asyncrat | 40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff

Resubmissions

20-12-2024 17:30

241220-v3ka6szqez 10

20-12-2024 14:21

11-12-2024 16:57

01-08-2024 19:42

01-08-2024 19:39

01-08-2024 01:19

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2024 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
Size

175KB
MD5

19f436930646f3e8f283fa71f2a4cbcb
SHA1

99397666d23ddde6078496ee73bde00ae9403393
SHA256

40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff
SHA512

addba9ff5bd334ddfec06f87d2c69c06028b82d0aab732f73ef35e84f46d889f48ab6823371a9b9f415e2758e62270866682b833bca7406354802e0157314e0d
SSDEEP

3072:+e8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTDwARE+WpCc:W6ewwIwQJ6vKX0c5MlYZ0b2E

Score

10^/10

asyncrat stormkitty default discovery persistence phishing privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendMessage?chat_id=5795480469

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/3668-1-0x0000000000E90000-0x0000000000EC2000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
A potential corporate email address has been identified in the URL: WorldWindProResultsDate2024122053100PMSystemWindows10Pro64BitUsernameAdminCompNameYQRLKYONLanguageenUSAntivirusNotinstalledHardwareCPU12thGenIntelRCoreTMi512400GPUMicrosoftBasicDisplayAdapterRAM16154MBHWIDUnknownPowerNoSystemBattery1Screen1280x720NetworkGatewayIP10.127.0.1InternalIP10.127.0.113ExternalIP181.215.176.83BSSID92d8f5746705DomainsinfoBankLogsNodataCryptoLogsNodataFreakyLogsNodataLogsBookmarks5SoftwareDeviceWindowsproductkeyDesktopscreenshotFileGrabberDatabasefiles6TelegramChannel@XSplinter
phishing
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\e2745604ba35f1f2c194cf2fad9269a1\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
File created	C:\Users\Admin\AppData\Local\e2745604ba35f1f2c194cf2fad9269a1\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
File created	C:\Users\Admin\AppData\Local\e2745604ba35f1f2c194cf2fad9269a1\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
File created	C:\Users\Admin\AppData\Local\e2745604ba35f1f2c194cf2fad9269a1\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
File opened for modification	C:\Users\Admin\AppData\Local\e2745604ba35f1f2c194cf2fad9269a1\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
File created	C:\Users\Admin\AppData\Local\e2745604ba35f1f2c194cf2fad9269a1\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
File created	C:\Users\Admin\AppData\Local\e2745604ba35f1f2c194cf2fad9269a1\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3332	cmd.exe
4296	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133791894614536230"	chrome.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3472	chrome.exe
3472	chrome.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3668	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 920	3472	chrome.exe	85
PID 3472 wrote to memory of 920	3472	chrome.exe	85
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 2804	3472	chrome.exe	86
PID 3472 wrote to memory of 3748	3472	chrome.exe	87
PID 3472 wrote to memory of 3748	3472	chrome.exe	87
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88
PID 3472 wrote to memory of 3292	3472	chrome.exe	88

C:\Users\Admin\AppData\Local\Temp\40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
"C:\Users\Admin\AppData\Local\Temp\40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe"
1⤵
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3668
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:3332
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1468
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4296
- - C:\Windows\SysWOW64\findstr.exe
    findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4424
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3236
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2144
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd9cc9cc40,0x7ffd9cc9cc4c,0x7ffd9cc9cc58
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,16039215223098419175,4099088430663385985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,16039215223098419175,4099088430663385985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,16039215223098419175,4099088430663385985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2528 /prefetch:8
  2⤵
  PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,16039215223098419175,4099088430663385985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3264,i,16039215223098419175,4099088430663385985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3168,i,16039215223098419175,4099088430663385985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4808,i,16039215223098419175,4099088430663385985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5052,i,16039215223098419175,4099088430663385985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5172,i,16039215223098419175,4099088430663385985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5296,i,16039215223098419175,4099088430663385985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:3256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5300,i,16039215223098419175,4099088430663385985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5476,i,16039215223098419175,4099088430663385985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5344,i,16039215223098419175,4099088430663385985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5380 /prefetch:2
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3600,i,16039215223098419175,4099088430663385985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4388,i,16039215223098419175,4099088430663385985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5472,i,16039215223098419175,4099088430663385985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3268,i,16039215223098419175,4099088430663385985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3376,i,16039215223098419175,4099088430663385985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3348,i,16039215223098419175,4099088430663385985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=3344,i,16039215223098419175,4099088430663385985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:3988

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\79fa1c80030de49905152229c9957af4\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
96a761f901637778c832837204f0326c

SHA1
5e6c74803c196e4c18ab3dbe5e3d89f6dc7e4494

SHA256
9cfd2421bcfeda4ade814075686db0b753db4df4797ccba1561c4db355d7145f

SHA512
372e4785e3f1f26210cd8c93510deacbc51d476488f6efa34f9a0be8bf5e4606a4d74e8ee9bce2e5ba0d51b3db4926fead680a3dc36f7ae0988c4fe74fd1a4d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
16a615b7a0f7156d3111156795c3b8d5

SHA1
f099381bdde293eb21473e2155e514ab899de000

SHA256
413c8c4e4a0406247fe5a2588cb15d9b87568678e0c6666f0b945bb251276960

SHA512
a34bc66fe9777fe606bd4a63533d5f84dd93d5800cd31d43a2a37ce01777597fc90bf39a6b495cd5fd3ac13d53581e7671bac553997872c575a2c6183d19fc95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
736dcfd8776c4b5015fd5382d06228b9

SHA1
026bea7e89318ba9bcce6e1e4bb2b19a3410e43e

SHA256
949191e6c67f6527dc48255a37ff70709280cb29e1df3cdfd0b9b65ef8441893

SHA512
0e12168eb683889419f6d8c50242724216732bdef363e0afd4caf7b5b0a61f2ecc8a8a479008f1148d56e840b2674a8d0b50e2b8768d72a1dcfb381f64445d44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7b0c16f615c6c8a8c0a737572de870d6

SHA1
843911f41dbca2c64ec8e46f99157ce7c89dc920

SHA256
f59797c7a59d063a3d72521f60da4c531383f4afbd1a6482df79ba33ff060916

SHA512
e40bd9cc65877f88362593994b27c15753050f48a2042519bf9db4dee62276c50d6241ec91ab5b90b54ae76d9ce9ab27c62ef42f630a2c20c07eb572bf571106

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9d742ebc7a167b84ca58e6549d0c27ca

SHA1
ff0f8cdf3db0a45a83d471203a6fc02c6af6da15

SHA256
1a9eb39bd7f2781aaef649f129418a797d6de5af5e190236fbf3acaa73b5170c

SHA512
ea5c06bf163030054dbb8747917c3dde6b6e9669d7666939b553a4732f8dd40889de5a5eb775b97899cfb82f1f737bbfb0d527a53c8fd8fdfbf2de469a2dab08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
742db316f9208a87cf41b751c7bb27cf

SHA1
33b8bd8df0368784cc29aeabbb3ef69e462fdcb3

SHA256
9b05e8044d97f6d296affd867035eadcef3f3c63e67c27a6ad0594494d9aa07f

SHA512
97d075d2d6b04a8cf5eceb37a64ed78eaadf867d7d33b640db6d989d1718c4155e8c6ed7d09ac101e1b8ab1f3c0b952cff593f8821a49f8b484ba3c39cef033b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b4277f5152afb4eac70f5eca9af54c3c

SHA1
090b299e2abe8e09c27e091cdcd2809253f65a84

SHA256
2a697e54273d57d5c76e6569898cbd23a78ab8993b16e0b7f232b4422fc23732

SHA512
439867503e19adc7064de54ffe6ad27a28b139ec8547066321135dba4526d2599efdd6492119ee3d191d1ba5e8e3cd6409568fc00d1308fd20f6f8678a2e8219

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
838e13fd440507dde4418bda4617d46e

SHA1
f73b6af234a64c0ef7bebc6d955673d0b62e8d99

SHA256
d8430f0c9f880ffa3d583b3a1bc2518bc22c496d80e3a9b0ed635f7735508269

SHA512
28bd8d4fb32560033a7a3842081c689811f990f36080a484710aa02b8320edba75fea587d2cc0e997da856c42e01f05b90fd24d7f6e2d7dbf0d37dbd3b9140bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b70c1e38c9ee2ebaaec21a520f4a009e

SHA1
4c3054cc6d302f7bd5bb66fd74f89eb9e1d278dc

SHA256
557c345b7fb2984eda57e49f5c360d800c86b2897589a178405800cae3808578

SHA512
d5ac8c2bc97c50d7d5ce7a15316e9015ff2d535c6530007f8c376b844fb31da2a7c4bee01121e26ac0714ecd3c53b56daa3b9f4899541f4476415c03131de03f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a40bc796f46d3008c6060571c9a4a8fa

SHA1
aa5279a841fb5dab13d0e409b0c4474e99536700

SHA256
2a67afe355b70a4f00fa14f7624a32e457a5ef48660c40ac2fd7852e74dd4032

SHA512
1d7ac126ba97af541d2740346520704ad4e79107b814d37bbe24121a816b776f05713425983159e5378a0cceed8686c72c8ad20a46693a5d35f5738f8ef41580

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6396c8b8292fcf1b949179eb9307e601

SHA1
d6f092722ede5b954177972a590ba2ad2e273a42

SHA256
7890b3cb2e5045b2990668939831d648ec99b0fd173d38ea470217f4431cb530

SHA512
e47ef24e4beb0a1c5c6488260bd0635c47aaf8b54cc037065b1d0bfa845188cf661429f11ba6fad8e9195785adf1d7555a8943a76ca75f96e6469a272f0bfba9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eb19dc3fc2a3a35944e58f23e8122828

SHA1
973d29b6fe6b7141f47f5e5d2c89692c558a6218

SHA256
1bd74b986fb626448fe68a3ef2fae53a8f5347c226c3c00cd936fb7905fbea7a

SHA512
879fc27b155857d7541de5c09853a9ce27a14474f0b107bca964e39d9e0897dab21842c15ae27da486a2d3b7797ec249bc66ff841b2bbe0afb68591f168bad69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1630511d5330da21e956b38f666d4cf0

SHA1
7049cc1794f54a599e631597dc871a429e06a77c

SHA256
259b3073c9a19cf25b047db2c3bb5b51632775159415d85d7f2794653327691d

SHA512
4977c6c8479c76326182232827adef4e7140f2c9b60a8d69f22e938b89b18d8cc526c121faa1d9d4ddd4336564007181c1f885818290bfbb5773bef8c64c3427

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c06d8079608fbe4026fda2a59c197d5d

SHA1
5b736a89b0a9c84a3fa7f0970f8ef6565852774f

SHA256
dace319f76d5867cfc1ad004355d2a6f7e47dac1ef61ff310a01f79af656dbf7

SHA512
afd0b67a948f673b3cc5edeb2b9ad523f85028dcba2f86c3d2ef8066e49d3a8980666a0cae9a91f8aa01ceb5c6301ae10d1e795db6c8c8ef41ecf8d717b86ce0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
dc5c74debcf65cf716a670f3cddddae9

SHA1
5a47c64997ef32e3d270ac14a90a0a225708061a

SHA256
f6a9cd25ab209d8b1116e3d09b1f879b8df97078c91baf85745b3d6ed538691e

SHA512
d70385006a112ef5fda5aba2834d984adcef697e07c5c700f0b3c5ced719b50fcb20ef3cf0440de19258ebad2259bb5530b32b9dd2390844b67338628348c9f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
e29c9162c6d98c468423b74a22b9aa6a

SHA1
eb2afef6f50df356dc0a342169309a133eafd6ae

SHA256
4cfff19479fa1df0a2474fa24088238e02c59ac7e2a110c53e1c604d66d38ba3

SHA512
bdaaec2420955ce0448c2002df7df4b48f3efd087580a726b8cd581abd773d6d44472f293df59e622ff52016a72f08b4431e4675870f39010eb537229b6a77f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
db4ca95046b784afaff71d7bd275b070

SHA1
fbd806bb60a0162afe750ecc6958ee065bfb155b

SHA256
d19cee39e29abb4c4fee4c14bb34ba35d87a83a492158eabd55121f97664ba83

SHA512
7e0dacfbe86549ea01c58931e05ba10f7251dfe88d08351de2bbcf08fffa13350234442e705759494458528c042a9f7d6959adabd5a716ef5bfab3998e1d6263

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3472_875137163\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3472_875137163\a3d57a7c-ca9c-4702-95ca-da730a306649.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\e2745604ba35f1f2c194cf2fad9269a1\Admin@YQRLKYON_en-US\System\Process.txt

Filesize
4KB

MD5
86813563d3fcd847da235964fe608dae

SHA1
c84d6cb18c0611aa50996f1fbb04d82aed8779b8

SHA256
f6e690278c97544a506bcd1c63d0675c31e83c3ed4386e7096efcb333670393d

SHA512
8a092a6cbf5c789414d20af1e47331ce3c5a288793713c6be526afc6458c23be1119d3838096bbc4eccaa2d242165c7e4d10281b7efbc2c2813ad872d0b5f0db

Download Submit
memory/3668-540-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/3668-593-0x00000000068F0000-0x0000000006E94000-memory.dmp

Filesize
5.6MB

Download
memory/3668-0-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/3668-607-0x0000000006380000-0x000000000638A000-memory.dmp

Filesize
40KB

Download
memory/3668-613-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/3668-592-0x00000000062A0000-0x0000000006332000-memory.dmp

Filesize
584KB

Download
memory/3668-589-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/3668-27-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/3668-564-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/3668-2-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/3668-1-0x0000000000E90000-0x0000000000EC2000-memory.dmp

Filesize
200KB

Download