latentbot | a2deefa26145a0ef56e012cb1020c6ba73d939a5deccd3088155d68c2995cbd1

Analysis

max time kernel
299s
max time network
303s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-es
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-eslocale:es-esos:windows10-ltsc 2021-x64systemwindows
submitted
21-11-2024 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

archivo2.vbs
Size

24KB
MD5

794acb71b278d769b345ae1128ba0c74
SHA1

33ae0fddd4a8d0db765f988006aeb53d2fc4abeb
SHA256

a2deefa26145a0ef56e012cb1020c6ba73d939a5deccd3088155d68c2995cbd1
SHA512

81d1b09832762b9201205f13c68bd4958f5f5ede713a287d86da7144c4c333809bfd0e85d624a462c6130eb14307cccae49eb691a2f8a4642d5502f291763be2
SSDEEP

384:E7EipzIp0YHdqR11111OiPNtj5oByRDjmvb0PZ/sRQO84uJSM8gJ/vHV:EoidI+Y9qX1tj5oPbS/sebLSM8gJ/vHV

Score

10^/10

latentbot collection discovery trojan

Malware Config

Extracted

Family

latentbot

the11industrious.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot

Detected Nirsoft tools 17 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral1/memory/2640-123-0x0000000000400000-0x0000000000A8B000-memory.dmp	Nirsoft
behavioral1/memory/2640-125-0x0000000000400000-0x0000000000A8B000-memory.dmp	Nirsoft
behavioral1/memory/2640-124-0x0000000000400000-0x0000000000A8B000-memory.dmp	Nirsoft
behavioral1/memory/2640-126-0x0000000000400000-0x0000000000A8B000-memory.dmp	Nirsoft
behavioral1/memory/2640-129-0x0000000000400000-0x0000000000A8B000-memory.dmp	Nirsoft
behavioral1/memory/2680-164-0x0000000000400000-0x0000000000A8B000-memory.dmp	Nirsoft
behavioral1/memory/2872-165-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/2872-166-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/2680-195-0x0000000000400000-0x0000000000A8B000-memory.dmp	Nirsoft
behavioral1/memory/1956-202-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft
behavioral1/memory/3364-201-0x0000000000400000-0x0000000000A8B000-memory.dmp	Nirsoft
behavioral1/memory/1956-203-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft
behavioral1/memory/2640-345-0x0000000000400000-0x0000000000A8B000-memory.dmp	Nirsoft
behavioral1/memory/2640-412-0x0000000000400000-0x0000000000A8B000-memory.dmp	Nirsoft
behavioral1/memory/3364-436-0x0000000000400000-0x0000000000A8B000-memory.dmp	Nirsoft
behavioral1/memory/3364-437-0x0000000000400000-0x0000000000A8B000-memory.dmp	Nirsoft
behavioral1/memory/3364-451-0x0000000000400000-0x0000000000A8B000-memory.dmp	Nirsoft

NirSoft MailPassView 15 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2640-123-0x0000000000400000-0x0000000000A8B000-memory.dmp	MailPassView
behavioral1/memory/2640-125-0x0000000000400000-0x0000000000A8B000-memory.dmp	MailPassView
behavioral1/memory/2640-124-0x0000000000400000-0x0000000000A8B000-memory.dmp	MailPassView
behavioral1/memory/2640-126-0x0000000000400000-0x0000000000A8B000-memory.dmp	MailPassView
behavioral1/memory/2640-129-0x0000000000400000-0x0000000000A8B000-memory.dmp	MailPassView
behavioral1/memory/2680-164-0x0000000000400000-0x0000000000A8B000-memory.dmp	MailPassView
behavioral1/memory/2872-165-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/2872-166-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/2680-195-0x0000000000400000-0x0000000000A8B000-memory.dmp	MailPassView
behavioral1/memory/3364-201-0x0000000000400000-0x0000000000A8B000-memory.dmp	MailPassView
behavioral1/memory/2640-345-0x0000000000400000-0x0000000000A8B000-memory.dmp	MailPassView
behavioral1/memory/2640-412-0x0000000000400000-0x0000000000A8B000-memory.dmp	MailPassView
behavioral1/memory/3364-436-0x0000000000400000-0x0000000000A8B000-memory.dmp	MailPassView
behavioral1/memory/3364-437-0x0000000000400000-0x0000000000A8B000-memory.dmp	MailPassView
behavioral1/memory/3364-451-0x0000000000400000-0x0000000000A8B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 15 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2640-123-0x0000000000400000-0x0000000000A8B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2640-125-0x0000000000400000-0x0000000000A8B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2640-124-0x0000000000400000-0x0000000000A8B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2640-126-0x0000000000400000-0x0000000000A8B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2640-129-0x0000000000400000-0x0000000000A8B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2680-164-0x0000000000400000-0x0000000000A8B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2680-195-0x0000000000400000-0x0000000000A8B000-memory.dmp	WebBrowserPassView
behavioral1/memory/1956-202-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView
behavioral1/memory/3364-201-0x0000000000400000-0x0000000000A8B000-memory.dmp	WebBrowserPassView
behavioral1/memory/1956-203-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView
behavioral1/memory/2640-345-0x0000000000400000-0x0000000000A8B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2640-412-0x0000000000400000-0x0000000000A8B000-memory.dmp	WebBrowserPassView
behavioral1/memory/3364-436-0x0000000000400000-0x0000000000A8B000-memory.dmp	WebBrowserPassView
behavioral1/memory/3364-437-0x0000000000400000-0x0000000000A8B000-memory.dmp	WebBrowserPassView
behavioral1/memory/3364-451-0x0000000000400000-0x0000000000A8B000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

9 236 WScript.exe
11 236 WScript.exe
13 236 WScript.exe
15 236 WScript.exe

flow	pid	process
9	236	WScript.exe
11	236	WScript.exe
13	236	WScript.exe
15	236	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

Processes:

attrib.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ju.lnk attrib.exe
Executes dropped EXE 1 IoCs

Processes:

sauj7ai.exe

pid process

3600 sauj7ai.exe
Loads dropped DLL 2 IoCs

Processes:

attrib.exe

pid process

3364 attrib.exe
3364 attrib.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ju.lnk	attrib.exe

pid	process
3364	attrib.exe
3364	attrib.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

attrib.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	attrib.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

sauj7ai.exeattrib.exeattrib.exeattrib.exe

description	pid	process	target process
PID 3600 set thread context of 2640	3600	sauj7ai.exe	attrib.exe
PID 2640 set thread context of 2680	2640	attrib.exe	attrib.exe
PID 2640 set thread context of 3364	2640	attrib.exe	attrib.exe
PID 2680 set thread context of 2872	2680	attrib.exe	attrib.exe
PID 3364 set thread context of 1956	3364	attrib.exe	attrib.exe

Drops file in Windows directory 2 IoCs

Processes:

chrome.exechrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe
File opened for modification C:\Windows\INF\display.PNF chrome.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\INF\display.PNF	chrome.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

sauj7ai.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sauj7ai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

attrib.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	attrib.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	attrib.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133766998052837203"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1669812756-2240353048-2660728061-1000\{E2D844ED-76D3-4119-8C25-94D4D83AD762}	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

chrome.exeattrib.exeattrib.exechrome.exe

pid	process
3512	chrome.exe
3512	chrome.exe
1956	attrib.exe
1956	attrib.exe
1956	attrib.exe
1956	attrib.exe
3364	attrib.exe
3364	attrib.exe
3364	attrib.exe
3364	attrib.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exe

pid process

3512 chrome.exe
3512 chrome.exe
3512 chrome.exe
3512 chrome.exe
3512 chrome.exe
3512 chrome.exe
3512 chrome.exe
3512 chrome.exe
3512 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe
Token: SeShutdownPrivilege	3512	chrome.exe
Token: SeCreatePagefilePrivilege	3512	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

WScript.exesauj7ai.exechrome.exe

pid	process
236	WScript.exe
236	WScript.exe
236	WScript.exe
3600	sauj7ai.exe
3600	sauj7ai.exe
3600	sauj7ai.exe
3600	sauj7ai.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe

Suspicious use of SendNotifyMessage 28 IoCs

Processes:

sauj7ai.exechrome.exe

pid	process
3600	sauj7ai.exe
3600	sauj7ai.exe
3600	sauj7ai.exe
3600	sauj7ai.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe
3512	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

attrib.exe

pid process

2640 attrib.exe
2640 attrib.exe

pid	process
2640	attrib.exe
2640	attrib.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exesauj7ai.exeattrib.exeattrib.exechrome.exe

description	pid	process	target process
PID 236 wrote to memory of 3600	236	WScript.exe	sauj7ai.exe
PID 236 wrote to memory of 3600	236	WScript.exe	sauj7ai.exe
PID 236 wrote to memory of 3600	236	WScript.exe	sauj7ai.exe
PID 3600 wrote to memory of 2640	3600	sauj7ai.exe	attrib.exe
PID 3600 wrote to memory of 2640	3600	sauj7ai.exe	attrib.exe
PID 3600 wrote to memory of 2640	3600	sauj7ai.exe	attrib.exe
PID 3600 wrote to memory of 2640	3600	sauj7ai.exe	attrib.exe
PID 3600 wrote to memory of 2640	3600	sauj7ai.exe	attrib.exe
PID 3600 wrote to memory of 2640	3600	sauj7ai.exe	attrib.exe
PID 3600 wrote to memory of 2640	3600	sauj7ai.exe	attrib.exe
PID 3600 wrote to memory of 2640	3600	sauj7ai.exe	attrib.exe
PID 3600 wrote to memory of 2640	3600	sauj7ai.exe	attrib.exe
PID 3600 wrote to memory of 2640	3600	sauj7ai.exe	attrib.exe
PID 3600 wrote to memory of 2640	3600	sauj7ai.exe	attrib.exe
PID 3600 wrote to memory of 2640	3600	sauj7ai.exe	attrib.exe
PID 3600 wrote to memory of 2640	3600	sauj7ai.exe	attrib.exe
PID 3600 wrote to memory of 2640	3600	sauj7ai.exe	attrib.exe
PID 3600 wrote to memory of 2640	3600	sauj7ai.exe	attrib.exe
PID 2640 wrote to memory of 3728	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 3728	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 3728	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 2808	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 2808	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 2808	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 2808	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 2420	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 2420	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 2420	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 2680	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 2680	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 2680	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 2680	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 2680	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 2680	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 2680	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 2680	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 2680	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 2680	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 2680	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 2680	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 2680	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 2680	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 2680	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 3364	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 3364	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 3364	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 3364	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 3364	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 3364	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 3364	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 3364	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 3364	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 3364	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 3364	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 3364	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 3364	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 3364	2640	attrib.exe	attrib.exe
PID 2640 wrote to memory of 3364	2640	attrib.exe	attrib.exe
PID 2680 wrote to memory of 2872	2680	attrib.exe	attrib.exe
PID 2680 wrote to memory of 2872	2680	attrib.exe	attrib.exe
PID 2680 wrote to memory of 2872	2680	attrib.exe	attrib.exe
PID 2680 wrote to memory of 2872	2680	attrib.exe	attrib.exe
PID 2680 wrote to memory of 2872	2680	attrib.exe	attrib.exe
PID 3512 wrote to memory of 2900	3512	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 8 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

2640 attrib.exe
3728 attrib.exe
2808 attrib.exe
2420 attrib.exe
2680 attrib.exe
3364 attrib.exe
2872 attrib.exe
1956 attrib.exe

pid	process
2640	attrib.exe
3728	attrib.exe
2808	attrib.exe
2420	attrib.exe
2680	attrib.exe
3364	attrib.exe
2872	attrib.exe
1956	attrib.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\archivo2.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:236
- C:\yqc76\sauj7ai.exe
  "C:\yqc76\sauj7ai.exe" sauj7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3600
- - \??\c:\windows\SysWOW64\attrib.exe
    "c:/windows/SysWOW64/attrib.exe"
    3⤵
    - Drops startup file
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Views/modifies file attributes
    PID:2640
  - - \??\c:\windows\SysWOW64\attrib.exe
      c:\windows\SysWOW64\attrib.exe sauj7 ##1
      4⤵
      Views/modifies file attributes
      PID:3728
  - - \??\c:\windows\SysWOW64\attrib.exe
      c:\windows\SysWOW64\attrib.exe sauj7 ##1
      4⤵
      Views/modifies file attributes
      PID:2808
  - - \??\c:\windows\SysWOW64\attrib.exe
      c:\windows\SysWOW64\attrib.exe sauj7 ##1
      4⤵
      Views/modifies file attributes
      PID:2420
  - - \??\c:\windows\SysWOW64\attrib.exe
      c:\windows\SysWOW64\attrib.exe sauj7 ##1
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      Views/modifies file attributes
      PID:2680
    - - \??\c:\windows\SysWOW64\attrib.exe
        
        "c:\windows\SysWOW64\attrib.exe" /stext "WWy1"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2872
  - - \??\c:\windows\SysWOW64\attrib.exe
      c:\windows\SysWOW64\attrib.exe sauj7 ##3
      4⤵
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Views/modifies file attributes
      PID:3364
    - - \??\c:\windows\SysWOW64\attrib.exe
        
        "c:\windows\SysWOW64\attrib.exe" /stext "WWy0"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Views/modifies file attributes
        
        PID:1956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffa5d76cc40,0x7ffa5d76cc4c,0x7ffa5d76cc58
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,2317254995897112019,17785472100602128761,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2176,i,2317254995897112019,17785472100602128761,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2420 /prefetch:3
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,2317254995897112019,17785472100602128761,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2484 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,2317254995897112019,17785472100602128761,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,2317254995897112019,17785472100602128761,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,2317254995897112019,17785472100602128761,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4476 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,2317254995897112019,17785472100602128761,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4976,i,2317254995897112019,17785472100602128761,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4384,i,2317254995897112019,17785472100602128761,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5472,i,2317254995897112019,17785472100602128761,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5596,i,2317254995897112019,17785472100602128761,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5804,i,2317254995897112019,17785472100602128761,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5908,i,2317254995897112019,17785472100602128761,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5972,i,2317254995897112019,17785472100602128761,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6128,i,2317254995897112019,17785472100602128761,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6136,i,2317254995897112019,17785472100602128761,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5464,i,2317254995897112019,17785472100602128761,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4796

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
7aa1a667e7d346b7503f8a1e0bab0b1d

SHA1
17a43f105b0880a980e77819310d9d4924ac93b9

SHA256
4b20a50378fdc91d7876168448969ec5c211a672117a388f2f39fe6ba3517858

SHA512
ed5420d269a0a6873c6d1136cde229e7aa836949c26033f0e3609961da882eb6895ada70167a1d7cde42245c95dc96e2fe68d695c680186ee20d7e6c7893aeb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
36e0dbc4251544612c51ffe696e3f6cd

SHA1
194e14a57cfcc1234a29fb1962fea42a911fdd2c

SHA256
915396563ffc97e893e1518b6b32f652c25e652f3bc823e86ea0939ed5d301d6

SHA512
825a5e5987113857c12db0f2e236190185b7133ea5b6c04d13fc0a3596b4ff5d62aada3c478233acc30ae6528c50de274e04a2cfcc34293bac67f5cc710ba3fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www2.personas.santander.com.ar_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www2.personas.santander.com.ar_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
eb350fb107a0e882c80a8a2d25ad392c

SHA1
e75cf63e1125289baea0fbc2085cbcf1c8fe2a10

SHA256
eb92a893ed533178c676b5db23130219397c7817078519e7e8309cc4b1c1b370

SHA512
50b53c1b748666a0c6674ccbd9d1eee915c99233d71ad56ad1a9dd34c52dade950f031f6c0c588de47759b5364d2aa09977cb15725f525b9bee0eecb43123358

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7ea3f8b189d9c7bc0ca616d3321fede6

SHA1
34af77b367750d9bc7500302a11884791c2f3a3e

SHA256
828bf4cfa90265f4133c14ef6a2cefd83c6549080b9f0e607d835e7735139f11

SHA512
a833353d2f41e3cff77a4e7e6b37fa9bd44ecffad65cafbe7ee4bafa8536ea887c635b4bd3329fa1c3e00c8016e3f1c117242e666c39741cfa2951439e17ada4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
438e7afdbab07342cdcb197bced698a6

SHA1
32b5b7e0c4d888a091c03041f9154838ae7ffc29

SHA256
c6a9f6e092e8c07d5f70bea9490333d714d840db87b88c8a4d7916592cdd8e3f

SHA512
f19bbc4b51745b2d338a46e3404ab47af801d6135fb08f397cdfb11a2cd75530cb88f0c9adf6d000e649c99d38dc58e30d393cf89595b192d2804e3f7019715f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
80abe7c24d49f596bac91fad3a9afa3f

SHA1
7b9c337a8312992e932ce0e5a23828c6197bdcd7

SHA256
5752693725e0c511e8303020c0755e05a8011d5aee5efbc493b633c0b8e844af

SHA512
15af952ec06340685cbf1160a08a4b81bf14396a2cfe402588285e4f941ae2be35b726161692bb8c20ea5c5e3a13f487b7cee813b2b2c2c37bde749eff9cb515

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e347823f566491e7f0f7d11a44c6a807

SHA1
1d38082fdbca168791702446e180507622eecfb8

SHA256
ce241100963705c3fdd1bee90236b8702f315c4869d858d17e4804a1b3e9cd77

SHA512
f7219cf83c019e67df6b0c981dc4cb2754c4365503479c009d59e603983f43700c1df76aa213ffc48b03c20edc1c79fd9bb4120b0875dcab25a95e1eca4444f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
573d07a9180c33b6db3dde9f116cd5eb

SHA1
59d688b887b570241c368e103199963956aab3ce

SHA256
8e70d6265f9a6eb0fcd9ed98fe8f438710514a71ec90419e64db717728d65924

SHA512
588e29e4aad9ff096870a31d63d0453dd98df5f4ad1091b63f9b72a2c75b674a7202124e39048dcf55f38e5d855ec182a1fbf68aac48e7c3de75bd10fc25340b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1fe9d4e9e349da08e336192ecb5adb18

SHA1
b92601a727c2ae6ddd58cebe83710c7051cf0887

SHA256
34eac2bc3aa165b0260a5b1fc942d36ad22d4982e4410fe41ea847ce3748d0c9

SHA512
aa85393cd785597460b3af32baae7af860b82b6e78de1a72fab95c847e54895622faa35693de3e6caa65aff1b662641d00d4651570806d59616f2cd17a66c67f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9f131695fc31cf24792ff732f547969c

SHA1
35e5dcfdfb16166f18688d7413eb215764cdac85

SHA256
6dfe5b50be2cc16dcbde84f71433415dbd79e0d97147340488f5191e9b5242ee

SHA512
426398346ac6d12f50f53ece387c1a9339e5294c9e8e186ea2c3d218f6433d975b411db1a0c6c4cb7b3e3e644c862ccadec337cc1e97e1d7658d5e9bbdec36eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1c55c7a54d573e1b91ea40a23457b2b9

SHA1
8e0891d2b3e275a721afa8f60ab8210221109723

SHA256
bbaba20e42aca4662e25252651ed22fdbefcf4569dd03cfec87bf41511d8bf92

SHA512
b47e0bf862596137d566f132a4ba83a02f916d1767150d615432c4d60df6da0dffe0b523e1df4f182f7a4cbc6d1723db5cec68d23c58a88a5db31ab5d7b304c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
42568f21b0464720b5a7a51fb29975f3

SHA1
4e5b2a9f63c00511f504ddaae29b0ab9e70c49d3

SHA256
cf2bf850a07073dfdeed8c5f126bf73a2518aa1d8336b6e0f57068805d8dff3c

SHA512
d78812b65f4e0c90a0a5ee5514a01589d20596376b86aa8a8710749e4324da36e217c2d28636ca8cffeb5916b215773592b48074f29e380a9d7343dc2feaff45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3809115141fdbcd0deebd43de0612365

SHA1
bb7a28f4ba01186dc505791c4ed7ba4099f66044

SHA256
e5d29038543f2bc614877efb94bb9d26e5c4d8fee48b1cacdac1775623b4aa53

SHA512
2d5b34af3cef8303a3ce07fbae80b09cc20d7d3c0f14b7cc0659426d742bbbc14c483a446acd37ef94e7410c1278af38d4e9e17f35494015c4febaf49e41100c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ee32794f4fd83854be3c1b329ece5884

SHA1
ae5f44987c15e11d1b900b4c1ef66bd796026695

SHA256
988afa392bfc253a88c88a68b34b89f6cac4f8e5f36f50136f4b8396e271400c

SHA512
14a414797576f10a7c4456d7514fa72a38bc4b426b9bb1e36d26c74aae8be4404ea3d80bd472f6ea7c960aa8943a977c0b94014a1428a37de417213fa57490dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
15651d15aa7fa926beceb6ea6c41d495

SHA1
e14759b7b3a2bf2d0bbe091cb00c8dc6beb765ca

SHA256
e5304ce92a940b8a1f0e741b001e3cc586077c9fe4f0ae9923ea95976222a9f3

SHA512
32132171e5f40489a83c5033c3186ede99572ac0e9fb6f62c266159cf6bc97c0cc3310bc9586f54776f53f3e5fde2fd67eccf7a2f5ca76d2411bc00e11c1661b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
639f325ae119d7d2dec01fdd761190b2

SHA1
da089232ae670917e228f5d76ea9990a2a187398

SHA256
eedbf92737e7268da57afbc1c2c40842600308eb709da1278e263f7efdf709c6

SHA512
868d390ce8602c75c41ec35d112273a6bd9cd54b2b742c567328da080fa859ccb0f49f5d04eedd1c69d8d69a56bfe4872d90f6fd948a5413cc8636ab5cd70bc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dd52a168154675449feda52100737fbc

SHA1
dc15e20217a6c88fcbf8d3e78be03cc3cf64cfc0

SHA256
34ef081f34307531b3a4a1195635abacbab02f3eb6cb96552dbeddaa10fdd226

SHA512
5ef9fac4d3fcfce5fb4ff77040184df59da4ec307008be1d99e5c06f14258ab5f90b632e19a250d68af0187034703671fc1e66584b798b3bd531372a58c5d9f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f33579d8dd7d0c47b8a515b7cbad1316

SHA1
baa9bcc97176f0a4b9e2bca408a71ad2f5f0533d

SHA256
c777346d3c494185231ea754f30dc1178b6f33d118af996a03cfe5f6235f4525

SHA512
4bdb6f5c330c778736df8a87bf2dbaa47fa41d4e3ffca887d5aca75de23493fce7484051a5b9918b20fdf186e6e297a0c16f1c35890450d34b10e02120010992

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a0e2997b2c1933dddf427249512ee658

SHA1
79e63d199b2480a5959da9bb8b600b9a5f26c107

SHA256
6312fcecc1f15055890b2e2da97362e2db560b61a5e03e0f0198f6cc64ba5f2a

SHA512
dfc0bf887cd87c48d47d804c24ff3d7f62d203832d3cff8852bc00a53ef839e06d5c7e076afdf7311bd719b5341c15e2019bfbbc8d1c36db532d4beb8596fb60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
bef5090b48453a01b04c46f45d2321ba

SHA1
f9df439de21dc8ff111ff52a0f566ea7598fd499

SHA256
38304e7771f63d1e1a8dc1272d67c986991b2324053f6cd59e753e9f45837238

SHA512
f73a245a47dcfc75412a0edf010239c092e52df8b25558dfd35d2ef72d715ecebd18a243f8acd71a14992b63341f606043aba02dde4f4dba6fe41c3d87abfae5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
edc4a0855f85c99f293c984109752a38

SHA1
fc5ec5ca6d748f7b43b6c70b027fdf0c0fa9254a

SHA256
bf304515769aaf744c710d801808f3e5f0d46b77d76c7305c994688f96f1af19

SHA512
4335e7711254c3d6a753f3cc5cb46a785b95682c9e004737e05e6d7fe1ea27acd23b57cf35d6d69f65d474f8e050232ec3597474d8e08871a8339c7e1ddc5a8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
cc68e784fd43c3300cfd27e90be7a58d

SHA1
8fe7d0e10e373b5e267911be8a1c8a255051bc1c

SHA256
ec0e3bb291877262988272acc3b508b91f5acc95b1fb0d8400eae35235221707

SHA512
0baba208a47375428d8e5d9d3cc5aaacc28f7042ebdeff3eba069b3404df717fb28a747dd21e154a39f21af2210aac31848182459757c40773367be460fe5bd9

Download Submit
C:\Users\Public\M

Filesize
118B

MD5
94e1f9ed0b9ce1788a612e6a555a5c70

SHA1
c6430b79317b905ae3629f6e277eaa49504c930e

SHA256
f5bac19d3e99157b499322465face778a7efff879bae7210542781562484f63e

SHA512
2316305a37a994e66a505c28489cd36b2d63099db5e4422e5ed5c41d070788edf24ba434580e052552f5c8eaf74e1ca032bc22b0b823b72a0eb905dc050e8857

Download Submit
C:\Users\Public\M_

Filesize
3KB

MD5
dadd68b519a3344403ff181dd8ae7b84

SHA1
2e1426532918dc2056faaefb62b30a732142dc31

SHA256
5eb6b079cd85bfa151bd22bad5963936fc2fdfcc6a9f71bb8d30e1ee3c169297

SHA512
a045a1e49ba4f879e09ae3ab4cb2d83b3cd67790fe3a733c16c4c5067eda0ee48dd1a0a1074d5262e6f4040228b4647ecb7ba6eaf582ba9a4c43b11298f95d7f

Download Submit
C:\yqc76\WWy0

Filesize
4KB

MD5
74ca227fab253edf47c8f2b49cce54f8

SHA1
5ef4052d121533903ad033b761f9400e92915a82

SHA256
646b8caae96c84d0c233b8dc9a8be33f795c3b5c832486d1dc681509bf7deb47

SHA512
f907c3bb1193a1df83be0d04b7f9b97d1ffa991b833282a62e82626982625403d9de6823930b152dd34ea81e19798796b32c1bee835f8187ea8fe74a330a187c

Download Submit
C:\yqc76\libeay32.dll

Filesize
1.3MB

MD5
de484d5dafe3c1208da6e24af40e0a97

SHA1
3e27b636863fefd991c57e8f4657aded333292e1

SHA256
007342c6b9b956f416f556b4bd6f1077e25bd077cc4f4ac136e3fccb803746e3

SHA512
e871ba131965331dcd6e7ae0ef02734e157676c7d2bba791dae274395eaac90df3e0851bd67f1e12461287860281d488e7e82c9c11cbf4657052eec78f678c3d

Download Submit
C:\yqc76\sauj71.7ju

Filesize
6.5MB

MD5
74610db92b577b7cf450fc7f342ed893

SHA1
e89804298c31f1f10705456747d422750b7b8ca1

SHA256
528d9ce3547a516ef5ed26df867aa4c62bc25acb579da669f1c21475013dfe96

SHA512
53a239f13b820ee9e243e6159d402baad3b97ada7c72b0e0dd60ff6fb17a403516986d2aa72bfc6cb08e2899dc30e0c1031981b05b24aec9240f6cdde037d827

Download Submit
C:\yqc76\sauj74.zip

Filesize
267KB

MD5
03a26a8edd127c6e6ad6f236ba55d5dc

SHA1
3e24917a5498acc9bcba007c505be6b9e8f9221e

SHA256
d7213d6f61bdd50bab86418df637812ec70dea540487b2573f9b0b3be50c3a5b

SHA512
20ab2d7d2da87282751a1c9ed61d4849b764c20255393edb071a24a54053b3355f5da2e9e0184175b790f6616d684b493c43f4596a99ef71067a16097c36f325

Download Submit
C:\yqc76\sauj7a3.zip

Filesize
475KB

MD5
4ede770867bd4ecff58bc6c5f7674756

SHA1
6ead54cdf4d5a9fefeab4da924d2add935dd4da1

SHA256
b3f5dccbba26bffa2ee3568f336fd22e840c12c9822318b68d2211ce0df43ab3

SHA512
48551dff7d001bad772171c6b320d4f8ffdc3eea7fd0c13f535252adba91a8cd3493a678d6e097e6bc831e065a916d29ca9938de3a4b99aedb8e8a24137a87f8

Download Submit
C:\yqc76\sauj7ai.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
C:\yqc76\sauj7m1.zip

Filesize
4.6MB

MD5
f445fb71cf478a86aa1e8c7cbcff7ea6

SHA1
5f86ae87a935cc33f50e13446a672fd3bbcca883

SHA256
9b470561631da04868090f0414e2a714da42f4af9a6343d793e83deb27f24f96

SHA512
212deacd0cdb06490d46803b1379899cdc46eb8a05fb9894de6372387f113e07a1fdccb39c29dff1af63c54e49fe87f6ba35be84515d260bf6196c7304854f89

Download Submit
C:\yqc76\ssleay32.dll

Filesize
330KB

MD5
284e004b654306f8db1a63cff0e73d91

SHA1
7caa9d45c1a3e2a41f7771e30d97d86f67b96b1b

SHA256
2d11228520402ef49443aadc5d0f02c9544a795a4afc89fb0434b3b81ebdd28c

SHA512
9c95824a081a2c822421c4b7eb57d68999e3c6f214483e0f177e1066fe3c915b800b67d2008181c954ad0403af0fa1ade3e4ea11d53ab7e13f4a3def9f89cf4f

Download Submit
\??\c:\yqc76\sauj7

Filesize
267KB

MD5
436a4a86939d49bc5a06acdb45c9362b

SHA1
da618557aa66528a9c826ed4c3c0b98962c4802b

SHA256
e4988316cabd17af9087b6cb4c4979876450ce36582d5f553a0b2a3846d4c6dc

SHA512
dd67861763defb6dd5a54b0e19f0a5069abe05a3ed35871f31827b17ed3801224e81e53f3d7ac741958ed25721f35d66d59eb29d306f4ad6c24b789774f1bd9c

Download Submit
\??\pipe\crashpad_3512_MHGIZKAIONLKIWZQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1956-203-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1956-202-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2640-126-0x0000000000400000-0x0000000000A8B000-memory.dmp

Filesize
6.5MB

Download
memory/2640-123-0x0000000000400000-0x0000000000A8B000-memory.dmp

Filesize
6.5MB

Download
memory/2640-125-0x0000000000400000-0x0000000000A8B000-memory.dmp

Filesize
6.5MB

Download
memory/2640-412-0x0000000000400000-0x0000000000A8B000-memory.dmp

Filesize
6.5MB

Download
memory/2640-124-0x0000000000400000-0x0000000000A8B000-memory.dmp

Filesize
6.5MB

Download
memory/2640-345-0x0000000000400000-0x0000000000A8B000-memory.dmp

Filesize
6.5MB

Download
memory/2640-129-0x0000000000400000-0x0000000000A8B000-memory.dmp

Filesize
6.5MB

Download
memory/2680-164-0x0000000000400000-0x0000000000A8B000-memory.dmp

Filesize
6.5MB

Download
memory/2680-142-0x0000000000400000-0x0000000000A8B000-memory.dmp

Filesize
6.5MB

Download
memory/2680-145-0x0000000000400000-0x0000000000A8B000-memory.dmp

Filesize
6.5MB

Download
memory/2680-137-0x0000000000400000-0x0000000000A8B000-memory.dmp

Filesize
6.5MB

Download
memory/2680-138-0x0000000000400000-0x0000000000A8B000-memory.dmp

Filesize
6.5MB

Download
memory/2680-144-0x0000000000400000-0x0000000000A8B000-memory.dmp

Filesize
6.5MB

Download
memory/2680-195-0x0000000000400000-0x0000000000A8B000-memory.dmp

Filesize
6.5MB

Download
memory/2680-139-0x0000000000400000-0x0000000000A8B000-memory.dmp

Filesize
6.5MB

Download
memory/2680-141-0x0000000000400000-0x0000000000A8B000-memory.dmp

Filesize
6.5MB

Download
memory/2872-166-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2872-165-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3364-436-0x0000000000400000-0x0000000000A8B000-memory.dmp

Filesize
6.5MB

Download
memory/3364-437-0x0000000000400000-0x0000000000A8B000-memory.dmp

Filesize
6.5MB

Download
memory/3364-451-0x0000000000400000-0x0000000000A8B000-memory.dmp

Filesize
6.5MB

Download
memory/3364-201-0x0000000000400000-0x0000000000A8B000-memory.dmp

Filesize
6.5MB

Download
memory/3600-118-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download