9c0e95c7c80f6c07ea48109802a28bc9c3adfbcf7ed99018b21c2b3290f285ba

Analysis

max time kernel
150s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KRLN/KRLN.exe
Size

677KB
MD5

19f761c741774d9108d818beedf3b17e
SHA1

a866aafc66806286dbf94cbf7bba4c38578ed8aa
SHA256

3a16818503da9d146eb2eedb303589dc6f3bdf58b1eeba9a6bd7c1e7e3151f0a
SHA512

9c274c800901b9a1f57bd01f2f4613569c86612bd6f8dcd5fac07f57b43359e543068fecd4c5d0ff546d8163bd3ea27763eada80be8bb297b4874b5e5c7e6987
SSDEEP

3072:d4WMR9b4C9jdh559dJ12QcVXqLRY3pClghBCWyyCzn8sZL3l4gxHC2E+JQLujdzH:yWTCvL9d2VaLa3pClghtyV8sug5IuV

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	KRLN.exe

Network Service Discovery 1 TTPs 11 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
444	CefSharp.BrowserSubprocess.exe
3432	CefSharp.BrowserSubprocess.exe
1536	CefSharp.BrowserSubprocess.exe
3500	CefSharp.BrowserSubprocess.exe
3396	CefSharp.BrowserSubprocess.exe
4152	CefSharp.BrowserSubprocess.exe
2644	CefSharp.BrowserSubprocess.exe
1148	CefSharp.BrowserSubprocess.exe
1268	CefSharp.BrowserSubprocess.exe
3536	CefSharp.BrowserSubprocess.exe
1340	CefSharp.BrowserSubprocess.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	KRLN.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	KRLN.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\TT	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\PG	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\LV	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\CM	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\AS	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\SV	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\PK	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\NI	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\MW	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\UA	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\MQ	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\BG	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\AL	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\SA	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\MZ	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_1337325485\crs.pb	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_1337325485\_metadata\verified_contents.json	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_1337325485\manifest.fingerprint	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\KE	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\CC	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\UZ	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\VG	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\KY	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\GG	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\AO	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\XK	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\TG	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\KG	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\ET	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\DE	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\CD	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\LR	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\ZA	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\YT	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\RS	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\PS	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\LI	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\IN	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\HU	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\FR	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\ST	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\SB	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\RW	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\KR	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\BO	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\BY	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\TM	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\SY	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\LC	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\KN	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\IS	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\GT	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\VU	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\SH	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\JM	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\EG	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\NZ	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\BT	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\BS	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\TH	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\SM	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\NU	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\MD	KRLN.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\GM	KRLN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	KRLN.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	KRLN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	KRLN.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133764417738326122"	KRLN.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	KRLN.exe

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	KRLN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 500031000000000047598c55100041646d696e003c0009000400efbe47598e48725901b22e00000050e10100000001000000000000000000000000000000c1d31d01410064006d0069006e00000014000000	KRLN.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	KRLN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4e00310000000000725905b2100054656d7000003a0009000400efbe47598e48725905b22e0000006fe10100000001000000000000000000000000000000127e6900540065006d007000000014000000	KRLN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	KRLN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0\NodeSlot = "1"	KRLN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	KRLN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	KRLN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	KRLN.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	KRLN.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	KRLN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	KRLN.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	KRLN.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	KRLN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 5000310000000000725904b210004c6f63616c003c0009000400efbe47598e48725904b22e0000006ee101000000010000000000000000000000000000005e2bb8004c006f00630061006c00000014000000	KRLN.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0	KRLN.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	KRLN.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	KRLN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	KRLN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 780031000000000047598e481100557365727300640009000400efbe874f7748725901b22e000000c70500000000010000000000000000003a000000000094f4210055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	KRLN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = 4e00310000000000725903b210004b524c4e00003a0009000400efbe725901b2725903b22e0000009a3c020000000700000000000000000000000000000075dafa004b0052004c004e00000014000000	KRLN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	KRLN.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	KRLN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	KRLN.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	KRLN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	KRLN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	KRLN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	KRLN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0\MRUListEx = ffffffff	KRLN.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	KRLN.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	KRLN.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	KRLN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	KRLN.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0	KRLN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	KRLN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	KRLN.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	KRLN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0 = 5600310000000000725903b210007363726970747300400009000400efbe725903b2725903b22e000000103d02000000070000000000000000000000000000005b69fc007300630072006900700074007300000016000000	KRLN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	KRLN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	KRLN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 560031000000000047598e4812004170704461746100400009000400efbe47598e48725901b22e0000005be1010000000100000000000000000000000000000097a613004100700070004400610074006100000016000000	KRLN.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
444	CefSharp.BrowserSubprocess.exe
444	CefSharp.BrowserSubprocess.exe
1148	CefSharp.BrowserSubprocess.exe
1148	CefSharp.BrowserSubprocess.exe
1148	CefSharp.BrowserSubprocess.exe
1268	CefSharp.BrowserSubprocess.exe
1268	CefSharp.BrowserSubprocess.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3432	CefSharp.BrowserSubprocess.exe
3432	CefSharp.BrowserSubprocess.exe
3432	CefSharp.BrowserSubprocess.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3536	CefSharp.BrowserSubprocess.exe
3536	CefSharp.BrowserSubprocess.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
1536	CefSharp.BrowserSubprocess.exe
1536	CefSharp.BrowserSubprocess.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3500	CefSharp.BrowserSubprocess.exe
3500	CefSharp.BrowserSubprocess.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3396	CefSharp.BrowserSubprocess.exe
3396	CefSharp.BrowserSubprocess.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3132	KRLN.exe
Token: SeDebugPrivilege	444	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeDebugPrivilege	1148	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	1268	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	3432	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	3536	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeDebugPrivilege	1536	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	3500	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeDebugPrivilege	3396	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe
Token: SeCreatePagefilePrivilege	3132	KRLN.exe
Token: SeShutdownPrivilege	3132	KRLN.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe
3132	KRLN.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 1148	3132	KRLN.exe	88
PID 3132 wrote to memory of 1148	3132	KRLN.exe	88
PID 3132 wrote to memory of 444	3132	KRLN.exe	89
PID 3132 wrote to memory of 444	3132	KRLN.exe	89
PID 3132 wrote to memory of 1268	3132	KRLN.exe	90
PID 3132 wrote to memory of 1268	3132	KRLN.exe	90
PID 3132 wrote to memory of 3536	3132	KRLN.exe	91
PID 3132 wrote to memory of 3536	3132	KRLN.exe	91
PID 3132 wrote to memory of 3432	3132	KRLN.exe	92
PID 3132 wrote to memory of 3432	3132	KRLN.exe	92
PID 3132 wrote to memory of 1536	3132	KRLN.exe	94
PID 3132 wrote to memory of 1536	3132	KRLN.exe	94
PID 3132 wrote to memory of 3500	3132	KRLN.exe	95
PID 3132 wrote to memory of 3500	3132	KRLN.exe	95
PID 3132 wrote to memory of 3396	3132	KRLN.exe	98
PID 3132 wrote to memory of 3396	3132	KRLN.exe	98
PID 3132 wrote to memory of 4152	3132	KRLN.exe	103
PID 3132 wrote to memory of 4152	3132	KRLN.exe	103
PID 3132 wrote to memory of 2644	3132	KRLN.exe	104
PID 3132 wrote to memory of 2644	3132	KRLN.exe	104
PID 3132 wrote to memory of 1340	3132	KRLN.exe	105
PID 3132 wrote to memory of 1340	3132	KRLN.exe	105

C:\Users\Admin\AppData\Local\Temp\KRLN\KRLN.exe
"C:\Users\Admin\AppData\Local\Temp\KRLN\KRLN.exe"
1⤵
- Checks computer location settings
- Checks system information in the registry
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Users\Admin\AppData\Local\Temp\KRLN\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\KRLN\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --start-stack-profiler --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2760,i,12318258551189129628,39835552732343219,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=2764 --mojo-platform-channel-handle=2756 /prefetch:2 --host-process-id=3132
  2⤵
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Users\Admin\AppData\Local\Temp\KRLN\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\KRLN\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --start-stack-profiler --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=2692,i,12318258551189129628,39835552732343219,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=2776 --mojo-platform-channel-handle=2768 /prefetch:3 --host-process-id=3132
  2⤵
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:444
- C:\Users\Admin\AppData\Local\Temp\KRLN\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\KRLN\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=2860,i,12318258551189129628,39835552732343219,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=3044 --mojo-platform-channel-handle=3040 /prefetch:8 --host-process-id=3132
  2⤵
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\Users\Admin\AppData\Local\Temp\KRLN\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\KRLN\CefSharp.BrowserSubprocess.exe" --type=renderer --start-stack-profiler --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3960,i,12318258551189129628,39835552732343219,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=4012 --mojo-platform-channel-handle=4008 --host-process-id=3132 /prefetch:1
  2⤵
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3536
- C:\Users\Admin\AppData\Local\Temp\KRLN\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\KRLN\CefSharp.BrowserSubprocess.exe" --type=renderer --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3968,i,12318258551189129628,39835552732343219,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=4024 --mojo-platform-channel-handle=4016 --host-process-id=3132 /prefetch:1
  2⤵
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3432
- C:\Users\Admin\AppData\Local\Temp\KRLN\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\KRLN\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --start-stack-profiler --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=2772,i,12318258551189129628,39835552732343219,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=4508 --mojo-platform-channel-handle=2752 /prefetch:2 --host-process-id=3132
  2⤵
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Users\Admin\AppData\Local\Temp\KRLN\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\KRLN\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --start-stack-profiler --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=disabled --field-trial-handle=4320,i,12318258551189129628,39835552732343219,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=4516 --mojo-platform-channel-handle=2756 /prefetch:2 --host-process-id=3132
  2⤵
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3500
- C:\Users\Admin\AppData\Local\Temp\KRLN\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\KRLN\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=5280,i,12318258551189129628,39835552732343219,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=5304 --mojo-platform-channel-handle=5300 /prefetch:8 --host-process-id=3132
  2⤵
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3396
- C:\Users\Admin\AppData\Local\Temp\KRLN\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\KRLN\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=5704,i,12318258551189129628,39835552732343219,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=6128 --mojo-platform-channel-handle=6132 /prefetch:8 --host-process-id=3132
  2⤵
  - Network Service Discovery
  PID:4152
- C:\Users\Admin\AppData\Local\Temp\KRLN\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\KRLN\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=1992,i,12318258551189129628,39835552732343219,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=7200 --mojo-platform-channel-handle=7148 /prefetch:8 --host-process-id=3132
  2⤵
  - Network Service Discovery
  PID:2644
- C:\Users\Admin\AppData\Local\Temp\KRLN\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\KRLN\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=7896,i,12318258551189129628,39835552732343219,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=7532 --mojo-platform-channel-handle=7536 /prefetch:8 --host-process-id=3132
  2⤵
  - Network Service Discovery
  PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping3132_1337325485\manifest.json

Filesize
73B

MD5
cee5b0bf41db27e17701d7406fbaddea

SHA1
7b4115272cbd12e321f9a8052ee14d490c57d1ee

SHA256
e6007244e2efeacf935373b3bff1f2ae5c3158f40bcafc7f0d50109bab4d15f5

SHA512
f0f91d670f5d0237850f58fa3e5b5ffe65d92568ef8896739a29191ac8e55852003d55760387c9b1d0cd02323ec7fce068b5d99507f6b23add9038028db3bdcc

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3132_197288967\manifest.fingerprint

Filesize
66B

MD5
ae8d23bb83c6aef1ab9e157fad925b7f

SHA1
9f752d070637555e88867cb5031b911114c6fe62

SHA256
edb859f9d5a8ef52535d5936d6773f5757dc6f26093d27df52170bb55a213881

SHA512
8d5b668d8a1575d2c44740317f0b8dfef9db8173db19e9bb8c3aa9abab288c600b87008e8ba9955caabea5b20058677ea7bd3d8344e653ca6c4d2634373c41bb

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3132_197288967\manifest.json

Filesize
98B

MD5
077c1cb909989e849866f22c69eba3c9

SHA1
462905d1b38648f6fc4280b8ec3e80392296f1be

SHA256
2488bd71bef68ffb312259e30c7d22751df34d05099d03b71d14a2d51ea943fc

SHA512
8f1457c6e006474f0433374403bf96577bcb12170938cb2bcfa631bbc87c2b56f1d616de9fda8cc4d063b803a701de92ce0f31b5091bd66f749f7385ece17f3d

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3132_337808095\manifest.json

Filesize
98B

MD5
05c5976d715ddd3cd7c7cfb35ed3ef25

SHA1
814895d5d1b3e221dd20fc175aac0214ada6f83f

SHA256
a5f3d847ebeea9c9e21bc1640672ba84c0f15f0010758a50e384780f337eb119

SHA512
3951a45638e6f615eb022dd65b5e00fe5d4d77b79c18fc4cc5714a59053125b3b14ec7655b3405193ae27a035f2b3dc9e98bb76d7da6fba1266549ec709506fd

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\4ed7d545-b4ac-417b-af80-2a62b9ba7cec.tmp

Filesize
5KB

MD5
45d7f69a8ace87a2e6112a106ffd939d

SHA1
79fce798899ef3bd638818136171752337bd770c

SHA256
369a52fe43249e2b8d1e4dd0f9ecb9c427b9338f1efc48b69e224f96fcc76dc8

SHA512
ba9c667e197ed649b4e0d563b8c70e6f743c635491e8b4a6ca4128f62cbd483f3c16d78e30f4ef25ab0311814596715cdcd857f5129e14798818a024db72e0db

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Cache\Cache_Data\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Cache\Cache_Data\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Cache\Cache_Data\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Extension Rules\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Extension Rules\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Network\Network Persistent State

Filesize
845B

MD5
8e8a6f611ec9b21886079eed097522a4

SHA1
59c6b780dffbe7e4ee62604762d199e899d44e0c

SHA256
086985ba6fe2488a12d517cbb379fa299f78d885ee5ebc1519c0b06b1b248d6f

SHA512
0858fd057eca81a3013cbd3cf8cf9e413a7f6fc1f924da71dd9cc30806c43fe9d257e561484e4efd48f9313c9f729e454acd7cc443bfe27025edc3822af134c1

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Network\Network Persistent State~RFe58e54a.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Network\TransportSecurity

Filesize
353B

MD5
f95a8fb04fa64c8e50238a94e5421f05

SHA1
20bd3e17a8df31f387a6cd7cc688aa9a69a49f86

SHA256
f05c81e4bb544fed9e2b842dc4d0520d0b56fae68cb3e3a38310b0471547f976

SHA512
d139364986260d106df376465edcc3b734a10f9f71b866bb1215b7ab809d305eb6cacccfa3f32a68a4712978f9642d82b0f9dfb17d3df3251fe972fdff92d585

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Network\TransportSecurity~RFe58f400.TMP

Filesize
355B

MD5
e51bcbb7863086714bf0415d1f4e4fd1

SHA1
ae456d0cf5f73c18d8ab18e227fefadb31ff95f6

SHA256
27bd13f36de95ef4a004364a161267e014798f912e7ff6077f864a4502c18960

SHA512
fa786e85abcdadb28eb9455a71216c3f3e41e819c3d78712f25ea26899afdd835c2125e3e7533930bc72dbc420998f97adb7d14029f18d6acb2e4e4bdc9f68ce

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Preferences

Filesize
6KB

MD5
66637fab48841fa23d19b0001347f441

SHA1
895e1e386224ac875ccf99459ea15d659d5a7ac1

SHA256
4ae008b7e983645602fb6f3cc152466ec18c16de0df09e5e6f4957ba7b1da510

SHA512
4da5208b05347213fa0863995da7dafb2a54cbab13d1947feab20b5f15773fe22766c905908c256ef8f441cd40fbf207dc0c30f856e810ee92addb3114415973

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Preferences~RFe586acb.TMP

Filesize
6KB

MD5
3f329289412a0953d587ec56bd062eda

SHA1
c54010c4a779496d79b3394f54bdd8167f28ef45

SHA256
69c702e871d2ccbcf4b22d1042a19cb5c74f0f2cdf3aca1176edf7ea0a10e5c0

SHA512
856603d8c66e23df4f0923a6ab84f9e90918a4e85ae647c0a33d65627f69b9d0bb0de38729df0089e91894ab48fec7ecdcf7128cfcef50c8768a9b2bd3f1173e

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Local State

Filesize
5KB

MD5
01ee17a3d57dfac3a4b53998563c2f1b

SHA1
bc12b8d900bf5de45b2cafc3431a2727f98b6215

SHA256
1afc31e0bba23c8ac90069ca88ae97373ddef14809a4ddd0f73fd9cbd277a669

SHA512
d1e393251785b37114b7b98bbace15776e5f795af9efebf0805f8cd884bcf2f48bd3c189c18918dc067aa3db9177fa0b10defe135552c7a500334e635a367204

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Local State

Filesize
1KB

MD5
b5d41826d27579cd117eaf2323f634ca

SHA1
b09648a59ec8c8786612f72634ed3eaa69e53281

SHA256
c91576293d41189c0d3381dc1d0adc2dbd6be67d83bb7ef20d218b8cbd68fe75

SHA512
6137f6fc5c0cf103e82ee3528b42b060391382b4a9a39325f5ac0db08cab2ceff1b4e636ee7c9810dc36eed89eeacd31ebd796ee339511fcd21eac450e47231f

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Local State

Filesize
5KB

MD5
e8e83eca8a3e2aca8b53032f6dc840ed

SHA1
1c7d57769ae346712b0048831a4488df19099b61

SHA256
2589ef0b0814db2f40538c09ea18e3e98bca3840dc11b6aa558ffcbd4c28e12f

SHA512
fc6a1b553fb014d7b4bbf7dbca1ea9ebba3b15746997a15fd83b9e6496a12ab06e779b48203862975ef68988a0b37398e43ba310d49269273d14911d857c1738

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Local State

Filesize
2KB

MD5
16dea092fc5dd2413b9920aad82ce3a4

SHA1
e5e23d88cc48c3f5b0baae7abf8cb6a2cfd37e30

SHA256
edd839f41da81c5a215e118a634d57c49e886e4dc24327b6027d9732f6f086b7

SHA512
21a0c34520b4eabc739e915f103ff66b2c76f53787c450b680e190ce52223f924341c6832b92cbef0637f5384b7e5c5d75b4adfafb852d0ce87b8db074b31450

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Local State~RFe57cf56.TMP

Filesize
890B

MD5
deff5f85315de8e26eb52ad8df91ecdb

SHA1
8af7a029f78350ffaec8619b3f64ba75ca38a645

SHA256
0d91cf2daf73b1947e446a37ebeb9c9ce0d0d42ee3910ea2563e80fa8b9dd400

SHA512
521c2039426a387cf979f2816a38f63b0e70b2a13cc9ab75c0fb72491592b1bcb6bae4fa7a8bf950a7c598b73a8d17529e6946ccb4126699df30d4f077074975

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\PKIMetadata\1133\crs.pb

Filesize
141KB

MD5
57086b02f74c3fe7b79a5e2e3d852322

SHA1
6420387225ddcd5210175de4f3fdb0ab2be8ee9c

SHA256
a1b5be8d4aab349aff58ed34e1f3bc6647cf440830da0a12a8bd5a1c976c6407

SHA512
b195eb9a9129863e75be603b00b85ecfe46360910529fb38513af6940f9d17efd56f234b47963452329cd85b16bebb5a85ab5d304743e57d33bafd5b59900468

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\PKIMetadata\1133\kp_pinslist.pb

Filesize
11KB

MD5
b17572c069b858ddec1cbcd618171e60

SHA1
7765c792ca9671eb3bfc5d393a9f944270612191

SHA256
b6dd2f4da516310be9e70bfd75998d920c01e21072116b9b629347f0278f5189

SHA512
2b819b2ed01c8ea35b362de310e5a80cb95544037d18dfef49cf0c9e23fb604149dfddfed9fe9440b8369bf76859b903779784f0ed31209f5a83d4aca0b0d56f

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\PrivacySandboxAttestationsPreloaded\2024.11.13.0\privacy-sandbox-attestations.dat

Filesize
7KB

MD5
09bdbfeee8aa46e678a2763ad4541770

SHA1
65728c6ac0ed41de13557ff0d1d1ec2e4c83cee3

SHA256
485dd2ac8a405e603cd73d581a4dc90c8bcb26d2a2ff68cef0d9e9324e5838d6

SHA512
12c3c6f7456a1a259f68a28890185d9166e2e39da94963ae1b125345157a13a832ca96b4d82e02e1d84af0204edbadf6418c33f744ba7bbde5cb16c4bd09cd38

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\chrome_debug.log

Filesize
664B

MD5
cf640a0dc5d8eabca8d7cab28f1b56f6

SHA1
a65ec193a51e95e1441cd99359e1e267925516c8

SHA256
9a8a9cdac59163a9415118ba039cf44bf32b9242f28ee594bd112b04b10fb9e7

SHA512
a78d1ac2f9cef96b20173c37bdf4fca3b75f7ce9afa21afad90911b25f18a1712bb15687da07536733fa7f00e1d15b1a6319f8b291b5fe3ac15f94c64580e23d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CefSharp.BrowserSubprocess.exe.log

Filesize
425B

MD5
fff5cbccb6b31b40f834b8f4778a779a

SHA1
899ed0377e89f1ed434cfeecc5bc0163ebdf0454

SHA256
b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76

SHA512
1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9

Download Submit
memory/444-231-0x0000022CE6C90000-0x0000022CE7C90000-memory.dmp

Filesize
16.0MB

Download
memory/444-19-0x0000022CE6B60000-0x0000022CE6C81000-memory.dmp

Filesize
1.1MB

Download
memory/1148-17-0x0000021BD12F0000-0x0000021BD12F6000-memory.dmp

Filesize
24KB

Download
memory/1148-120-0x0000021BEB960000-0x0000021BEC960000-memory.dmp

Filesize
16.0MB

Download
memory/1268-232-0x00000182402F0000-0x00000182412F0000-memory.dmp

Filesize
16.0MB

Download
memory/1536-175-0x000001B1B9690000-0x000001B1BA690000-memory.dmp

Filesize
16.0MB

Download
memory/2644-408-0x000001CDAFB20000-0x000001CDB0B20000-memory.dmp

Filesize
16.0MB

Download
memory/3132-9-0x000001D980000000-0x000001D9801C4000-memory.dmp

Filesize
1.8MB

Download
memory/3132-3-0x000001D9FD1E0000-0x000001D9FD222000-memory.dmp

Filesize
264KB

Download
memory/3132-13-0x00007FF9886B0000-0x00007FF989171000-memory.dmp

Filesize
10.8MB

Download
memory/3132-212-0x00007FF9886B3000-0x00007FF9886B5000-memory.dmp

Filesize
8KB

Download
memory/3132-1-0x000001D9E2B70000-0x000001D9E2C1E000-memory.dmp

Filesize
696KB

Download
memory/3132-6-0x000001D9FD4B0000-0x000001D9FD4C4000-memory.dmp

Filesize
80KB

Download
memory/3132-5-0x000001D9E30C0000-0x000001D9E30CA000-memory.dmp

Filesize
40KB

Download
memory/3132-0-0x00007FF9886B3000-0x00007FF9886B5000-memory.dmp

Filesize
8KB

Download
memory/3132-235-0x00007FF9886B0000-0x00007FF989171000-memory.dmp

Filesize
10.8MB

Download
memory/3132-11-0x00007FF9886B0000-0x00007FF989171000-memory.dmp

Filesize
10.8MB

Download
memory/3132-4-0x00007FF9886B0000-0x00007FF989171000-memory.dmp

Filesize
10.8MB

Download
memory/3132-215-0x00007FF9886B0000-0x00007FF989171000-memory.dmp

Filesize
10.8MB

Download
memory/3132-7-0x000001D9FF8B0000-0x000001D9FF8FA000-memory.dmp

Filesize
296KB

Download
memory/3132-213-0x00007FF9886B0000-0x00007FF989171000-memory.dmp

Filesize
10.8MB

Download
memory/3132-8-0x000001D9FFE80000-0x000001D9FFF6C000-memory.dmp

Filesize
944KB

Download
memory/3132-214-0x000001D9801D0000-0x000001D9811D0000-memory.dmp

Filesize
16.0MB

Download
memory/3132-2-0x000001D9E2FC0000-0x000001D9E2FC8000-memory.dmp

Filesize
32KB

Download
memory/3132-10-0x00007FF9886B0000-0x00007FF989171000-memory.dmp

Filesize
10.8MB

Download
memory/3396-209-0x000001F480000000-0x000001F481000000-memory.dmp

Filesize
16.0MB

Download
memory/3432-234-0x000001ABE8CD0000-0x000001ABE9CD0000-memory.dmp

Filesize
16.0MB

Download
memory/3500-240-0x0000019D2C9F0000-0x0000019D2D9F0000-memory.dmp

Filesize
16.0MB

Download
memory/3536-233-0x0000020DEADA0000-0x0000020DEBDA0000-memory.dmp

Filesize
16.0MB

Download
memory/4152-341-0x0000015FB7580000-0x0000015FB8580000-memory.dmp

Filesize
16.0MB

Download