nanocore | hxxps://file[.]kiwi/0b53492d#nKmGRC7Tr_03-PJBpS2CKg

Analysis

max time kernel
599s
max time network
599s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
27-12-2024 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://file.kiwi/0b53492d#nKmGRC7Tr_03-PJBpS2CKg

Score

10^/10

nanocore discovery evasion keylogger persistence phishing spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

danieleina4439.dnss.net:54984

127.0.0.1:54984

Mutex

d81130f3-1af4-4f7c-920e-a8d8b11d626f

Attributes

activate_away_mode
false
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-10-08T20:09:12.253548236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
d81130f3-1af4-4f7c-920e-a8d8b11d626f
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
danieleina4439.dnss.net
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8003

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore
A potential corporate email address has been identified in the URL: [email protected]
phishing

Executes dropped EXE 5 IoCs

pid	Process
1772	svchost.exe
4896	svchost.exe
4036	svchost.exe
3096	svchost.exe
5144	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Service = "C:\\Program Files (x86)\\WAN Service\\wansvc.exe"	svchost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WAN Service\wansvc.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133797980830808339"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
708	schtasks.exe
5952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
60	chrome.exe
60	chrome.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1772	svchost.exe
2504	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
60	chrome.exe
60	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeDebugPrivilege	1772	svchost.exe
Token: SeDebugPrivilege	1772	svchost.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeDebugPrivilege	2504	taskmgr.exe
Token: SeSystemProfilePrivilege	2504	taskmgr.exe
Token: SeCreateGlobalPrivilege	2504	taskmgr.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4296	SecHealthUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 1044	60	chrome.exe	82
PID 60 wrote to memory of 1044	60	chrome.exe	82
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 5088	60	chrome.exe	83
PID 60 wrote to memory of 4988	60	chrome.exe	84
PID 60 wrote to memory of 4988	60	chrome.exe	84
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85
PID 60 wrote to memory of 3168	60	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://file.kiwi/0b53492d#nKmGRC7Tr_03-PJBpS2CKg
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff86f86cc40,0x7ff86f86cc4c,0x7ff86f86cc58
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,5896504266478004330,15227599990022244601,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1804,i,5896504266478004330,15227599990022244601,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,5896504266478004330,15227599990022244601,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2424 /prefetch:8
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,5896504266478004330,15227599990022244601,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,5896504266478004330,15227599990022244601,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4736,i,5896504266478004330,15227599990022244601,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:1336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5356,i,5896504266478004330,15227599990022244601,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5328,i,5896504266478004330,15227599990022244601,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:5612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5624,i,5896504266478004330,15227599990022244601,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5504,i,5896504266478004330,15227599990022244601,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5684,i,5896504266478004330,15227599990022244601,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  PID:5412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6056,i,5896504266478004330,15227599990022244601,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:3080
- C:\Users\Admin\Downloads\svchost.exe
  "C:\Users\Admin\Downloads\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "WAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpCE8B.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:708
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "WAN Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpCFD4.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=840,i,5896504266478004330,15227599990022244601,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:2172

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:964

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2504

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5004

C:\Users\Admin\Downloads\svchost.exe
"C:\Users\Admin\Downloads\svchost.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4896

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4296

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:4252

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:3152

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:1016

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:4928

C:\Users\Admin\Downloads\svchost.exe
"C:\Users\Admin\Downloads\svchost.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4036

C:\Users\Admin\Downloads\svchost.exe
"C:\Users\Admin\Downloads\svchost.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3096

C:\Users\Admin\Downloads\svchost.exe
"C:\Users\Admin\Downloads\svchost.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a4b180c7464088b9d3b4a46f5cd379a0

SHA1
9d8fa88fd0257068b456c52347996e3e54cecdcf

SHA256
187c9feb87ac1a13f204bb4bc918605d9812afea3b6ca59643d8785b638fbad1

SHA512
9eee6817629e513dbe8de05554f42edf6c4ce239a8955072ab831b761de047d2b30e8c780be885733b4e5b1ac12e86f77afa73bffe13f65125d6276d27f5f4f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
17e4b48d33f31baa3b993f386a784875

SHA1
c8ae81d3fdeda14aeb4e9d5a3bb9ff18941fb8c8

SHA256
641cd261a17c1aa2698abdea4bd78c780031514d52ca0558c22166c8af590f7e

SHA512
5b94221209d3c439163ebafbe0f419f2009f4ca129755ceed827b40cca9baf5793b53de5776dac312cc5c9a24a5dcd5b0c4df6b11d152eb9aa0eb1d806744372

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\00\00000001

Filesize
319KB

MD5
8c73f5ee41f6b890c6cbe239bcfd3b9b

SHA1
0dfbe9f92ecd0ec2199d6012866942e11206ba2f

SHA256
4a000831a33c63eb436d84c65deb110373febac9eb5c0cef7a7752c1263eef3a

SHA512
451a8fbac08f0d5d32f50db66ea1fafe41deca4d07e010315974c35dfa443cdb9ce8417904598db14903098eb904a3e48a8ded12877a2a642ffb1762a8ac7c27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_file.kiwi_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
8f1fce139cd15adb70628d32755ddf18

SHA1
0c743a36739e9352d412c137bbbc1d8e5b9f06c0

SHA256
0102e47e1a527626e8b103a5d38a04b7ba9c5adfb90c81884319865e4fe1d279

SHA512
8842a5ad4aa4565f748995c49cdd03ac99867d697bc2e5ef099ed74db093e053d428dd67d1440c5e13bb0ce944a0d7022dab92e1afad87fd78e03c570e0b2b47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
a1d1d12ccc76f90f2a6afc78c517aea8

SHA1
570d1f8b6a00b2323c01e2a527c96b1ede628524

SHA256
505f0c508dc422bb2d3c1a18ed448933e88842a1b150c312ac5d2ff3e889ea57

SHA512
ee619d37111b0065999bf21387ccdfc951343cbe334209facaa98b2de104ba4dc8c162284c55d7c14c4fdfe700df46a9414b500270219d67f8438f9296d90e7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4e3a3474f3ff348321b7677e4915ea3e

SHA1
4e33107747a6c7771ba997659125af76963eb3cd

SHA256
08dcb8fc30ae9d25dad1f195cf5608f732838b929bd2693905f9d7db0fa7a305

SHA512
b6aa32170ffef38b8365c7d652590ebcdbf0a0b037ca4e4d20b2aa354734695cd912d21e22cbd410f1d94eb43e4be5bd5e183949fdd3aadb84c2922c416d5b24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
918e508499db3cc8019726866179b846

SHA1
28c11afd14bd5f501e39325fe7f4e7e19cd8f630

SHA256
e11d046ea7f160d458239cea5ffe570e344d6211cb4bae1887345c6e235ebf22

SHA512
ca3cf0aacc24b95e5954ae8e53bac23b17c1ff4f06f9c39681b1f13197b0a55dc2b60b1d0ac659a8a28bb3b1b9cd63c5c9a4f479ad440673eea8a0c29ab616cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
44fc40899611a7ef1dae2ba347578dcc

SHA1
e648298732234f830f16875d5eb2c9c835506230

SHA256
e04beb6b00f928a99e0bbb526319b44e8df0cfa50677db6a53ce875f491fa25a

SHA512
29f34915be4efb98ea9506bd8bedf59693527ae9270600fb886eb5cb8d33d96ccb0e2983a5efc648ea013b92a6adce70258d6d355ce245396c112ca7ddd75d95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
14117a3b1a4e6c11bc5f46d2e12b0be3

SHA1
cbbe64a5c50438686141eb3b694d0a076318660a

SHA256
fdac73e21fbca5f7d7d37db7046a6c45b6d9fe40d7e76c1c43d201bde9e72d68

SHA512
6f8c9358ece5bf07d951f71411b7030ab38bb7047e4da2e6b8f89b94372a6c093b298a884a62acb39f08b3514f5d86aa87b1dc550c4c5608d1c454b547778f9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
821cf6d317616da63c751e82af8756b6

SHA1
77e0bc211eaa08957da4d8f621b4564ae2c91119

SHA256
ae968d1defe3198a04480e18c2c6079f6534a386abcbd20e6f81b784ddf8ad59

SHA512
be1ce8c5613696dbee445be99ec5c2e8068c9ddf1e82e1c6e184e3c3e55a24ce64d547e11597d4dd6d5f1217b12dcea54546ff17554bd9e3e1436acdda486bae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7977290f48016e2ea15197c5281f15f5

SHA1
908aacd72101bcb26f414b941906f41a0995151e

SHA256
b343d68e2520c34f0a8dbdcdf812217922eace1a7703a049665d8dfe50fb0206

SHA512
4aa1e6f3972654b786d9ea3613c66275c0387cf12df01d68210e77d439ad2e01c9243ba59c19479a305d89abf6136f499aebcf6283c558ad260ec1668af32bc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c5657687a8fc703f80bd48716d558552

SHA1
b7412f2b9cc2f9ed47e33f7b94cfd95aa2218e50

SHA256
0ab08d342d0de112e15ddca4ef08397af304701c9d3aad4ac974e78f0bdc1c20

SHA512
a08f17ea6d2f84261c7b0d00256e41b0e0580bad0bd8682056b7d8123d8a54b4a8a0a5fbfcd5b221e1a6b7a61a11d0ff5d8b9c6c62cf86114d7c91d3b96cbafd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3f9dbc873e92df6fb47a8fb1319dc5c6

SHA1
18ea8455898ef86ca823029620324d416e1905c4

SHA256
c446ee528c65a6a8343d8b573af7696314afd9d73129a8496cb7b6d48364922a

SHA512
814859eb9f32acbbf5ac26422e2e041e9dd9e78c07adc55ab4e244d8a2dd008fbdbf3a050c4be92496302704e4cf9947291ca208ee6875403d37ed04bc78e5ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
63bf23d12eb7ccf4b2a64863cfa75af3

SHA1
0bb12ea5bc92cdaf63ce545a58c9d3e3bbacd258

SHA256
3e7a1913aa13a398e438bbc7d448b12fbeb25b2a8c3afb90ce39052af5131702

SHA512
0c4e8dd14f7797e82ae4f675e3907a4de75d3738580e05fde63840f9b97911bf2ca0950fd180642058afe4b44d1bf39fa7120901f49a15f47d8eed982f7eff1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f0d3d4e573f2398749f3ad38ebd47d18

SHA1
b450ec16c5518a259da37cd79c073dec1f26c81e

SHA256
f03c84546b5feb25ebf02ed100d088117d5a9163c102fff0f04b5d0d4eef2a56

SHA512
aedbbbd10aa4d4d505b834e5eaf26a1149d9d5b668d35e87357bbbdf2fc610e7a4c8a35ecbcf008a9e202665af620611204fdc9a10c9b479542db34351d6c221

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
965a8ce69549a5fd9b5725c29a0eb4f5

SHA1
8204025c6c3b281fa748460ec57222270538f648

SHA256
d3e41ad5f6f0717c8814e370d842565b5a19f4b1c79b6ce6d7d8dda581f20a6e

SHA512
1c92896434267e2f79bdeb7e8f36a10cc06a0ebea81c491f0835d5ee4eb9dc84bbc07fae5d75bef56a7f3bc75ab5e9c4601fc99c2f2d2a274f649023a8cbb9d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
50744c044b81e2e87266d37833ef14a8

SHA1
7b2ab91ed770c4e5d87ec6bcf08f37042a36e5fc

SHA256
6baae189e544ca90820fa5a68e71eb4694407b69877e9d9e4956149d1e5cbcbe

SHA512
a4adea6a48d65e3af7eef1485b6c31061959d0341ffdd2e9e3a38a3f0411d62496b6cbad0f003632478e2af68ed08be28df044b2988e3f174b9a66fe0c46fc3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f808e79462e9f7668bf8591b755a5806

SHA1
412bfa49163b640ad8ec8486c76d731af84c9a73

SHA256
c949f9efad3d5472f09a595e1c4aee1f4a1047d98da8728cfbaab2552bf9ce0c

SHA512
c9ea2e7de8876d487bea9d02e670a33d005a5abb75e1f631ad709b04fbac5ad0c25a79cdd3e31912531accb0f1c42a81e104b654059efca5cfa2a64163e21c12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ad06c106e63ad4cee04d069deeb0c8ec

SHA1
348b98109504b65f872048e4d0b6126fc0a36655

SHA256
aa11fd18ff9403d27c77f6d00a6ead16f616d87f2f5c29acbdef61321eb8b40d

SHA512
4991751cfb855e018593e4417abffe37db9893f7fb4a776cf6af03c5b086bf3a73bdaf38943146fb6555aae15f8a1f06af6a4ed8ec5230adb2870c49e7ffbc11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
537bd67641495cf5ae283e36418f0716

SHA1
b4259f15da93976e0af66095fbf36c78071342dd

SHA256
36cbfa574af1bcf3f90fd625657a722aa57514ec453acdfbae0c9247c5d3d399

SHA512
31ea3a2e227b6e3ca205db135428d40ae505c4b9b9285b6153f8f89fa25cabff74199cdd773762edfaf8a21223bc6c043aefbad0fe039018177f13b0b8057dd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
16c6dabfe33bcab697bfdf3398390e0c

SHA1
ed36873d6780020aef5d83f5cfdac6864fee0d95

SHA256
cbab85887f9672c3c1cf02027677a3688d4b50070cc5ba0e3f29a68422248165

SHA512
aa25cb04920d04b6271b6a01feaa5824af53360b8afadd8168385e44ffe801237807a912ad1d0d61f5549a70a7a76e615532899a4528c8238f6f4db89a5de5d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2b7746b16335cb3f7a97fb1734d3c0c4

SHA1
5468621c052304282a82d02a0c1e7214ac922e3e

SHA256
48a0d3a0379062e8592065890c755c09233acead8b874fb1f094f4705c06c3ae

SHA512
e5302be4abed70d165e4ff556d9b45e7abf76e773f8d203fa384312497f4177d4a28882e0a8aa06da55e519958bb40350dc957ce8ce3c6c60173e5258cbc18db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
572181b721772563684aa863abd1e1d6

SHA1
d4bd8b9d6734f790b68d02004c971e361ed5af8e

SHA256
0106d66d89bbd728b863687ad2a6f244a4d11f2b8cd0051617d78cb09e46a9a0

SHA512
1a846d2692658087da2791ecb6d9e84a8b02bef3c3ca24817b5e3f80bbf8042be65eafa573bb832dba5c291832b4f695ee2f65b3dc0da5800151fa7ede4b0b42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b1ab91f3187cba73f259d7015df8e13c

SHA1
70cdbb9f5086e4a2d13a854e541e42c95985a01a

SHA256
38b54813a6d914d0941f09ac268a6d789869ceb77914c893929b5d1414ba1c4b

SHA512
46d35d32b63de65ed6229e1adcc96d5c846d8f249ce902ba7f3dba950d9affe17dba9f3e7e9ec0e0e689d1e89d7c57374c8ba8cec478374b3e9ab0ceea00a61a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4cea2a2236b2b9462c801b723fedf29c

SHA1
02e699278458d0d1f330df22c12874f61453e7ba

SHA256
16b80fd6d9dd4e4da9f547e8bcaddf111c2b0cd3b982e8a8a018455020a983b3

SHA512
703c8db6de7a68491c7ea93d607b95c37d4d8cd45b46b914bf48e0c331771161e069ef3574f996fa8d6e8887a6d2b4b7e520d0ff7a7bd993fc61d684d6b56fe7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f5eccbc94be66badf480b35a5287de95

SHA1
91ded4497e88bd2bab7061c234ec5d8bd8ab28bb

SHA256
0e300ec939f7fcf94f4c813468a938ee903f4477461e16becb333f1f41d96212

SHA512
0ca88b05d5fd7e1606109e20302fcfcaf8992204c224e687a0c5c125ef6b5d526a87186d9476078125d61a725bf11a8ef6df60edd785f0d08904f578d3c8f7fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1f41d4090115c2843405676b3f70d1e6

SHA1
0eb7b5d39dd59335ea237c6e2ba7a1bfcbe53cc7

SHA256
6ab20617cc72a6fd4ce2b03b0643611303294809acbf968c70763dddf7a51b1e

SHA512
0f3bf483ffb7636cdcb80c206406d9982eaadb4ab33e32926d38b9dbc8f6de1a52d7893860b29c2271b5830363ed23d1d15ea9f9d3f13c5294924440c5553f92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f2238d8719520c89ab0f3342d8e3bc29

SHA1
26a7c34afd852edeb8629e6bc93bdec801a81073

SHA256
355ea55e0e8eef72ce4ddd1ecc8f37275772cc6add922012da3cfbbfef2b5f81

SHA512
e47585afdbf8424fea07bbe50733a38a6dd84369a7aa6209bcac1094a12d264baf542759ebedc2e81300a4689ca3b17c956ae6451f4e90d9bf130e74dc3ad368

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
de6a970a4264997ec14905b200f63c7b

SHA1
eee77c6135d03be7018240b429eb3e1b7bbd9298

SHA256
a7f46411bcc52a5a9ab31c639fff448c9f13f57026f9e4b59f685810691da7df

SHA512
d6bd2e2155b37572a3968378b3f9dfabf501c8e83f4beea3e9a88c7595b9889638d1a985cf4ac3d594137a94bd2ad81190040e83f6cbe1b5af2bc68a37d7cd5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dcc41e5fd4c31117b70042f0fe41bdfc

SHA1
dcb58dc470a7be8e8639ac76198d82cb1dffa92c

SHA256
130814d1fc5eabaa3229d9802b1e01ac81351ffca14413a2c6b9a183f054e3b2

SHA512
d10c81da6d4b56e653445105bf6c1ee6476a5e34ba34f8ee31497d9ededd502ec98621ececff1e05e086138246bb8a8b1e5b923f2536edaeabb01a1039450f02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6d0ab09c8f1a36eaf3268aad72caa22a

SHA1
9b833ee63425112e9b8f7232281fe09ab2ae09a7

SHA256
f06982e6bf80246659ee242a80a5871752ef04dc023d63c86b5ad7a0444e2799

SHA512
98a01351e4d2a6d884dc6cfa59f101d113c676cfb48c51136d2828cf249a4894c6d20f196aa40f83e0fcd8db900d0e800c295104b60c391aa99c96cfaa7cac58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7ad17b0e4ddaecb9c50e4b4052eb38c2

SHA1
fc81137d1c67959580fea2c2d211556e483d645d

SHA256
2b9681fb437e31ae7de3a073ee1e0ca4651effd1a77e3d85ff32579b4832119c

SHA512
76366c90a3e639acb997ca52e263e1aef5862ab9a4462d378611d66d99b64fc73c5584250cd17a1fcd4b47d51e801166eab820e08ff47073ca6ff7f5824a1a92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b5204fd4a9954b0b4d002da3e5fef2da

SHA1
a7572ea13048fa5efb9aad3b1805a4198af89d20

SHA256
3cf2383e527760ad132c7a95ea97b347e3f16d8cb55b7200fa77e802928a2cad

SHA512
494820c3bae508629210d1e600c74acac4edf7a00cf66fa9725c76c1e48f24056aab68f6967f702084bfba42f08919373095a051c8366e03251a17e501b45ee3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dac4072203906e398d8dd795a96fd21f

SHA1
ce2f54345becffe9a7d60a4e08cc7f3e9400244f

SHA256
a415bed7bb6a97a927c86db9d776950ccccbc2a2c0033219b84df282745fcf7b

SHA512
af75ea9fea0cb3479027afab9a8b54b6cb9291a534cdbc2eaa0f22d53abd58a009fd131deb7a2b7174c3ac8b125df168d8649580908ec670f0f05a6bcedfe84c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
debadc51767ede13e3d61d6083b3f9ab

SHA1
7d6cb961128469a2e759016d6384b17d2de111e6

SHA256
87efa8a44d523de7cc5077ca74a6cfe5172de7f0111ff28c8506fcc63ccfa81c

SHA512
b5fe0931ddbd2f0aa688398953b7ee52fefe34cfe6503429460aaba7764dd1d57854860d8787867dfe5e321703b8d3d2df24190601092ab13c918804af16aedd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
106b631fff95781505509e2427cec5d9

SHA1
b937dfc38ec1c0ea45d136878ae2bc0a7ceabcfa

SHA256
d6aab4ba50fbd4371ed423abdef0447af28d75ca0dc5c3a35343407b417f40e3

SHA512
b3bc4e1dda1bbac88bdc85c3eebd8d63d37c5c263380aed27a3a9b7d3319ff5c89dce8fa145a6360d2e4ca2c722abb943b9505090c92de1c408a9ec04dd150d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
ab2e5210e820684bf9ddef2a1fd7ddfc

SHA1
3206584acdffd80261e1f8e8d6b8d1fb6b89eebc

SHA256
b8a9714b051b2dce17fc7295b8e3578fd56afe803c253ad0371f797dd27d8af8

SHA512
47bb9828050390a267b10adad57bf24f17db4f9ef9bdc49de17fcf529045fccafe499e7e6034c4824086a30a63138898064c6edb8779a69f0f8643b880c13f39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
60b50e360f39364b658696637e738548

SHA1
5155ed1bc9d0610bef41f6a4b574712743caa4de

SHA256
44416f9b5c25509546274f4052a439260ecc6bf16b0ea4de4def00b7297c4f2c

SHA512
23c9b8cc0e9be36fa9067d1caf642fbc0605af7d9b31645577b286661ca7b1d807bd9c82cd09cef6f6e8aadea3fdfe2b10c2594c6dae0a06a95c9b562ff691fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log

Filesize
496B

MD5
ecbaa939f4cf8a3c2c4070882a0e61b5

SHA1
5d3733a1386294a95406ade7803c954efe300f0d

SHA256
6f4ae1353d3c20efa457b72225566ee4e50b1c7ce19115faead0ebd6c9711644

SHA512
1cee74c6a3ba57a9d6f6e3d08de07f72c349b308551b2cc25110f077dd3437968b7042a4a5817ab286039d3c74b94b51176317d5d4bfc0d748a03712a7895a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCE8B.tmp

Filesize
1KB

MD5
0e11b943e2417acec4645ada2178b7ca

SHA1
05b97bd610f008988c36abad3159cb0112e38f5a

SHA256
3b916786cca0bee009cb107f780a480fbb351bc4d5a088d7e1db3604589a1ed9

SHA512
be4438765736ae4712aaffd5eeaa4e4665940bf84183bdeaa1f7f72718774f1d3520b137352679ab71df10655f2c707e57a0023737b20b1536f4556b61972cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCFD4.tmp

Filesize
1KB

MD5
9f0deb7cf87b4ae4efde9cc98ff481db

SHA1
760265641ce176e555c64bedb494f6f75fd0bd27

SHA256
a57110ccf892c8ca9c9b28b2608f4d37a8b5df1bfcf1411e7c62b500e82fabda

SHA512
6517829d9a09df437a340485bb87183c7a80135a76296308120e0ab385f5ffa7369a2ace9655ffaf1c594869cc6a20015520b6b0c681217b641b3c58127a29de

Download Submit
C:\Users\Admin\Downloads\svchost.exe

Filesize
452KB

MD5
06ddadbed297ba9e3bf653daff4cfdde

SHA1
39e641e72067c5cb28339148c1d051fe7e96fb8a

SHA256
f218752b490d48f4bf935b35e0ad5b699158f9472a621f23e8b7eb10c9edf863

SHA512
c546583f4d78d75462c68b6e2e1b2b757d91cac266a7b197810d42d6fe183c3c5393c9e6a95cce6d4edccbbd4cdc40213eb3bc6f3b3930232810cc2bcea3fcbb

Download Submit
memory/1772-164-0x0000000075172000-0x0000000075173000-memory.dmp

Filesize
4KB

Download
memory/1772-178-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/1772-146-0x0000000075172000-0x0000000075173000-memory.dmp

Filesize
4KB

Download
memory/1772-147-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/2504-174-0x0000024465360000-0x0000024465361000-memory.dmp

Filesize
4KB

Download
memory/2504-166-0x0000024465360000-0x0000024465361000-memory.dmp

Filesize
4KB

Download
memory/2504-167-0x0000024465360000-0x0000024465361000-memory.dmp

Filesize
4KB

Download
memory/2504-165-0x0000024465360000-0x0000024465361000-memory.dmp

Filesize
4KB

Download
memory/2504-171-0x0000024465360000-0x0000024465361000-memory.dmp

Filesize
4KB

Download
memory/2504-172-0x0000024465360000-0x0000024465361000-memory.dmp

Filesize
4KB

Download
memory/2504-177-0x0000024465360000-0x0000024465361000-memory.dmp

Filesize
4KB

Download
memory/2504-176-0x0000024465360000-0x0000024465361000-memory.dmp

Filesize
4KB

Download
memory/2504-175-0x0000024465360000-0x0000024465361000-memory.dmp

Filesize
4KB

Download
memory/2504-173-0x0000024465360000-0x0000024465361000-memory.dmp

Filesize
4KB

Download