nanocore | ef86a58c9c0a8767a87a8e803854102083f18f7114161424b580999e78fcd500

Resubmissions

22-02-2025 00:44

250222-a3l5jsvkfq 10

22-02-2025 00:40

250222-a1gr2stmh1 9

Analysis

max time kernel
86s
max time network
87s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2025 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kangaroo Patcher.exe
Size

11KB
MD5

bf28450278273ab1c3ebdd4c98bc9222
SHA1

4eb8db0a3816a4d6a627a4fa9367b46c787968fe
SHA256

2a22fe56bc686e4e518318fdd4634f76b6d230baa4b820b4978bda236e4fd500
SHA512

6c888383fa7816eb0d904f914e6525827c43f0ef068ab55300ea2506d24722ec06fbdabbbb5de0452322fc0697d9089981ba08e75e9d5bf67d1a91b16650b573
SSDEEP

192:XRdsxj+V2qTo8OvXcHGMbMJo05GMje3Q5tfWlQskD:XRdsxj42quX0NbMJRNa32su

Score

10^/10

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsSecurity\\1edStK00ETQ0.exe\",explorer.exe"	download.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	r27efRiX5zTjXzIm.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	r27efRiX5zTjXzIm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	r27efRiX5zTjXzIm.exe

Executes dropped EXE 1 IoCs

pid	Process
532	r27efRiX5zTjXzIm.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	r27efRiX5zTjXzIm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	r27efRiX5zTjXzIm.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	r27efRiX5zTjXzIm.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	download.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133846586900664875"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1170604239-850860757-3112005715-1000\{70238DB3-1145-43CC-B35B-5C16EFA6D06F}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3940	chrome.exe
3940	chrome.exe
532	r27efRiX5zTjXzIm.exe
532	r27efRiX5zTjXzIm.exe
532	r27efRiX5zTjXzIm.exe
532	r27efRiX5zTjXzIm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 1528	3940	chrome.exe	91
PID 3940 wrote to memory of 1528	3940	chrome.exe	91
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 2312	3940	chrome.exe	92
PID 3940 wrote to memory of 3600	3940	chrome.exe	93
PID 3940 wrote to memory of 3600	3940	chrome.exe	93
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94
PID 3940 wrote to memory of 3148	3940	chrome.exe	94

C:\Users\Admin\AppData\Local\Temp\Kangaroo Patcher.exe
"C:\Users\Admin\AppData\Local\Temp\Kangaroo Patcher.exe"
1⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffda92ecc40,0x7ffda92ecc4c,0x7ffda92ecc58
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1844,i,5506652347115134877,9431660413360112082,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1840 /prefetch:2
  2⤵
  PID:2312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,5506652347115134877,9431660413360112082,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,5506652347115134877,9431660413360112082,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,5506652347115134877,9431660413360112082,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,5506652347115134877,9431660413360112082,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4552,i,5506652347115134877,9431660413360112082,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4688,i,5506652347115134877,9431660413360112082,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4684 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4692,i,5506652347115134877,9431660413360112082,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4736,i,5506652347115134877,9431660413360112082,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:2560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4836,i,5506652347115134877,9431660413360112082,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5220,i,5506652347115134877,9431660413360112082,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5048,i,5506652347115134877,9431660413360112082,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4376 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5360,i,5506652347115134877,9431660413360112082,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3284,i,5506652347115134877,9431660413360112082,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5424,i,5506652347115134877,9431660413360112082,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3220 /prefetch:8
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5500,i,5506652347115134877,9431660413360112082,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4132 /prefetch:8
  2⤵
  - Modifies registry class
  PID:3820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5560,i,5506652347115134877,9431660413360112082,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:1440

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:836

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x340 0x344
1⤵
PID:2548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\Temp1_sorenq.zip\download.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_sorenq.zip\download.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
PID:5052
- C:\Users\Admin\AppData\Local\Temp\r27efRiX5zTjXzIm.exe
  "C:\Users\Admin\AppData\Local\Temp\r27efRiX5zTjXzIm.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Suspicious behavior: EnumeratesProcesses
  PID:532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
dcb905b7846a4494f3fdb4591ee56dd9

SHA1
af9e7df834c5334796839368057aef833be263e3

SHA256
1cece6c7c6532a48528777cbc403208bb9e1dd3ffe2f1639f3efb06c4739f525

SHA512
bf419c858f6bbeaff0d04b16007095236b3e039d6ba878add5770e49ae7f13ca68cdc0c431d7ea52d0faf679898bbae96056cb06407e9caf8cc5ff2ac763372e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
13KB

MD5
38fdb56283cc4285722d9d046bf70b3b

SHA1
3effd8b4ef2482c16b1e0a970cf102aa534c0007

SHA256
0505bbf347de3f4c07b16e196b04947af8cce09f8cfa48cb078b6e730a3cc48f

SHA512
9c6315be80550a28e39229bb8b3ce746f47692d255a045ff6f4ca444f0e582af4ea7d932b965a099a0f08fa0a8ec2b74c8e07b459dae3da66bef1c8bd30c23f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
446f5d2dad9ec425dee619cb9c2d60f9

SHA1
c9474b67b10c9e4188b8c11bb054a341790a96e0

SHA256
eb02675bdf1b631fa617f9349e2396cb3acae113591b684391f6dec81f33c961

SHA512
35bc83e6b0e14ddce4e4f6fe2d5d6605bb43331f462095abe77f84e779a93be2cfa0f3f702bda355cea1f8ce90cb9efcbec59d27b7494687f8757b29a0c466fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e2700cc5b52336cc36ce08db6858a0b6

SHA1
90dd655eeffcd7835cc62e9a1fadf128e621010d

SHA256
1e5e1c00a7b6e79be9144108aa9d1ed46f4c482639cb861a7f4d76c047338942

SHA512
64ec2af29332cf78c378cf9153449fca73ff3a0020f76bc343ed6c1dc643f3fb1546f1f4a7af3bda240db4f99895e2cd38578ea5b6e8c108db7432555766d5a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
9bd2348c427b551dc3acc0dee2b91183

SHA1
c7ac722ec805d24a375175c0131e390c43ad4913

SHA256
2027282ed3e88fd73d93123eee9b97cfbee910f94265fa7be2e7ca54c62314df

SHA512
200e891bd300f3bf82e2025c45d38835ed61a75f1cbe0e7efe54446b8ad32d6dab045ae9deb05c9568bf8d91c2798ebc3ace269fe7395cf609e88d0cbc5a9d6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a6779a6a7ff7a11503b517a81c17114e

SHA1
8f4e0f2483364963548ebf05d2aa50f2e7618f30

SHA256
ec11313439b871da8acb459df69416797f92973cef3fa950908d27e345c9f194

SHA512
b8c501190eeb14386528ccf37e48a0abe0bda3a0c8539af9b346975b22beb32d0378e0c46db0a236119341a20fa85a6a7e28da7fab1da80b73260150c4fbe772

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0fbd39a2e18e3d4cf9e6267cf3678e1d

SHA1
b15e4b37afd8ad3100e9072466df3dcb1918bba4

SHA256
19d3fff2b41fa46dd536a23598a6ecf3eda93857f260f5f77420fa7d25c597c4

SHA512
68a4d39aa4789110a51ce7e806c540d9b19ef776e1e5e6d405a3fd431bf1e12c8d0a855d6c57e7e5301a6874ee249dc29e79c91162a30100a53ee9d9e8a8abf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
994feb7eb1e5fd948466a092dd1fdd03

SHA1
30cdb1ed2f8e57a82f088c3d25c22f8c3cd6a5ff

SHA256
c2fa601d34761768d022c442ed50614d8caf363968321a522fe85b8e0bb743bf

SHA512
4173f4eacbb9902f3208d31d1961ee3f80a287e3090ce333a002d1d1d9b35b6eca029ec83b2f60497872a118450a4228d068edc4d7cdd5f6f981d22c4ed9028a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d2f9f1d931baa991f4d0cc590c1dccaf

SHA1
aec48edf47322e4a372a1d8460918579355d0f5d

SHA256
48154244c1dcf4efafd87eb30e28f46627a57606cefa0bd6ff1e344a42300ef0

SHA512
9b1eae34c1969f71de8b6cb0954957d5a49248eab65265bc13bd28fd1ffee4e57b8bb5d8967076d7f875a6178dbba8db19478451b0e8d080bb5658fadb34be2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8d8befd58dd2f648e2ce15d717b2b806

SHA1
e782f3da4f89ddfd897f9e650bf41a8ddf4d8d0a

SHA256
9bac20d8e09d9c94c79e7a7ec3ab1d758156274b8c6994b4d8d11cba38a4336e

SHA512
6c1c09f7f5c2dbcc14cf888e95e95abd9e2b0da397f56de38280cb2ce66975edf8ab7d0c08fe85b0075cee258467bf9d358c28488ebdad33e4ee0107deab0c82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8fa0d2b8b2212acfb0c48ccb2dfd0519

SHA1
aa193f6ea9bcbd2641e46f109fa0ebe235cc3eb3

SHA256
708258722500096532dd1c1ebdd15a433fa0e8cc6b36f91b813eaf66130245cd

SHA512
75b7008982930a1a97bcd6fd1eb2daf826589365db60cf9a086fcdb2964ee9eba10c39811ae31b76f4def5002f6cf2a232f606d6f07836eb970ea9360a8887d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
179f82ffd7abaa05f012684476d53148

SHA1
cef630910cb4f86a126c46ed0034e9e9fde845e1

SHA256
ae4469a5f1e8f5a1f68e3f3e3649032b48155a0119e3c1d5259a4e96c49ca14a

SHA512
88d5b11961383c146e244863a0d6bc2834362e6ceb3491646f2684cb2a081d0068ecc502b54645115879a499ecc433079e2941125467abfe6837b4e6a72d1bac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
8a297f58b44c9fb673d59ab253ed2c57

SHA1
cf9c39e7eb0af2f074f51f6fd8560e59b14c4663

SHA256
f8315f0717a210b9c87089eb6e0f5c08c70a14e28f28a24a5c20770b25f4564d

SHA512
049ea3ca0bfaa5455d39d662ba3d0cd8f7c56b3ecc7c6a0aab2ac7637424480eddf33b7c19b6b13d7b01987d2d1bd2a3342cc8c36fae8250e9ec167c0cbd7db7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\38112a5e-6108-44e3-bb46-810e46ebb604\index-dir\the-real-index

Filesize
48B

MD5
ed2331798fc5cd63e68f4f767d81b16c

SHA1
d1149b19f13f33c5d6c2b272171789c58cebf26d

SHA256
97431a36dc0f07b4923d4a67c27888ccf596c529801fe1662438e5e75598d3d9

SHA512
bf31114041aa1887be2dfa086eba5bae8fb7e1ab305efea3efb99b15667f7efbb90e6b2be84ed360e5d354d5621014a5978407841b1090d7137ffa865039e802

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\38112a5e-6108-44e3-bb46-810e46ebb604\index-dir\the-real-index

Filesize
2KB

MD5
a018221b35183ad12734473b34c92ba8

SHA1
3fc74247e27c8501c4c1eb418d8fb47960875998

SHA256
d3a2050200e3da2bea9b4e08b2b380cd751b749230c3e92b4ac5be4e99ae0c01

SHA512
82ba00d920d79f6527bebe5d929bf1bee94fba7d7b2c9107c9da8027d4541de3fc54c0f8c2797c505a8e3fe9d28c79315d2b7f94ffc3775e9109ca0cc414cd8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\83bc4639-f7a1-4b0b-8d9c-a38c97d1fb33\index-dir\the-real-index

Filesize
600B

MD5
6a3aa025546128150082962ac728b0a7

SHA1
130fd853347279627d61e365faa084011f49d553

SHA256
3dde6000f06689252c0e9dd3b4b41501c7c118e0b95f7222559a308654722c0a

SHA512
126dab248a16bfe9eedff42d97d01275ee97004aa33bf46e143bc02162f8f72935a26161b19a5c21e7c39e770e1af91559047508d10b2d324994f0235cd3a5b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\83bc4639-f7a1-4b0b-8d9c-a38c97d1fb33\index-dir\the-real-index~RFe58ba23.TMP

Filesize
48B

MD5
31cdcf67c4534bf5a49f4fd65510a251

SHA1
f6185c5408cc06526e8cfa86e297c21135e565f4

SHA256
d08de990078cb284739840bec592a7e45012e897c25720d98082af335c427e19

SHA512
5307bba7ac3c2f1b965a1d719cf18015e340af1b6455dd71bf597d7476580ddc37aa702a2b8f4bd5c828c5c57f601c5cebaa96233efb45e6ecf2225d015f0ca2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
183B

MD5
1039fda34ed742308560a2ae1b14c4ea

SHA1
7de54bf3662d869263826cef888a3aa65ac0b590

SHA256
1f693aa33c3cf98b3e7bfdf80279ee54dcc4579451005537e9b4b75380815c86

SHA512
67df5ad638abb83de9dd7843071985b1e7d7f1c62ff3fbcd487ff6a595175c8d60088e307db1eec1dac6219aee739bee85bb29fcb3abb9042f41f29441a72618

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
4b6346869beef8d316645e2311b2706c

SHA1
28f5ac5e21ee95a67e75c8566f6d3a1fa8a5f20c

SHA256
2b35649e962758f246f9884fcffd01442e4a9ffb27caeec18de533e681b25f8b

SHA512
11c79a795e1aa22dd022036d647d17a62679042cf6996574501c6546c258f3c1598ef6d7837552417bfd02fe155cb090abd6b4a4d80371bff0a575a0b4d922d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
186B

MD5
01fc1bee0b2533d97ba40e48f1a789f6

SHA1
f9b391e2f72c98624f617ec5c61437da325019c6

SHA256
7049b33c208c37c8a9f805cc85c33a9514894c5edcc85a74d444543281a66b61

SHA512
2d6ff3fb9d22b9d5865f88c9a0e7de319cdf14a347ed174e37c726b65d764b1480f20ea963ae4fe07289abfb57de9e86c1ca037fe1dabb717ec43f889dac504e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
183B

MD5
c3013e51242a1ef58d752ed862ae92f8

SHA1
7957aa98c6b5e1bbbaafbc2eb728f4041aa9689d

SHA256
76114af90ece681977123cec40210750512b0c8156bc6868895161336c854a31

SHA512
7f542c5e36cacb0d85427a2bfe180b9f374028bf5bd42c3c7fd768e7cbdcab4eba057958595b8733adac57878ebf7268af47fc04ced5e6cdbc8c5ab7e92f702f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe585ea5.TMP

Filesize
119B

MD5
cd3711874a30596696a5a5b1f27d595c

SHA1
94fc5aab0f3c13f4be8708534fd9aa013c072f17

SHA256
c97874a12b47341a13189c670828649c4e310566aa737f3ada36298881f03565

SHA512
9adb6be421625df0a2c463626c9cbbe6bfe1144299e2256dc5477a05741bf754aa61a4105f84b1035850c505403cd70dfeeb3afcc6a30944c48fc2653c633cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
144B

MD5
87382a5df50053f4c8644b2e7cf5d839

SHA1
dff14b42f857f5c06f0199884f51a93dc12f9e52

SHA256
e30c1689bb298055671fabfde65343b3b726dd4f652d4674a6a66f522edf8a61

SHA512
11f92c1b18246380a7b35468ee8c66a32cd7afec80f460ab560c428600aec666f489435ac63e31e2dac8cdccc5fd1e2835c1a63dccaa06d88d6ad69cf9c63c70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir3940_536185850\Shortcuts Menu Icons\Monochrome\0\512.png

Filesize
2KB

MD5
206fd9669027c437a36fbf7d73657db7

SHA1
8dee68de4deac72e86bbb28b8e5a915df3b5f3a5

SHA256
0d17a989f42bc129aca8e755871a7025acb6292ce06ca2437e95bedbc328fa18

SHA512
2c89878ec8466edf1f214d918aefc6a9b3de46d06ffacff4fdb85566560e94068601b1e4377d9d2eabefdc1c7f09eb46b00cf4545e377cc84a69edf8e57e48b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir3940_536185850\Shortcuts Menu Icons\Monochrome\1\512.png

Filesize
10KB

MD5
529a0ad2f85dff6370e98e206ecb6ef9

SHA1
7a4ff97f02962afeca94f1815168f41ba54b0691

SHA256
31db550eb9c0d9afd316dc85cdfd832510e2c48e7d37d4a610c175667a4599c6

SHA512
d00e2d741a0a6321c92a4aab632f8f3bafd33c0e2875f37868e195ed5e7200a647b4c83358edcef5fc7acbc5c57f70410903f39eac76e23e88a342ac5c9c21cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir3940_8717603\Icons Monochrome\16.png

Filesize
214B

MD5
1b3a4d1adc56ac66cd8b46c98f33e41b

SHA1
de87dc114f12e1865922f89ebc127966b0b9a1b7

SHA256
0fb35eacb91ab06f09431370f330ba290725119417f166facaf5f134499978bd

SHA512
ce89a67b088bae8dcd763f9a9b3655ed90485b24646d93de44533744dfcf947c96571e252d1ad80bdec1530ff2b72b012e8fff7178f1b4e957090f0f4c959e0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c344261a-6ddc-4346-8133-c19fc2f3ca44.tmp

Filesize
11KB

MD5
d73c25e5cbd7b8f542e38da7a2adf1d4

SHA1
b9c4ff2f278dbe5be3773a464a4c1168cf073a20

SHA256
ffd98fbb320667bb4dbd568183f57f38a3ab7c718852462646c49579e0b98c60

SHA512
890b634a47b611322ef97a96b72964a2e84c3845ed9c5aa5fda40f560ba59e6be0908dd1265db449f52c751a79884e5409641bf1c709c61793260d997c7389ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
242KB

MD5
c7837d8fbc6ff539d4ccebd2d56c3880

SHA1
95ff8a571c0f60a9c74c927a35f25703e0c5919c

SHA256
197fca6c66a2eb0bbdd1a4e7024b57b0072a753968bed70ea1ea52870b6af39f

SHA512
9a401e1113c9e3635ece0904e502a98a754e1dee93b837b0d7c03061a4f0a96a7e04c32a0c23d0f5362d0c9b94f5d238ebc163a80ac7562340198ab23e8c14e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
242KB

MD5
c7a3209a099f62ac3d5d95c2e4ac9586

SHA1
dff02445a92d1607b673019dc9dd504a328c5e32

SHA256
7d662fbf4581139d0e8faadeffa896bb7e019700fe0d82cd16b2f219f8f1e436

SHA512
fbaf57c00ae830eaa4e9beac1930ae2c703529dd35af17a2e475ac028ca3528f47532d1dc7ef6fe15b4a56fad943c372922ab56adffcd1fd1a8c849f6eda4a6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
242KB

MD5
de8f606b21571c3862d012be81a523c6

SHA1
cd436d41f5819c837c8da3c558df07980c66dd04

SHA256
49acb766b0ee9ef8ceea3d679e516360ca3a82c237b39476f97b78800c3e2120

SHA512
8912aa3451fae56db364eb55bf6875bdf68477162e883c909c80779d2e2a049afb1e1bb36f8374d861d1956599bc7bc2a488dd1468941e11829faadcec774d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\r27efRiX5zTjXzIm.exe

Filesize
3.6MB

MD5
94484d4b22abf59a05b0dc6542030b91

SHA1
6c6b68fc70bf4a4ff018f6f6f8b832484b205345

SHA256
bcd5e6863d5af75d3c04140e4192709ec1c63162c8447e3484dc72fd75158838

SHA512
0029c54a3c8dd65e1b5c7a0470afced12ae602376cce30b9662465c63cf7427fb9dead317c11ee040e969582a9e69e03be33b4d6bce8f3b7cb42a70ac3473bfc

Download Submit
C:\Users\Admin\Downloads\sorenq.zip.crdownload

Filesize
4.0MB

MD5
8c8355a5982d5c23cf46e1bc208d71f9

SHA1
f3582d5e9ff9d8a93f81fa573b6fe96715002823

SHA256
6421b8dd3f429921cd2cd3b9d6809f8a860d2f6acb58be9387ff14541dc07878

SHA512
fae8127f885f706d57b9af4c5bcc0c45303301f03da316558ec18e5a67d3532d579d7845e1a3042d19326f06ddbcbd5aadea4590fcd6beac9ef0f3f012274696

Download Submit
memory/532-715-0x00007FF7C9F40000-0x00007FF7CA877000-memory.dmp

Filesize
9.2MB

Download
memory/532-720-0x00007FF7C9F40000-0x00007FF7CA877000-memory.dmp

Filesize
9.2MB

Download
memory/5052-666-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/5052-718-0x0000000074AB2000-0x0000000074AB3000-memory.dmp

Filesize
4KB

Download
memory/5052-719-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/5052-721-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/5052-664-0x0000000074AB2000-0x0000000074AB3000-memory.dmp

Filesize
4KB

Download
memory/5052-665-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download