dcrat | hxxps://mega[.]nz/file/PRlUUC6b#XUmOjNkb5nmzSndkf-yfWPlwopt7nd83viM54cw7W8g

Analysis

max time kernel
68s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/PRlUUC6b#XUmOjNkb5nmzSndkf-yfWPlwopt7nd83viM54cw7W8g

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\bridgeHypercomComponentHost\\RuntimeBroker.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\bridgeHypercomComponentHost\\RuntimeBroker.exe\", \"C:\\bridgeHypercomComponentHost\\fontdrvhost.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\bridgeHypercomComponentHost\\RuntimeBroker.exe\", \"C:\\bridgeHypercomComponentHost\\fontdrvhost.exe\", \"C:\\bridgeHypercomComponentHost\\dllhost.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\bridgeHypercomComponentHost\\RuntimeBroker.exe\", \"C:\\bridgeHypercomComponentHost\\fontdrvhost.exe\", \"C:\\bridgeHypercomComponentHost\\dllhost.exe\", \"C:\\Windows\\bcastdvr\\spoolsv.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\bridgeHypercomComponentHost\\RuntimeBroker.exe\", \"C:\\bridgeHypercomComponentHost\\fontdrvhost.exe\", \"C:\\bridgeHypercomComponentHost\\dllhost.exe\", \"C:\\Windows\\bcastdvr\\spoolsv.exe\", \"C:\\Users\\Admin\\Downloads\\AIMWARE CS 2\\winlogon.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\bridgeHypercomComponentHost\\RuntimeBroker.exe\", \"C:\\bridgeHypercomComponentHost\\fontdrvhost.exe\", \"C:\\bridgeHypercomComponentHost\\dllhost.exe\", \"C:\\Windows\\bcastdvr\\spoolsv.exe\", \"C:\\Users\\Admin\\Downloads\\AIMWARE CS 2\\winlogon.exe\", \"C:\\bridgeHypercomComponentHost\\mscontainerWindll.exe\""	mscontainerWindll.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	3964	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	3964	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	3964	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	3964	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	3964	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	3964	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	3964	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	3964	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	3964	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	3964	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	3964	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	3964	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	3964	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	3964	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3484	3964	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	3964	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	3964	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	3964	schtasks.exe	87

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	mscontainerWindll.exe

Executes dropped EXE 3 IoCs

pid	Process
1348	loader.exe
1104	mscontainerWindll.exe
4528	fontdrvhost.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\bridgeHypercomComponentHost\\fontdrvhost.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\bridgeHypercomComponentHost\\dllhost.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\bcastdvr\\spoolsv.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Admin\\Downloads\\AIMWARE CS 2\\winlogon.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Admin\\Downloads\\AIMWARE CS 2\\winlogon.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscontainerWindll = "\"C:\\bridgeHypercomComponentHost\\mscontainerWindll.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscontainerWindll = "\"C:\\bridgeHypercomComponentHost\\mscontainerWindll.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\bridgeHypercomComponentHost\\RuntimeBroker.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\bridgeHypercomComponentHost\\RuntimeBroker.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\bridgeHypercomComponentHost\\fontdrvhost.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\bridgeHypercomComponentHost\\dllhost.exe\""	mscontainerWindll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\bcastdvr\\spoolsv.exe\""	mscontainerWindll.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCC914A9E0698C45418AEC6CE9EFED991.TMP	csc.exe
File created	\??\c:\Windows\System32\-63gkj.exe	csc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1348	loader.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\bcastdvr\spoolsv.exe	mscontainerWindll.exe
File created	C:\Windows\bcastdvr\f3b6ecef712a24	mscontainerWindll.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133757041100771427"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	mscontainerWindll.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	loader.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5016	schtasks.exe
1608	schtasks.exe
3484	schtasks.exe
4356	schtasks.exe
756	schtasks.exe
1004	schtasks.exe
876	schtasks.exe
756	schtasks.exe
4248	schtasks.exe
3188	schtasks.exe
2940	schtasks.exe
788	schtasks.exe
4732	schtasks.exe
1780	schtasks.exe
3792	schtasks.exe
2632	schtasks.exe
5016	schtasks.exe
4112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1280	chrome.exe
1280	chrome.exe
1348	loader.exe
1348	loader.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe
1104	mscontainerWindll.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1280	chrome.exe
1280	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: 33	3112	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3112	AUDIODG.EXE
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeRestorePrivilege	3028	7zG.exe
Token: 35	3028	7zG.exe
Token: SeSecurityPrivilege	3028	7zG.exe
Token: SeSecurityPrivilege	3028	7zG.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
3028	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
1348	loader.exe
4428	OpenWith.exe
4428	OpenWith.exe
4428	OpenWith.exe
4428	OpenWith.exe
4428	OpenWith.exe
4428	OpenWith.exe
4428	OpenWith.exe
4428	OpenWith.exe
4428	OpenWith.exe
4428	OpenWith.exe
4428	OpenWith.exe
4428	OpenWith.exe
4428	OpenWith.exe
4428	OpenWith.exe
4428	OpenWith.exe
4428	OpenWith.exe
4428	OpenWith.exe
4428	OpenWith.exe
4428	OpenWith.exe
4428	OpenWith.exe
4428	OpenWith.exe
4428	OpenWith.exe
4428	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 4092	1280	chrome.exe	83
PID 1280 wrote to memory of 4092	1280	chrome.exe	83
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 4080	1280	chrome.exe	84
PID 1280 wrote to memory of 2768	1280	chrome.exe	85
PID 1280 wrote to memory of 2768	1280	chrome.exe	85
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86
PID 1280 wrote to memory of 4660	1280	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/PRlUUC6b#XUmOjNkb5nmzSndkf-yfWPlwopt7nd83viM54cw7W8g
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9ed28cc40,0x7ff9ed28cc4c,0x7ff9ed28cc58
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1872,i,7581011123630097261,14636898888727762492,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1868 /prefetch:2
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,7581011123630097261,14636898888727762492,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,7581011123630097261,14636898888727762492,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2340 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,7581011123630097261,14636898888727762492,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,7581011123630097261,14636898888727762492,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4548,i,7581011123630097261,14636898888727762492,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4556 /prefetch:8
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4848,i,7581011123630097261,14636898888727762492,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5104,i,7581011123630097261,14636898888727762492,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:2588

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3764

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4cc 0x308
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1936

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap21858:88:7zEvent32409
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3028

C:\Users\Admin\Downloads\AIMWARE CS 2\loader.exe
"C:\Users\Admin\Downloads\AIMWARE CS 2\loader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1348
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\bridgeHypercomComponentHost\u95boq3b7HFvqr.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\bridgeHypercomComponentHost\AAJff1lG8RICXs2A4EYTaC5p7dZ23zLFBkqYwYWng.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4416
  - - C:\bridgeHypercomComponentHost\mscontainerWindll.exe
      "C:\bridgeHypercomComponentHost/mscontainerWindll.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:1104
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ogdv5png\ogdv5png.cmdline"
        5⤵
        Drops file in System32 directory
        
        PID:3100
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED0.tmp" "c:\Windows\System32\CSCC914A9E0698C45418AEC6CE9EFED991.TMP"
        6⤵
        
        PID:3032
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LT5HHXrSxU.bat"
        5⤵
        
        PID:1780
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5016
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1608
      - C:\bridgeHypercomComponentHost\fontdrvhost.exe
        
        "C:\bridgeHypercomComponentHost\fontdrvhost.exe"
        6⤵
        Executes dropped EXE
        
        PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\bridgeHypercomComponentHost\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\bridgeHypercomComponentHost\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\bridgeHypercomComponentHost\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\bridgeHypercomComponentHost\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\bridgeHypercomComponentHost\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\bridgeHypercomComponentHost\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\bridgeHypercomComponentHost\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\bridgeHypercomComponentHost\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\bridgeHypercomComponentHost\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\bcastdvr\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\bcastdvr\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\bcastdvr\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Downloads\AIMWARE CS 2\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\AIMWARE CS 2\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Downloads\AIMWARE CS 2\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mscontainerWindllm" /sc MINUTE /mo 14 /tr "'C:\bridgeHypercomComponentHost\mscontainerWindll.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mscontainerWindll" /sc ONLOGON /tr "'C:\bridgeHypercomComponentHost\mscontainerWindll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mscontainerWindllm" /sc MINUTE /mo 8 /tr "'C:\bridgeHypercomComponentHost\mscontainerWindll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4428
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\AIMWARE CS 2\cc11b995f2a76d
  2⤵
  PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
75ed57d801b955cd1302345518f7a5f2

SHA1
786a686e7fcd8e28f304109cd72978278e170a9b

SHA256
cfbd3dac265974c0cc4b91fde0c5e5dac046c8058c7b25f7f200347919b1e463

SHA512
26f136371fbd105480cb7efdd80f24af5e9e409946db4b8af5add62c0a75211a3ec33d380c74a1c6458acaffa6c801bab0dc8eade0bf7ccf7cc558aeb2ec29b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
f9da3cf2c22e0a0cfb75a1ad84f56860

SHA1
6cca352f2f2785a14ec533cd7cff12bbbc1874e8

SHA256
af152c306e986c05e4848535a329b8b9c05134370dfe3bb4f6f5f5480c1ac6c0

SHA512
774bdecc784e4723a2bfe78d39060a819759057ee3ad1ef48956b761ed43c2f8cb55ae807665cf97f82c91f3ee3f8ec2ad15b8b5be72b61288e49841466471e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
519B

MD5
7c911da070bfdb87c1408135af7bbc30

SHA1
f9af436bf79f26f4a4a946c6ad0e66046062a431

SHA256
78046a96639f443b617d50fbc5d07f18afe925d18d3b83b7916fb429ea7c999f

SHA512
468cd85ef4d7b4d52d36a94c60772d36b1303e1e69679f4b1cd164dcd25038854edbb4c0cce9ec098913ddf780355a94006476e060fc4b163422c2a377ce1942

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eafe0b9073c542a7f7601829c354338e

SHA1
a4a58bef79e19913341d935ed892cfc4ecb7096b

SHA256
f8788e95de7584e418c11c4ef33ad2d624806a07c17cc274dbbf4d730fd9471a

SHA512
9addfe606910f14dd3ddf35ba7beddb4b0b2aaa819567f6c55e7d2d04057718403f290e460acfb2d1fea9c921e924be45b6a1f835c2a254553ad60dc6fd052d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b9b808d209564fc792c274b1cce0eae6

SHA1
10da72c2068f71b094a085aab81f720fe40565ff

SHA256
208a650cdf1cd36d00434abd0090422efee110418198b040bb6c90f144184029

SHA512
e9402a600ae744b1bc01adf16a2e654a30bf1f61593574e00006ecdc415778565ea917727c39aa6ddf5f7917efee747f2b5bbf11ec9ab29ad57f8389f8167f51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4c07b4b48f612c1d1a2e4301475f8134

SHA1
6953a74ce02b9bd3922741e201096319893d3f64

SHA256
6e3383de2d3c7b9febb86b47703ff404027a61f9ef0fb0d46ba84edc0bed3df2

SHA512
f17846513b9e223995dab2d0f767925690c9ebc4efcedbac4686528b590fcad1f329de16d1a5142106cc205f1a4905dcb4d98832c23fbe02ee8e8e5ba499eb8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7a69bfe3c9f35a1dcaeb35101ac6b9c8

SHA1
b0e00cc27b22dc9f48a873304ff34a1467dc9dd6

SHA256
cd803bfda39701a40e4b13fc0915e7fb1751e13a81d334835b259dd86fbdf4dd

SHA512
0c0e6619a3b8b836b632fd381c38d328a831d6e0bf49a409313bc34edef19605542647c5a5c6260bbbc0c97e5f05cc400bde49faaa0763ec2f9cfd1471a34bb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
b58ea9c3c34a71c9e14d4f2c741d3aac

SHA1
057e5982716456f5a62111e4ed457e7cb75eb988

SHA256
4b85d8bbc2265111cb8c3ebdd5b6ac3a384cc01efe1d82551bd13e516e8f2f76

SHA512
a89e2a2498debdc9d6c99a8f20673a36bf8ad6a8e61c702cce334fffa974699a367fb40f43f7b42aac709fe945da127b16b21e2c45dd02c1710f35ba420fc3bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
d500fad617b212513be5d25964cb870d

SHA1
fd78a2c2eb2c4cfddc575d7e55c2e8bff6cb9140

SHA256
c7b524bd05b5c8d3834be9b6f3d42bdf617ebf623bf35a1cd35c4bf42e13004a

SHA512
2bb2bb16bfed518a980149daf4d2c4f315a10293106f70ebeaf52a3a6a0c4b713f0c38791c754202b49495ac4a0df07c8943c68f6a39c3b2e9dea15deec10075

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
f7e4e900eb2dbee26fa32956ce97c6f2

SHA1
52ac44bf26bbac67e1e0bfddf3767392cbfd39ff

SHA256
f2f3630b976078d0e3ee6b3510b27de133f03a34268b63cf996351a224c38172

SHA512
1074e18071c8f2da784448041bd5315f0fa112c2ad0460e5fb161166dd1bd80157406a74a09fcefd1108b15a2d22089263612ddb534b98af70ab8eeeca02dfdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\LT5HHXrSxU.bat

Filesize
222B

MD5
5f31dab3ffcf939997b08d679a579b7a

SHA1
ce22d204a6b161fcaa3f245aa54a36daf38b92e4

SHA256
b8fc480669a0395f95d5a2f5ec8b861fe1874875a038adf314c7ca39495046f8

SHA512
91f39145e602746e78da0153151c81518f2582dc40473633c07f484645d83597eac92a1e1d4e721957ef9746a11b6f8dcff3494bdb209ca1fa6d037bde06d7fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESED0.tmp

Filesize
1KB

MD5
b3f3383cfb1f222185701c823184ef0b

SHA1
d9ef22dbe914d691d6f6743c046816963fbd86ec

SHA256
73972fbb064adfb105f7fb169d5a243463a634231711e349f26e1c83d27bd3ac

SHA512
b7ed7755a32d0f865f9ce71bf126eedd9450af651bb1ff54a75d99b69f3253e7ba30fdb841defa6b048884d47cb5760139aae6dc391725e9c24cf284dc04e7a1

Download Submit
C:\Users\Admin\Downloads\AIMWARE CRACK.rar

Filesize
2.7MB

MD5
00bfb1d264e1295c908722d6d4777022

SHA1
b1e884783e94f712d56e073e50b172444eb113c9

SHA256
5ea5bb52bdce2d2a903fcfcaa65b02725700e279377dad1ba80303dfc375f4f0

SHA512
e618851adae1942b5b2057b67ae3946fd1e3ef48e2da44a81756eaa5e2c412412e7d4990686a42ac4f2f9b15d0a5574fa029357849400ecc2ae0a5409005b936

Download Submit
C:\Users\Admin\Downloads\AIMWARE CS 2\cc11b995f2a76d

Filesize
673B

MD5
dc05e777485d678f51295aeb5071e0ca

SHA1
d1d53d6ff56f4303b0657e6f4118bf7d9652d91a

SHA256
2e3081bf38b9eddb5382fe8d6be965c4a927c1939ab70cbd859eee5eda8f5950

SHA512
91042e1617ce30713646a4d7a1143ccd34b9f0ffbbfc449f6584edb2d4c3ae89c5900305242dc84bdbc2e5aa929783273af0b01608b6173cc05a268ac132f0cd

Download Submit
C:\Users\Admin\Downloads\AIMWARE CS 2\loader.exe

Filesize
3.2MB

MD5
8faa9e2bbcb1f98cb3971b94f9feda41

SHA1
ab03732cdbc58c752057f2dd3c39e164e222476f

SHA256
026825e9ca81fe52b1833a5e2c838336bc645778da89ff5c266c65c9d750a490

SHA512
5a660bddaf58c15503861663d018e3444c40fc9a62cc2953a60e41c78561014db4911d4f1da80f70a492d6ff912765d93e08c3c39fce921580b034dfcc47d358

Download Submit
C:\bridgeHypercomComponentHost\AAJff1lG8RICXs2A4EYTaC5p7dZ23zLFBkqYwYWng.bat

Filesize
108B

MD5
836fc705ac99bb9e9c32457cd334e13e

SHA1
ebbb2cfd6a3260e482447d1c7871391ea8c75551

SHA256
e0446f377405745b3712c210adeda645441bc9f6b987756b53aa05ed167fbf9c

SHA512
ae2915671fee13ce19947eed0733d3de5b462ca8ef55b422259814004cc51df54a1ea58a6659a36a886103e84191f93fee5d7a134a50439a81c856645f88cc90

Download Submit
C:\bridgeHypercomComponentHost\mscontainerWindll.exe

Filesize
1.9MB

MD5
5a7bf976e09d1835a65809093075a1bc

SHA1
d2de32c02c3d6e79f185b6b5f91e95144ae5a033

SHA256
20ea6e36a40896c99a0549118ac01b9508dd72b484050c9b2ce4fb5ac805a950

SHA512
60c6f582e29415186d2fef58a469a6bd87e84daf084d8705f09605f331d015abb1a825d06343a797532561915e754015692e745de21c55ed6e52cb5ba47129c6

Download Submit
C:\bridgeHypercomComponentHost\u95boq3b7HFvqr.vbe

Filesize
246B

MD5
a672021e4678a1cee46a924baa63411c

SHA1
c4c27bf73768a3cc97d070e3d560e4f45affe9b4

SHA256
65a576bed74898f83fd527be9a715aaac80609066d01e8b16a691c5287bd15b5

SHA512
ea08511f0859767abdbc080e7dcbad20bced260cfb2b58ba51cc8d48d544fb36256f56887c25763f25d799fa225674d487d6f5826f835fb8462c0c6441c64b67

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ogdv5png\ogdv5png.0.cs

Filesize
380B

MD5
a77bec6f6ae2d66775e08af05e8b1b20

SHA1
c73e2479cba174218bcc7eeecb3595da55c1a47a

SHA256
e44ed065a90c37b97238c22e0b9ebe4746120d3eebc1b13e1304088a4760111e

SHA512
aa0771113246afdc25f7b24770d2cb2899d5407922b1f033ceb1ee4125c8050c27ae1922cfc4890d8148a1e326ef99f34ebc992abd863d9d256ccb408d012a0c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ogdv5png\ogdv5png.cmdline

Filesize
235B

MD5
1b50de6bc4c9ef7ec08aef37e3a0f70f

SHA1
501a9f1f4265da383eb847ecf5386d1a572ad74c

SHA256
3ae81a6c466c28b3294ddd181533a3eeac8579ff71235612d705dfb426d0f4ec

SHA512
02bc066e6381639391f135f2e8689901d0dbc5dc03a6fe0b9a8effeae834b1e6b4139335f100be47ff38850cc06f2d22887bed2c35a22b1ccd3e2f341630c893

Download Submit
\??\c:\Windows\System32\CSCC914A9E0698C45418AEC6CE9EFED991.TMP

Filesize
1KB

MD5
82a7b8ef3bc275711e3b27c6df93c7ff

SHA1
bdac909f26475c94c74145576bcf22adb0f8203c

SHA256
582921e5e6617cb736006c46c9c8576d8fdefb8763469bdbf305d52d298f6124

SHA512
f2100bca60280f6ad93f40254d6fe69bd9917a44973516874aa54c28042796503daac5c51869924f5ecd17615f461dda6441f479e1201c44ad07f5a7728af248

Download Submit
memory/1104-227-0x000000001B870000-0x000000001B87C000-memory.dmp

Filesize
48KB

Download
memory/1104-225-0x000000001B860000-0x000000001B86E000-memory.dmp

Filesize
56KB

Download
memory/1104-223-0x000000001B8A0000-0x000000001B8B8000-memory.dmp

Filesize
96KB

Download
memory/1104-216-0x0000000000750000-0x0000000000936000-memory.dmp

Filesize
1.9MB

Download
memory/1104-221-0x000000001B8F0000-0x000000001B940000-memory.dmp

Filesize
320KB

Download
memory/1104-218-0x000000001B500000-0x000000001B50E000-memory.dmp

Filesize
56KB

Download
memory/1104-220-0x000000001B880000-0x000000001B89C000-memory.dmp

Filesize
112KB

Download
memory/1348-210-0x0000000000E60000-0x0000000001256000-memory.dmp

Filesize
4.0MB

Download
memory/1348-200-0x0000000000E60000-0x0000000001256000-memory.dmp

Filesize
4.0MB

Download
memory/3100-250-0x0000015393B30000-0x00000153945F1000-memory.dmp

Filesize
10.8MB

Download