dcrat | 51890bfc6f223014ff16f4bfa6ace8e2d2ec3c81eb6965406813b9ca32b08508

Analysis

max time kernel
39s
max time network
65s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04-12-2024 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client.exe
Size

2.1MB
MD5

bf4f13d82d217ed69d80124c50d9441c
SHA1

b7ee7d109f61371342e924e6a0c3505347dd318f
SHA256

51890bfc6f223014ff16f4bfa6ace8e2d2ec3c81eb6965406813b9ca32b08508
SHA512

1ba17e55d6d1f6fda99daffe3f11f995d5e8434901b2aea9105728ccbff1b81727d96bf8811a62e8367fca0ec23bdea331165b001088b183281164269668d2f4
SSDEEP

49152:IBJzOZxI4F2vH8tr79p4MUm96NqpbJEQS8M0fPqnG9c:yBOZxI4Fftr79fkNqS07u

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	404	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	404	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	404	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	404	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	404	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	404	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	404	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	404	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	404	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	404	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	404	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	404	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	404	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	404	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	404	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	404	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	404	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	404	schtasks.exe	86

Executes dropped EXE 2 IoCs

pid	Process
2004	chainreviewwinrefSvc.exe
1072	SearchHost.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\uk-UA\chrome.exe	chainreviewwinrefSvc.exe
File opened for modification	C:\Program Files\Windows Media Player\uk-UA\chrome.exe	chainreviewwinrefSvc.exe
File created	C:\Program Files\Windows Media Player\uk-UA\7a73b78f679a6f	chainreviewwinrefSvc.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\SearchHost.exe	chainreviewwinrefSvc.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\cfa885d449487c	chainreviewwinrefSvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2088	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133777993453166555"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	client.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2088	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5068	schtasks.exe
756	schtasks.exe
2864	schtasks.exe
2312	schtasks.exe
760	schtasks.exe
2084	schtasks.exe
1564	schtasks.exe
3124	schtasks.exe
1720	schtasks.exe
2596	schtasks.exe
4824	schtasks.exe
1648	schtasks.exe
5112	schtasks.exe
4528	schtasks.exe
2544	schtasks.exe
1376	schtasks.exe
3184	schtasks.exe
3400	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1560	chrome.exe
1560	chrome.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe
2004	chainreviewwinrefSvc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeDebugPrivilege	2004	chainreviewwinrefSvc.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeDebugPrivilege	1072	SearchHost.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 784	3596	client.exe	78
PID 3596 wrote to memory of 784	3596	client.exe	78
PID 3596 wrote to memory of 784	3596	client.exe	78
PID 1560 wrote to memory of 2324	1560	chrome.exe	82
PID 1560 wrote to memory of 2324	1560	chrome.exe	82
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 3032	1560	chrome.exe	83
PID 1560 wrote to memory of 2812	1560	chrome.exe	84
PID 1560 wrote to memory of 2812	1560	chrome.exe	84
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85
PID 1560 wrote to memory of 2924	1560	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ComponentCrt\sBEZl9whlNx1coUjXXPbcOghFKEeD7haTOPQzUr4aUDA.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ComponentCrt\1lvoZv4qBcC2Me4L.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3016
  - - C:\ComponentCrt\chainreviewwinrefSvc.exe
      "C:\ComponentCrt/chainreviewwinrefSvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2004
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TNFCFwmMVN.bat"
        5⤵
        
        PID:3864
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4256
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2088
      - C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\SearchHost.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\SearchHost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7fff5d01cc40,0x7fff5d01cc4c,0x7fff5d01cc58
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1804,i,5843997527113133915,5206319509978870886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,5843997527113133915,5206319509978870886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,5843997527113133915,5206319509978870886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2224 /prefetch:8
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,5843997527113133915,5206319509978870886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,5843997527113133915,5206319509978870886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3588,i,5843997527113133915,5206319509978870886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4788,i,5843997527113133915,5206319509978870886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4484,i,5843997527113133915,5206319509978870886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5004,i,5843997527113133915,5206319509978870886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4864,i,5843997527113133915,5206319509978870886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4804,i,5843997527113133915,5206319509978870886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,5843997527113133915,5206319509978870886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:3096
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:2252
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6b5f94698,0x7ff6b5f946a4,0x7ff6b5f946b0
    3⤵
    - Drops file in Windows directory
    PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4848,i,5843997527113133915,5206319509978870886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4348 /prefetch:2
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4304,i,5843997527113133915,5206319509978870886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5272,i,5843997527113133915,5206319509978870886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3512,i,5843997527113133915,5206319509978870886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:3960

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\SearchHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainreviewwinrefSvcc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\chainreviewwinrefSvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainreviewwinrefSvc" /sc ONLOGON /tr "'C:\Users\Default User\chainreviewwinrefSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainreviewwinrefSvcc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\chainreviewwinrefSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\uk-UA\chrome.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\uk-UA\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\uk-UA\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainreviewwinrefSvcc" /sc MINUTE /mo 10 /tr "'C:\ComponentCrt\chainreviewwinrefSvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainreviewwinrefSvc" /sc ONLOGON /tr "'C:\ComponentCrt\chainreviewwinrefSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainreviewwinrefSvcc" /sc MINUTE /mo 6 /tr "'C:\ComponentCrt\chainreviewwinrefSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ComponentCrt\1lvoZv4qBcC2Me4L.bat

Filesize
98B

MD5
4dafd9e9509ac96be6aa5baec659da4d

SHA1
a091552663ddea89536560f232b8339f318c9cbc

SHA256
0c53b640295abd25e8387957941e29f5c4e765376365409164ac39e3365a6ccf

SHA512
d290c162347e236e0e197c52afc4f4b33f1eba2498dfe2ad86c414c87ab70c9fbbd2132cd08bfb4137e8555a095ca9acb6675727a4a5f65ccc46141c16698132

Download Submit
C:\ComponentCrt\chainreviewwinrefSvc.exe

Filesize
1.8MB

MD5
11cca9e2c6dc9c2a728b89e7314ec26a

SHA1
58aec3b662a1c4e8b43cc454d90813ac89b5e612

SHA256
300072795259e7b2baa69a7a3d19ffea1844dffc391e710c654aa1b66b0e2197

SHA512
fb1fcff1c94e73b1227f65b237639e25604d614cfe365f2108bbbfdb489b97410fdc17411b8f00fc5b8f57d51080b4496010537a6a4ff9b15b7bdd24f89d0df7

Download Submit
C:\ComponentCrt\sBEZl9whlNx1coUjXXPbcOghFKEeD7haTOPQzUr4aUDA.vbe

Filesize
207B

MD5
b292d233456b16f26abc1aa07c9f5de0

SHA1
7b025705136101b5618d81d8ebf472335eebde43

SHA256
e75d13d4b079fafbd413fa8182c270f1f0f41b1b19b3469db12de226fed67b2d

SHA512
1c9c3846ab0e392dc6833de2a9238c91b6042b5095521196a3ceae8830edf7fb6d73118ed023b2e2daf287a48084fa8ee40241248a231cf668d5cc5e8f947ee4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
297a96320fef8247cd58b85f8f4a2ff6

SHA1
0c3226cedb8d4bb2311619e49048eca03fbe64b2

SHA256
ba9d71a02c1c25af2747e527a37cac1fd468438e97d8f88f889f651321b7e7ab

SHA512
ebd078303e36aef8f8182061bb1fa7c2f74b404e304220e3fb554cac2854749ad0c5311dedc58fe934565ab8da50a0d87df43e2c3a0a80fbee1b6130f2405fa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f41e3f4ed52dd607d52facf5b345e61d

SHA1
df5a39b7b8c1aad0a617ba0e7624e2352e9d2088

SHA256
b12cd2fd0d249f35d45a34582720dd0521fa2bb3a43042ea51d3da738ed1d3d6

SHA512
7bb5e8c9641c5bf0a2bac60ffb20958ad8ea9d3030dd37ee788254bd806d4174c56eef4291191099164083deae54092d0b5583b32c6df0ebec43fd061fb1ceda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a974a62ed5512401a4bdd6ae188aac88

SHA1
d8adaecbbb808021f4d5a52e7d0a3822517372fb

SHA256
ff8f6af1965315eff4c8e8f0cad93d1781ccb090af748f4443b85289269b03d6

SHA512
b7f622eeadee5f6250fb865ed036e6ae12c1902837df5f2371a56945f6fc5afce3f11172dd7ffb07c02a8ddafcae28c293472dcd1d4d57bd7d739df9b0d9c347

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f17c49fcf60fe8a03d3f3f0c99a68691

SHA1
2385ca9003ee1794dbf9c0129a2870a42a354ec3

SHA256
0176916fab5eef36cbef35ba570d905feef776d91ee78a2a6765cfbcf9fa9fed

SHA512
01fcf13a4f17f76160299aa390ec5c863dafb33ffdebe83d1a67400491bc306a225422c2440bfa461bf4cd68283181835b2c7100755c34993251c7f9ae65ca7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5cc6b31a8a3604a208caff68df69d884

SHA1
b82945c8f7375ab75b17829e1760a2023896e86f

SHA256
ce4b3685e74015f962638b269be9993b20bd3d80e11b71ce6b3c94677ccb9b72

SHA512
963f811c0db09ea57597d6ba7e61e6e2b31e45473215144fb78c0fdd5e76e8cf88614f00c1300b332fca50c66ea7854aaf2c2c6c4d8fd6cc05dffcb64a6a8aac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b5dea4396641f0cabc5b6db0302e5651

SHA1
29a6a5e0ae978eba1569a5e6c4f1f0ff419a3bf1

SHA256
715abf67d7b5f17421b2fdc0c4a0d3479cb4e733545422b89a8c2a74c13b09fb

SHA512
6e6dbf12c6de4be92f5eae2c3cd4885362172c444c9f347ecf70aafdcc3a35775251395ee477755428fba817c467a887e76606bc49c13a79ae96b7cfee68e261

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
21dbe56b8bef011315b92b5e20593575

SHA1
4027f2087f757bc0d46617a9f5c95771d8c08e44

SHA256
63ee01cc6a6ff824bfa0c219749b5de5fc35c64f4f5c869376bdb77e95c2b55f

SHA512
68d5fbd5d977f97aedecefcd1c1abc20e5d72b54f40a2ad6dc60e3663aeeebcd80ba0e1bddd54acf9efbb95dedd7814762ce08861e457903d08637d1daefb07b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
70ae02067b2ee04daeba49d5fa0cd172

SHA1
0cf84ddcbb18d430f0ec298954d406fc94254e89

SHA256
159c94ae8fdf0ad24498eabb168f41856b3fd3215c18cb7c175309b0a89a6247

SHA512
60adc00b18071c5aa57093c97e401c027958e9e083a698666d36ccfc698de596836495944b82d6e2e447e2476631e72580d0bfcbcca03e47888d634f34d55edc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
fc1d52a558e3720473927448afe24958

SHA1
4fc21c98f35e7a841af1bfa699db7ba9bcfedc79

SHA256
c49f343295d3a1615601032013f950d81fbb28e01b39f6fd6b63851f9c52c968

SHA512
7e1cc296cb54f68aa507afd88526f21833c7eb1d6148c379cf56621f8fa992ba2777ab13f902a77ceca04e03374a413a9d540d7057e4f20d071a68091a38c4d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TNFCFwmMVN.bat

Filesize
242B

MD5
2e09cda9facc0add8c4f5904c7ca2436

SHA1
011cd3887d18a2f06c5ea334bdc8ec1c36f34810

SHA256
05f9177309eba5d10e095a7acd42cfcfc07f5f0b98c32e77029432e1974f3cc1

SHA512
a2bfe35ad57df8591d5eb55ce04cb1b4fd307b6067cc230621ce0a48dc28833025a934611b15be0072f578c8ccce4e8d14001f432055f8ad2f10ac3ffe32a0cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1560_1029719202\4e4e6f10-30bc-4b5a-b3b7-96d11171a2d1.tmp

Filesize
135KB

MD5
3f6f93c3dccd4a91c4eb25c7f6feb1c1

SHA1
9b73f46adfa1f4464929b408407e73d4535c6827

SHA256
19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e

SHA512
d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1560_1029719202\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
memory/2004-455-0x0000000000500000-0x00000000006DA000-memory.dmp

Filesize
1.9MB

Download
memory/2004-567-0x0000000002950000-0x000000000295E000-memory.dmp

Filesize
56KB

Download
memory/2004-569-0x0000000002980000-0x000000000299C000-memory.dmp

Filesize
112KB

Download
memory/2004-570-0x0000000002B40000-0x0000000002B90000-memory.dmp

Filesize
320KB

Download
memory/2004-572-0x00000000029A0000-0x00000000029B8000-memory.dmp

Filesize
96KB

Download
memory/2004-574-0x0000000002960000-0x000000000296C000-memory.dmp

Filesize
48KB

Download