101fc12d0c73db8b1e86ca6e7c5706d4d44e892664ea0ca95bd89562494c07de1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
de65b49812c3f3ec2b57b490fc699d99

SHA1
5790cf9bb03512f3a609caf8a74e3e946bf988b3

SHA256
f46fa7a86e780315988ad56fdbc70f8064c5b0523ff0d52e5d704138f1d79159

SHA512
dd2b8db3147dd287cfd817586f0b3b4542fee6a9b6c750201fad492357479a354d2c6c6d04fad322e6588ac258591fd708def07d6c08d3b9b39e38038621dbc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
eeea0ff8f07a7ac37d0d06c2d54ad44b

SHA1
fe8d48029c515c17d1905ce55d0331818df45f77

SHA256
225b0370705b3639aed26dd418838cc51bbedc8b3c6ddd33caecde658dd433cc

SHA512
bae044e8eb820f24c38b6391a1769b362ce1fee213133291f5bdf9db18de31c6f8b68677d4cbc5d8fc61ef9279c681b2eb876ef4b5e4fff270c33801ab39b154

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
254821229e739932155cadace88d8ec3

SHA1
7c540ebee61a1235f4a1d5e900233b055d8870f4

SHA256
39e7dadb679cb8ff8da3694f9e3f80062a85f452387070d9b5134d676ad773bd

SHA512
566462626e888198b173dc66d3c4e821fb7c9bb5f0ef76e648f53f23e74109518a7761033f374ea225c6ee508755f54bf0d9c16a8b475e7366e235459eccf8fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f31365eade6453482c8352873032ef6a

SHA1
16417428d9fb9ecf6368c8cd7f336bf4a8e92d6b

SHA256
32cdcd7cd065cb00a5501b934555e43e835c0c6e078d57d4e16d2a49cd73455f

SHA512
af6da00261919feb4409405d42643328f687ebcb81a569e6b2cc3edcdb1b2fa34b3415d3c3489e059bf801bbd23e48f2baf3f15e5710832c6fe0f79c5a59a86f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6243e13095ff68da99ea9575cb6b788a

SHA1
4d2ea0599d0aa6c1875d02ce51375c49d26ba2f9

SHA256
4689202e4ad2d1fa848afdbbf947d104dce538b92bd1979c4e095d82e4ef252e

SHA512
4621bff0fb6d68d21c6ca20802ecf5ca8450bbe6da62c6239b3a8f1509403e500c5ba881689d0e01dcdb6af504c57a02698313fb155e25fb362d535f74ff7006

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ddc1caca73a9d4b7e8c07c9b33b7d732

SHA1
fa8cc8e21fed110eed54a8448c05a94ccd50bbbe

SHA256
32b67aea22c8ca986f6fb8aced448e2c65792bba3c04eab8f2a9349aff7c7ac2

SHA512
5af4c77a17cb488cc6f9873b8e0db7636b211b02de514e6544d524b064728c827801b74bbcc660a65c596ddd21d04c4c73452a6bc59dda29cce77aac8531eb85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
769ff10e73a57ceff1af3b80023d4b6a

SHA1
47b05a318271972bef5f12652a297f957efa093c

SHA256
7e6e38f8a44f4c2fc82008621b0ccff08bdb04795bce11cefa76f9cdedc6f264

SHA512
7df86e3411d77508a05969692ae794b871e6e50d37ffa7bcc4febbee1b83edf2b163688dcccc6631ff85a269e931a3980543cad1f74d0017188c251d6dd24a16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ccf66a2404ad2df91ecdded8ff60a565

SHA1
476c60dcce2d0c041d14b64f527b01e312906533

SHA256
253acfbaeb1af924cefff43f752dbe471511cffd3ccc8fed9386fd119ddf2866

SHA512
21e5cc097695e6e2e98847b4aac780f2662c432ba42c890b50bac9bc57939f589341151ce7306d13adc6b098ea5388b83815c45f8ca5ab6ade17049a3b78bc57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1e1f37cb509237d8ef8cbffd11b99b9a

SHA1
2cd0608cfc96b66abc1dfc239c63d5a2d06c4371

SHA256
821f316246d5b37e6a34c6af9601b06ede003f6a1f59270495cc401e73bd438b

SHA512
bfda17fe1da3d7e60b09672c86bcd30f51f8e4380b6eaf3f98cf18bd272f0fa4d964ef068be055d65ca4b00437b23a5b46f032bac8d8ca2a3286a205b89171b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
357896e9784173a18d144f22147b88d0

SHA1
7e00792f8d967d692bab2720b99750e12730708d

SHA256
83494e56bc1f78f0fc4c6a7325afd7dc623941487a38938e71dc02e9c0207e41

SHA512
57c185fe5b7ac575b2c24c45c8b061c634a7a1489b07a76fde3f1cdf38f26a4f67032a0478e003e12c210537d5055b47e7af9e8155cd25b9dc933aaf59ea0787

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
012b317f3095edfc50f6caa20aefdbb3

SHA1
ce7e1cd6809d05e2d02ef475fed14a1cacbb4b1f

SHA256
4c4cad240c32fbbfc205b18efc120176ac3751799d3e5037c16719020f431ec1

SHA512
f8157fb9b9cb2e88dfa658cd207af42f9747c5823d6efced833dca998615b26a77e71ee083656308e7bcc754ae4b1784db67cff7c6916e75f85c139595d31754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ca96efd9d217ea464e9994b96e9f65d8

SHA1
419b7c0629c0d0f4510956f23b3517ed66d78c6a

SHA256
2122fab600cd6d8116d0cff89d2008c7acbb41fb246a13aec29ed677a1a2153f

SHA512
76f66d7793b7bc0253fa9ba1d8574884bad59f38e09090e7e9972355f8e62e56f09452c3c017dce35214a39c878fd75faae63a9b0bc0f4c25d7dc3b3f2098843

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8af210fd325fa94ac0df469b229ef93e

SHA1
08a77bc37b3d9830ce2aca0ac43d7ed03c43de83

SHA256
464b8abfb61029f159f46ce76f79637b575c0c29d46a03061cd506c855c97fac

SHA512
345d632ce37f01d240bb1066674748d461ce82fd059d7785121aa76afe141e24ddcfb37cee3d4f6c0e5cfa1af707cd5f80de62432436bc2174121644323c9596

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0f92b551402992103cc428423ee2a917

SHA1
184bb32b75c59dd57191cabb4ad77134c062ed46

SHA256
be830c3411b869fdcdfef34a073fdca45c21a4a3e7da8a6b0888ecc5e59debd1

SHA512
5b1b2b3a97d8059c856e17fa56f42e0d2cb1205e2d05ecfec15112787224311bc704829cfd6ee6a22daf6f19b4627c7e1e9a71ae9d4143afdc7958eac7dba102

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f557ac0be6420bbc791d3f8fb6c6b961

SHA1
1ad35a8463e5ef94f2a6b809b10d89c4280ac8be

SHA256
dc4d87821faa557f651e3d619582b19923424dd91469233c2b0aa2fece2a71c9

SHA512
9745dd0ef604d1b71010c5c9f0c5a09d42d0eb9f3faf587d62f3b66a43e0535a121394c4a859468f1f3e82f65bc8d53880a9416102d4a440c7b49c0c427353b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d5e71bc33e3da6703caeb9e607ea917d

SHA1
8c1e6ed4f2f2ad47e7b917f96240abcff8ea355c

SHA256
d87a97c04bab8adf1240e22aad1806c804f6dbd950d22c082887f362a29ea12f

SHA512
1cfaca49f192d0df065b90851a627a2ea0084a9c32866177be8a58e2033ee714378c3ba42721a09217ea19c77769864d199a9a1315df8b94f3b6e9710702081e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bf7c3ae4d360064b50c226738f2c1b4e

SHA1
2978173eae41e0646efbbe89846411bf27d40df7

SHA256
55711213778e71604a69c057061805e84c790a0c6d53f0a1cf9c9a3dd0181979

SHA512
f28dfeea4303c4887f155ab75ec9e77a3719db487f626e675ccacc4bd44263fe59790d00be86ead8d7fba60babc5e47b0881537aea92051ba177d50509d3ae0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
54d250d82ab6d38a8ee84a6cd00f6dc9

SHA1
ca05c5848f1dfd97ee07490d09381e73ad1211e6

SHA256
56e555d72c53f1a2c639ac92c87ce9ca6bbf7f7dc27474ccd2cdf8b523dbcb8c

SHA512
ac781670130086ad2c2623d4b097eb7349a621e9d43bb93d965e91865cbce0677bd8c01572e486f3d38a105882e19ddf87a346d5557882ca0b3dd3655b692c54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f392cf349f405fd2e9e8953276cfb218

SHA1
432fa6efb0f0a291562c4e9333cda30edc252b67

SHA256
080e068809fd102c6916f01a4dd0441934af80cc941a5bea716f5bcee3196a92

SHA512
f56ebd4d368588bad4073216cb0263d852a7740ed14d03beee588bf5cdf22ed636e688245ffcf108b291556985598903ca63a93b678b6bb3f69e926e6626eeb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c56e94ca1f6c9c4f41c9e067a815b38b

SHA1
4978528e980a11de3dfd306a6b9a925d41395769

SHA256
1529e5f261180dbb8bbfe65805c1c7b230417a758eccbcc9cdb22e1e4c44c110

SHA512
408e23fa0776d0d4c3d7c23aa1f8239f3f1863c8ad7f435a3615cdd73f37867cb4f8a62df5669a689b6cf0e407794b68ae119e7456e89ad275c5c1acbc2e2a3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d332bb5a1656232476c8db037010d8ff

SHA1
6460b354c0c037ccfcf6aebda7a92a70249ebdc8

SHA256
8d8ddc2bfe5d795cc193d3cf4c8b5f10879f0b0f45e5f06c51924a6344c4d505

SHA512
f117403d648705b9dc1d77875bb902fe586e62c23e509bffde597d348839e19a47b9976022cd1108af38921d816cb160eb6c6540042e268b105358727fcceebf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
c55defbff07d2c69a72bdaebfd29501b

SHA1
9dbe912299138b6f7402eb45183ed9482744fd49

SHA256
631e1f78265f822d69e5b5b45417404f7b96a7f5848d37a433ee053c11e46b21

SHA512
bdf92a9d622e185de7e024de3696ca80579d2fcc3f707c69d01404641ef673552b8ea4447f7b92455c68fa8ce957abb1c240333f70bbe29b2117d831daef2a40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
208KB

MD5
ff6085893e99cf4dc85db8761da4e9a1

SHA1
7e007fb507133f1c2c60f34771840542cb68e573

SHA256
5ed84b4ce76f41e7b78b661037b0fa1004e03a1f29b8112052e34d5337facec1

SHA512
855f8f8a599382984b077baa64ab530004d324b0b219d34a56d60a0dc4098a4861549736c96bfd28b5f7c58e409650166289a1b2e0ebc9eac0f7f57439b3a395

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
208KB

MD5
72709eef26a734678045ce1ad5f89214

SHA1
9baf63a8c6e32ca96ba7f6eaeb648f07f4902305

SHA256
aea095d7a67e98ec93b805ab942f3e26a4f990c5c3c788d0116767f73afda099

SHA512
6385ce699feb85e5d0412be16e4552cfe29331f7b11cfd6d5264953be7d9a869a1e80647bf54f9a637446ba92b4b87588dbf18730aed3abbf8a13ac8afcb1cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zlzdysu4.2dx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Client.exe:Zone.Identifier

Filesize
153B

MD5
818a8b7a5d3c883cae75aedbab0f37d1

SHA1
a659ad5c51d2b5d5895598d3490a87080a669140

SHA256
cb69480efdee7da66af5dcc775bee197f1b0c1c782091629554ab9434c84804b

SHA512
b82b092829e3719b70c1e7758d7eedd302d5bdf24a332ea7dc6afd4bfb9446cd4a275f38910a8376e85d41fc652510269525b3c8502514927a6092f26c726183

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 641575.crdownload

Filesize
197KB

MD5
6612bcb3e74a6e0441a7745c9330469a

SHA1
81fd5bfcf6744ebe55d6a44ff57f0ec48e30eb1d

SHA256
58c9a0462180ac23497f469c0eb5cdd07939b3a7655ab11d0273b25b4d49e584

SHA512
4bbd910754a4a3c7d975c6274e58d4dec450aa64aef0a2e726f707b62b8e9fcb47f3faa1b0e489cda1bff64445a88f406a95eeec1e8449bb93b64e8de9a69d2a

Download Submit
memory/668-200-0x0000029EF7320000-0x0000029EF7342000-memory.dmp

Filesize
136KB

Download
memory/4120-0-0x00007FFFF9AF3000-0x00007FFFF9AF5000-memory.dmp

Filesize
8KB

Download
memory/4120-3-0x00007FFFF9AF0000-0x00007FFFFA5B2000-memory.dmp

Filesize
10.8MB

Download
memory/4120-2-0x00007FFFF9AF0000-0x00007FFFFA5B2000-memory.dmp

Filesize
10.8MB

Download
memory/4120-1-0x00000000004F0000-0x0000000000526000-memory.dmp

Filesize
216KB

Download