dcrat | hxxps://file[.]garden/Z01XJyuAz2yPo4d4/client[.]bin

Analysis

max time kernel
68s
max time network
62s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14-01-2025 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://file.garden/Z01XJyuAz2yPo4d4/client.bin

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	4396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	4396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	4396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	4396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	4396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	4396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	4396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	4396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	4396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	4396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	4396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	4396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	488	4396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	4396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	4396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	4396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	4396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	4396	schtasks.exe	83

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
4944	client.exe
748	client.exe
2164	chainreviewwinrefSvc.exe
1456	chainreviewwinrefSvc.exe
1548	smss.exe
2672	chainreviewwinrefSvc.exe
964	smss.exe
3780	smss.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\56085415360792	chainreviewwinrefSvc.exe
File created	C:\Program Files\Google\Chrome\Application\spoolsv.exe	chainreviewwinrefSvc.exe
File created	C:\Program Files\Google\Chrome\Application\f3b6ecef712a24	chainreviewwinrefSvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\smss.exe	chainreviewwinrefSvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\69ddcba757bf72	chainreviewwinrefSvc.exe
File created	C:\Program Files\Common Files\microsoft shared\chrome.exe	chainreviewwinrefSvc.exe
File created	C:\Program Files\Common Files\microsoft shared\7a73b78f679a6f	chainreviewwinrefSvc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\wininit.exe	chainreviewwinrefSvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\GameBarPresenceWriter\cmd.exe	chainreviewwinrefSvc.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\cmd.exe	chainreviewwinrefSvc.exe
File created	C:\Windows\GameBarPresenceWriter\ebf1f9fa8afd6d	chainreviewwinrefSvc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3656	PING.EXE
652	PING.EXE
2136	PING.EXE
1732	PING.EXE
464	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133813380764815143"	chrome.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	client.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	client.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	chainreviewwinrefSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	smss.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\client.bin:Zone.Identifier	chrome.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
464	PING.EXE
3656	PING.EXE
652	PING.EXE
2136	PING.EXE
1732	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1416	schtasks.exe
2600	schtasks.exe
2772	schtasks.exe
2288	schtasks.exe
488	schtasks.exe
796	schtasks.exe
5024	schtasks.exe
3216	schtasks.exe
3764	schtasks.exe
1344	schtasks.exe
4600	schtasks.exe
2024	schtasks.exe
2060	schtasks.exe
2328	schtasks.exe
3680	schtasks.exe
3656	schtasks.exe
3204	schtasks.exe
4856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3188	chrome.exe
3188	chrome.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe
2164	chainreviewwinrefSvc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3188	chrome.exe
3188	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeDebugPrivilege	336	taskmgr.exe
Token: SeSystemProfilePrivilege	336	taskmgr.exe
Token: SeCreateGlobalPrivilege	336	taskmgr.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe
Token: SeCreatePagefilePrivilege	3188	chrome.exe
Token: SeShutdownPrivilege	3188	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
3188	chrome.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe
336	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 3476	3188	chrome.exe	79
PID 3188 wrote to memory of 3476	3188	chrome.exe	79
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1260	3188	chrome.exe	80
PID 3188 wrote to memory of 1444	3188	chrome.exe	81
PID 3188 wrote to memory of 1444	3188	chrome.exe	81
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82
PID 3188 wrote to memory of 1788	3188	chrome.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://file.garden/Z01XJyuAz2yPo4d4/client.bin
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa0860cc40,0x7ffa0860cc4c,0x7ffa0860cc58
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,5789977012202133084,15782619323931696619,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1812 /prefetch:2
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,5789977012202133084,15782619323931696619,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,5789977012202133084,15782619323931696619,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2188 /prefetch:8
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,5789977012202133084,15782619323931696619,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,5789977012202133084,15782619323931696619,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4720,i,5789977012202133084,15782619323931696619,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4448,i,5789977012202133084,15782619323931696619,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4600

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3612

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3088

C:\Users\Admin\Downloads\client.exe
"C:\Users\Admin\Downloads\client.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4944
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ComponentCrt\sBEZl9whlNx1coUjXXPbcOghFKEeD7haTOPQzUr4aUDA.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ComponentCrt\1lvoZv4qBcC2Me4L.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1068
  - - C:\ComponentCrt\chainreviewwinrefSvc.exe
      "C:\ComponentCrt/chainreviewwinrefSvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:2164
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7vvCXjjJPy.bat"
        5⤵
        
        PID:4008
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1340
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:464
      - C:\Program Files\Windows Sidebar\Shared Gadgets\smss.exe
        
        "C:\Program Files\Windows Sidebar\Shared Gadgets\smss.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yY8shRuf5J.bat"
        7⤵
        
        PID:4860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3600
        
        C:\Program Files\Windows Sidebar\Shared Gadgets\smss.exe
        
        "C:\Program Files\Windows Sidebar\Shared Gadgets\smss.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JRGN3N9ZXF.bat"
        9⤵
        
        PID:4520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:5016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2136

C:\Users\Admin\Downloads\client.exe
"C:\Users\Admin\Downloads\client.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:748
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ComponentCrt\sBEZl9whlNx1coUjXXPbcOghFKEeD7haTOPQzUr4aUDA.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ComponentCrt\1lvoZv4qBcC2Me4L.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2244
  - - C:\ComponentCrt\chainreviewwinrefSvc.exe
      "C:\ComponentCrt/chainreviewwinrefSvc.exe"
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:1456
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b5cCzjWvuk.bat"
        5⤵
        
        PID:2480
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2240
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3656
      - C:\ComponentCrt\chainreviewwinrefSvc.exe
        
        "C:\ComponentCrt\chainreviewwinrefSvc.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JRGN3N9ZXF.bat"
        7⤵
        
        PID:3088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:652
        
        C:\Program Files\Windows Sidebar\Shared Gadgets\smss.exe
        
        "C:\Program Files\Windows Sidebar\Shared Gadgets\smss.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZI9TpMxUin.bat"
        9⤵
        
        PID:4616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1732

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\microsoft shared\chrome.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\microsoft shared\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\GameBarPresenceWriter\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\GameBarPresenceWriter\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainreviewwinrefSvcc" /sc MINUTE /mo 12 /tr "'C:\ComponentCrt\chainreviewwinrefSvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainreviewwinrefSvc" /sc ONLOGON /tr "'C:\ComponentCrt\chainreviewwinrefSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainreviewwinrefSvcc" /sc MINUTE /mo 5 /tr "'C:\ComponentCrt\chainreviewwinrefSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ComponentCrt\1lvoZv4qBcC2Me4L.bat

Filesize
98B

MD5
4dafd9e9509ac96be6aa5baec659da4d

SHA1
a091552663ddea89536560f232b8339f318c9cbc

SHA256
0c53b640295abd25e8387957941e29f5c4e765376365409164ac39e3365a6ccf

SHA512
d290c162347e236e0e197c52afc4f4b33f1eba2498dfe2ad86c414c87ab70c9fbbd2132cd08bfb4137e8555a095ca9acb6675727a4a5f65ccc46141c16698132

Download Submit
C:\ComponentCrt\chainreviewwinrefSvc.exe

Filesize
1.8MB

MD5
11cca9e2c6dc9c2a728b89e7314ec26a

SHA1
58aec3b662a1c4e8b43cc454d90813ac89b5e612

SHA256
300072795259e7b2baa69a7a3d19ffea1844dffc391e710c654aa1b66b0e2197

SHA512
fb1fcff1c94e73b1227f65b237639e25604d614cfe365f2108bbbfdb489b97410fdc17411b8f00fc5b8f57d51080b4496010537a6a4ff9b15b7bdd24f89d0df7

Download Submit
C:\ComponentCrt\sBEZl9whlNx1coUjXXPbcOghFKEeD7haTOPQzUr4aUDA.vbe

Filesize
207B

MD5
b292d233456b16f26abc1aa07c9f5de0

SHA1
7b025705136101b5618d81d8ebf472335eebde43

SHA256
e75d13d4b079fafbd413fa8182c270f1f0f41b1b19b3469db12de226fed67b2d

SHA512
1c9c3846ab0e392dc6833de2a9238c91b6042b5095521196a3ceae8830edf7fb6d73118ed023b2e2daf287a48084fa8ee40241248a231cf668d5cc5e8f947ee4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
bb4a5e0d5017428e1812779d2bc7f026

SHA1
106386e08068acf66ae5b50eb64e52907d7b0b9f

SHA256
dff4548d20367efb6a75d95920163f21c20b69b7db6df84dcccd3a00a3d03de4

SHA512
22a7f8a03b969b92036ad7ef4407e0ea7b9ca42d03929cff554c5a97a69de32bf2c2c159d651f1454fa4e7cd225707871aa5cc331561d3797a5d697dcebbaa93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eefa801df484507cb4247c592ecb0b5c

SHA1
49c22db20580739ac3146c08a2df87e7ab6e3ee4

SHA256
08c9cb814244ef8331e2eb806ca4b84d9733598397082915d0e9744957f2f3ac

SHA512
34cf3e300bb0ff5309364aad65b6f3d8d0e575eabf4eb149fe9a94e121f4cd5abd28fad6d26dceda550e83f842b0dcd5c7bedadebc76337f0e8fd338b44af6c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4d33365522b5d074c90d5085b3daae8f

SHA1
38ed0566a3b9f01685e37189eb8d46ea4af815b3

SHA256
aebb7dde7c7898a1d3c26155eba0d9026107c0ed7f207521fc189d925d69edd2

SHA512
46393f2e60463395685219e5d2322fd80172bee94855eb5a4cc1d7be9c7126745e5bf93e330e09eae4b57af92dcd07173786261950c9af9f0750fbde980553c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d6ddc5607d08a6afe596a3aa22ac3079

SHA1
d74a1c8810ecaa5c6bcdef184ae07e85007ff4da

SHA256
3fbcc35aac16fb6a8579cf33b868b9b10d605dd11c5743c02c17f3bb8ee0c335

SHA512
ad70687765c9c25c83d468023c6194568bb21f879cb5b18853d0166b5836190cd4eb3a2e8b736d64a948b543ddb56522c9a71f2bd64b8d8392de5e24445f4660

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4a61ef10bbd7519628f115eea3fa0b1f

SHA1
8f516230e0a9544557eb8a35f6ec6680c9658b6c

SHA256
d5a0525b81cb4f1c6e6e02b015e984015450d556ae42b2edde290849b91561b5

SHA512
4177e756374272be963a34a4ddbe261179ce5fc0406259a14db8f64c11e7f0a55b098b3315cd3edeecef01fbcc82d24505e9fadd5d4a56bf41ad5354d1cbeeef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
3f035ecce3e4b92cc49520c885e2b058

SHA1
fe7b88abd62b98359d261bf4a83370812901994e

SHA256
7833464d61c966b5026e9b44a4da1cf53a64b939c2fb42aae792a0d4cdf07f40

SHA512
64f100cf9fe1d88f388b295363fd54b15c44001772196ee62ccb5e48417e98f3e53233ae6578eecc3b781e40a39806e104d4d402bfa469a13d5884d07bc58c64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
164141a604150e956c1d5d974a5913ac

SHA1
808777a1058f024b822e0e41574e78f3270011ae

SHA256
6f9538b215aa97bd3b284763b3a58a7501094918fc555c450ece255dbf17fc13

SHA512
bf7a518d4fefa515bc7901845efc6e8fc49a9dbb23820c5121e44db9703e7f136aeeec784d9e435fd5e200a31b743af3741e034c38247fe61ed2b36b1b0f053e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chainreviewwinrefSvc.exe.log

Filesize
1KB

MD5
1126a1de0a15000f1687b171641ffea6

SHA1
dcc99b2446d05b8f0f970e3e9105198a20ca9e78

SHA256
b886b6c74da838e87b2cbc539ee657a2817d126b55c0cbd6d1ab91480261bcc7

SHA512
6cfb73ea43899ffa3cecd354cd76b0a1a67f57d9054c3e31cff43424491ed3bceae5aecd0f5c414ba92aab539eb7d55af3d40eedde80c9af8d34649bb1f8d4b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Filesize
1KB

MD5
f2e58a4d6897d4adf2e33ca36ace55ce

SHA1
67294a7cca4e465fa83b73debd117b3e6f8277d3

SHA256
c146c805685f0d4962c861f33b3ed0740cc7a21f97e79bdf0411dab030d85b1d

SHA512
5e1a8525517f2d1e0d2e422ad06ec3cf2e22252c77f320d36db6792f39b1f6473eb7a0d34518178f705921c51c2c2ded71c2167ab6605c6262d29da4c16e1bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7vvCXjjJPy.bat

Filesize
184B

MD5
db1207698af01297fd36c1593264b26d

SHA1
d3b0611b7c5faa6fd89200947fc161dc840c4053

SHA256
9991ca22371d1781bcb90184c87f4ab1f7c34e7d6b412d2f7cce5f6b5f512c92

SHA512
50a7dcd7182e023232b833bd8abce076707ee5db1c91842163eaac1858072ada8a72e93f233586f3aa1cd103b5f5acad9bba3674285746d2b49450c018a42591

Download Submit
C:\Users\Admin\AppData\Local\Temp\JRGN3N9ZXF.bat

Filesize
168B

MD5
6c88e166f4913f0a4b3a45a13dca7163

SHA1
dcd089d3e209fc50e6bd15fa38df1f758a7c8503

SHA256
246b791c6d1976e45bdff0e9de8384c5fc01da1269151b1b175c9accdf95b10f

SHA512
30a0a7f0b7966b6cf543c736cddf7b4f99dc36ffd6f9f504fd5171c9d779ab1095c0ffca5bfd7a570624314bf9f19463c6000a2ab7131f570ae6ec45f9bafc93

Download Submit
C:\Users\Admin\AppData\Local\Temp\JRGN3N9ZXF.bat

Filesize
184B

MD5
91ac43c5dc2df1ebfb941795ab802f4e

SHA1
a3bb20b1dcf6e2f58025a85199c6f731cf83f662

SHA256
501a81018fb9c01d31d506a5ac49d6d407b03cd3406439e8cd0b98c1bf348914

SHA512
03f3e497d60258396c790657b84b2276347552dc17c55a1a821ed6d80d5ba3d73c3a66d7f8712c5bb0a15bd397fddafc88fd063ec7473096aaf38fb9d379e11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZI9TpMxUin.bat

Filesize
184B

MD5
069cd5bfc9796991685cef3145a3956d

SHA1
776243a8324625f01dd79f8fc51a4d695de083f3

SHA256
9bc4e56ba8af5c4187ec1cc96f95a6d70594078c29d088bc093d5b547cfc6533

SHA512
808a7c8344515e2692de9fb872fceca65aa98f459f4b2ef407755459ac59b753c93950e7948835860e422ad5269fdfe9c18fca950296bf3ca0018540fe921fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5cCzjWvuk.bat

Filesize
168B

MD5
6d399d20e97ac9a32b755a62a1bbeaee

SHA1
0269bb366ec91d3abb38221cf989069642fc5a98

SHA256
d4d03377de708421c3b66001dc4d80f7e4bd00ed9812b52d86acbb5f3f9e28cd

SHA512
f68052d6476b6f2998dcbc63371529318785a37511c647445e8174b3e1b7c41b6f2f41462d4cee2a082e630c81682f62a05451bc4eb38d457fdefec9f8f8d899

Download Submit
C:\Users\Admin\AppData\Local\Temp\yY8shRuf5J.bat

Filesize
232B

MD5
541e76e2aa234d142ef9a8a3c09194d7

SHA1
cb52142a84f6c20acc801e3a099573205579a8e2

SHA256
0b22efae84ff001723008d5fc77ccb48e624942196ccbb5ea5d168f7d2f7c06b

SHA512
5d38618d61961daf83d615ce3546517931351eccc0bfc560e6782b39f8749442c40791b3511dbc37409524c9643332ce0294c7de201be0d8047dcf60621c47f0

Download Submit
C:\Users\Admin\Downloads\client.bin.crdownload

Filesize
2.1MB

MD5
bf4f13d82d217ed69d80124c50d9441c

SHA1
b7ee7d109f61371342e924e6a0c3505347dd318f

SHA256
51890bfc6f223014ff16f4bfa6ace8e2d2ec3c81eb6965406813b9ca32b08508

SHA512
1ba17e55d6d1f6fda99daffe3f11f995d5e8434901b2aea9105728ccbff1b81727d96bf8811a62e8367fca0ec23bdea331165b001088b183281164269668d2f4

Download Submit
C:\Users\Admin\Downloads\client.bin:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/336-68-0x000002484E760000-0x000002484E761000-memory.dmp

Filesize
4KB

Download
memory/336-73-0x000002484E760000-0x000002484E761000-memory.dmp

Filesize
4KB

Download
memory/336-72-0x000002484E760000-0x000002484E761000-memory.dmp

Filesize
4KB

Download
memory/336-71-0x000002484E760000-0x000002484E761000-memory.dmp

Filesize
4KB

Download
memory/336-70-0x000002484E760000-0x000002484E761000-memory.dmp

Filesize
4KB

Download
memory/336-69-0x000002484E760000-0x000002484E761000-memory.dmp

Filesize
4KB

Download
memory/336-63-0x000002484E760000-0x000002484E761000-memory.dmp

Filesize
4KB

Download
memory/336-74-0x000002484E760000-0x000002484E761000-memory.dmp

Filesize
4KB

Download
memory/336-62-0x000002484E760000-0x000002484E761000-memory.dmp

Filesize
4KB

Download
memory/336-64-0x000002484E760000-0x000002484E761000-memory.dmp

Filesize
4KB

Download
memory/2164-97-0x000000001BD70000-0x000000001BD7C000-memory.dmp

Filesize
48KB

Download
memory/2164-88-0x0000000000C00000-0x0000000000DDA000-memory.dmp

Filesize
1.9MB

Download
memory/2164-90-0x000000001BA60000-0x000000001BA6E000-memory.dmp

Filesize
56KB

Download
memory/2164-92-0x000000001BD90000-0x000000001BDAC000-memory.dmp

Filesize
112KB

Download
memory/2164-95-0x000000001BDB0000-0x000000001BDC8000-memory.dmp

Filesize
96KB

Download
memory/2164-93-0x000000001BE00000-0x000000001BE50000-memory.dmp

Filesize
320KB

Download