socelars | 653d0cdec49318d4d6931e1fdb2a6e9e06b55583ee1b6271324e705fa4f1e55c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
27/02/2025, 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Size

1.5MB
MD5

8685397030bbd818fe541e1e95390b98
SHA1

16d5614ac965bf805e5829ee251e8153e0d59334
SHA256

653d0cdec49318d4d6931e1fdb2a6e9e06b55583ee1b6271324e705fa4f1e55c
SHA512

b150ff82b2b6da509f99ced91a01807b1c6f25dde673d6f8c07ee7e9197bda38db6798a96ebcedb4bdcd13c8731418ec0849514bf10fc758208dfe59a17a6ac6
SSDEEP

24576:VsLp0FasdJu/+/dfMs2KLoyaU/5DeTgtMyPtTopLo/yydpgYE:ipncZO+HCyPtToZo6ydpgB

Score

10^/10

socelars discovery spyware stealer upx

Malware Config

Extracted

Family

socelars

https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars

Socelars payload 2 IoCs

resource	yara_rule
behavioral2/memory/4332-0-0x0000000000AC0000-0x0000000000C51000-memory.dmp	family_socelars
behavioral2/memory/4332-45-0x0000000000AC0000-0x0000000000C51000-memory.dmp	family_socelars

Executes dropped EXE 1 IoCs

pid	Process
2804	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnitmgr.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
32	iplogger.org
33	iplogger.org

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023b4f-3.dat	upx
behavioral2/memory/2804-5-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/2804-7-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4360	2804	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnitmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
384	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133851133877800101"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4652	chrome.exe
4652	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeAssignPrimaryTokenPrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeLockMemoryPrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeIncreaseQuotaPrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeMachineAccountPrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeTcbPrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeSecurityPrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeTakeOwnershipPrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeLoadDriverPrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeSystemProfilePrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeSystemtimePrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeProfSingleProcessPrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeIncBasePriorityPrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeCreatePagefilePrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeCreatePermanentPrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeBackupPrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeRestorePrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeShutdownPrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeDebugPrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeAuditPrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeSystemEnvironmentPrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeChangeNotifyPrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeRemoteShutdownPrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeUndockPrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeSyncAgentPrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeEnableDelegationPrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeManageVolumePrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeImpersonatePrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeCreateGlobalPrivilege	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: 31	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: 32	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: 33	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: 34	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: 35	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeDebugPrivilege	384	taskkill.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 2804	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe	85
PID 4332 wrote to memory of 2804	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe	85
PID 4332 wrote to memory of 2804	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe	85
PID 4332 wrote to memory of 2684	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe	94
PID 4332 wrote to memory of 2684	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe	94
PID 4332 wrote to memory of 2684	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe	94
PID 2684 wrote to memory of 384	2684	cmd.exe	96
PID 2684 wrote to memory of 384	2684	cmd.exe	96
PID 2684 wrote to memory of 384	2684	cmd.exe	96
PID 4332 wrote to memory of 4652	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe	103
PID 4332 wrote to memory of 4652	4332	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe	103
PID 4652 wrote to memory of 2588	4652	chrome.exe	104
PID 4652 wrote to memory of 2588	4652	chrome.exe	104
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4344	4652	chrome.exe	105
PID 4652 wrote to memory of 4356	4652	chrome.exe	106
PID 4652 wrote to memory of 4356	4652	chrome.exe	106
PID 4652 wrote to memory of 4212	4652	chrome.exe	107
PID 4652 wrote to memory of 4212	4652	chrome.exe	107
PID 4652 wrote to memory of 4212	4652	chrome.exe	107
PID 4652 wrote to memory of 4212	4652	chrome.exe	107
PID 4652 wrote to memory of 4212	4652	chrome.exe	107
PID 4652 wrote to memory of 4212	4652	chrome.exe	107
PID 4652 wrote to memory of 4212	4652	chrome.exe	107
PID 4652 wrote to memory of 4212	4652	chrome.exe	107
PID 4652 wrote to memory of 4212	4652	chrome.exe	107
PID 4652 wrote to memory of 4212	4652	chrome.exe	107
PID 4652 wrote to memory of 4212	4652	chrome.exe	107
PID 4652 wrote to memory of 4212	4652	chrome.exe	107
PID 4652 wrote to memory of 4212	4652	chrome.exe	107
PID 4652 wrote to memory of 4212	4652	chrome.exe	107
PID 4652 wrote to memory of 4212	4652	chrome.exe	107
PID 4652 wrote to memory of 4212	4652	chrome.exe	107
PID 4652 wrote to memory of 4212	4652	chrome.exe	107
PID 4652 wrote to memory of 4212	4652	chrome.exe	107
PID 4652 wrote to memory of 4212	4652	chrome.exe	107

C:\Users\Admin\AppData\Local\Temp\2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Users\Admin\AppData\Local\Temp\2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnitmgr.exe
  C:\Users\Admin\AppData\Local\Temp\2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnitmgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 268
    3⤵
    - Program crash
    PID:4360
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdac29cc40,0x7ffdac29cc4c,0x7ffdac29cc58
    3⤵
    PID:2588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,7849994492999309179,14214367104677476620,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1972 /prefetch:2
    3⤵
    PID:4344
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1860,i,7849994492999309179,14214367104677476620,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1720 /prefetch:3
    3⤵
    PID:4356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,7849994492999309179,14214367104677476620,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2568 /prefetch:8
    3⤵
    PID:4212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3140,i,7849994492999309179,14214367104677476620,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3148 /prefetch:1
    3⤵
    PID:4368
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,7849994492999309179,14214367104677476620,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3336 /prefetch:1
    3⤵
    PID:2640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3876,i,7849994492999309179,14214367104677476620,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3892 /prefetch:2
    3⤵
    PID:4380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4664,i,7849994492999309179,14214367104677476620,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4580 /prefetch:8
    3⤵
    PID:1736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4820,i,7849994492999309179,14214367104677476620,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4836 /prefetch:1
    3⤵
    PID:3568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4448,i,7849994492999309179,14214367104677476620,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4700 /prefetch:8
    3⤵
    PID:392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4560,i,7849994492999309179,14214367104677476620,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4788 /prefetch:8
    3⤵
    PID:3960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3660,i,7849994492999309179,14214367104677476620,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3696 /prefetch:8
    3⤵
    PID:4756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4692,i,7849994492999309179,14214367104677476620,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5076 /prefetch:8
    3⤵
    PID:4792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5332,i,7849994492999309179,14214367104677476620,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5324 /prefetch:8
    3⤵
    PID:3428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5344,i,7849994492999309179,14214367104677476620,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5212 /prefetch:8
    3⤵
    PID:636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5452,i,7849994492999309179,14214367104677476620,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5308 /prefetch:8
    3⤵
    PID:1436
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5280,i,7849994492999309179,14214367104677476620,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4960 /prefetch:2
    3⤵
    PID:464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=212,i,7849994492999309179,14214367104677476620,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5192 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2804 -ip 2804
1⤵
PID:3268

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png

Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js

Filesize
19KB

MD5
158042b95fc84e87609d2b1683ad1d8f

SHA1
d01bbe0df468e920639edb7ac5eb9c8596e82868

SHA256
2195f08f3ad033d62e030dea22e0e485f3368675e4fa473bf315009846b103cb

SHA512
8b1fcf9bf98c8bb49fe37c81f3c8349d12e08de2ab87f0110c43979a93e9f6620c3f7dc143ab898ed7bdf068eeb670aa6ca0e7e6b703f3f3f6f23764d6d50ee1

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js

Filesize
3KB

MD5
368dbd669e86a3e5d6f38cf0025a31fd

SHA1
93c6f457d876646713913f3fa59f44a9a373ff03

SHA256
40d6653a91bd77ecbd6e59151febb0d8b157b66706aab53d4c281bb1f2fe0cd6

SHA512
24881d53e334510748f51ce814c6e41c4de2094fd3acc1f250f8a73e26c64d5a74430b6c891fc03b28fb7bddfcf8b540edcf86498d2bb597e70c2b80b172ee7e

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json

Filesize
1KB

MD5
6da6b303170ccfdca9d9e75abbfb59f3

SHA1
1a8070080f50a303f73eba253ba49c1e6d400df6

SHA256
66f5620e3bfe4692b14f62baad60e3269327327565ff8b2438e98ce8ed021333

SHA512
872957b63e8a0d10791877e5d204022c08c8e8101807d7ebe6fd537d812ad09e14d8555ccf53dc00525a22c02773aa45b8fa643c05247fb0ce6012382855a89a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3e633a70bfaddab2326f6c74ba9fc777

SHA1
f4b17a6c3a140d0c850e15cb47a52558db2ba39f

SHA256
f7643e4ce7c22c40e8156764e8dfc9c26aa3af81358a53ce67836e2296016d67

SHA512
e5d48e1b4e630e93c673090f2d5fc2f45389168d494b037d1a103aedd507d86074f7e6e3b248831202c0997ca5d6980fb926d4bd255649fd02c59b2e0d7f080d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
0694a1b9487a237df127f5f82bea31ad

SHA1
413c8a46d58e116c07662079e48e7eef92d10071

SHA256
cf9243b82e4c9c89f54e1fe059e417604323ade0acf08b999b4fd622641add6e

SHA512
fa01eed487749adbf71267fbc205841b5048e8075cfd997225cff0b85af3b1d442898b205e6051154941f146647e6ea92dd3e09696f30ee3a813663c7e969728

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
aa98c1bafd24a7dcfb71808e595468a9

SHA1
6d50f73d3c874dfcc62475f1bd267d2a36ecec51

SHA256
c4d7796a19c74049b77f7d453555a9f239e40eb852c3e6af12010bdb831b8aff

SHA512
0f832a0e010dafaa3d6c70f64999ce4a9971c80cfecde7dbbace0cf6ebdd1b7330b6a16f165bc59073691b18a56ff02dd7cb4a92de8f30dee5ec20d0be5d202e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
22640f8a3bec2c0cca033e25f01268c1

SHA1
bcdce15d4cd54c47f2da7745c19f26f6c8964a63

SHA256
ee0c728a646bf20e2a16be3a7727021d4b1e0dc84deab233700dd3404b0840b9

SHA512
c99b0e3ef9e5f8e6ca1aa5d2afa0c27596fa22a6176781096e063f093b60c960db26b1380610bb5285258fe48e58fb2f41ca2c3e88abc1adb1723fdd289013b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
1d6f0d2e12828ab3e844712fed95fe2e

SHA1
f8b197f2efdca30ba3dd936e8cc87fc5c7a1f19a

SHA256
24432854f0487dd0fa2f78174fc11ac31702e4f4869f7f2ecf9ac44a69104bfb

SHA512
f23c318b3adf74b3a170e3c41938fc171597630567427be802c6b2f49e097da662ea179313bfd9e0e75c44664fab4bbfec9b93078a3068942962f588d0b911f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
6b7769a9320218a04cb8e86b19443ec2

SHA1
22d10c656d5f419e82d0ee3177f566da627b5765

SHA256
006ac20ab1e5d93c40c8b6c795d19e98b5a02a42619a8cef26b4dacb4b5cd6f5

SHA512
e03bcfa1d75e94d7b4c227aeae8da8fae7e6767d43be1107535ff15f54acf6068d18734cce067dd3568e294e71631f105b037a1e6ab53139973aa5c044b6d4b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
234b267c332f4b560a85f0d88f4aeb22

SHA1
e7be008f156fb1a0a27ce463deaada3ee6ee0c4b

SHA256
5490e4433381bee3e38f25dca27370cbdb878f42ca139863df79e649ee1e2726

SHA512
ee5e93d3e428265c4f979c4441ed04b8ccaa6f07243f011a3c197281913eefe593d8f37eabc7b74c72b43d96d6300fcffe005d98b10737ac4887d9ba03fcb855

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8c085c72ad9e159504464565c66fe967

SHA1
879994459917a337c619f2975b8e834b1c12cddc

SHA256
26e7538fd79694e048b8e1e32da9480980c63f226fc5dfc59e62107fc47e0b7a

SHA512
23a76369ffed7e7d2c29719b02dc94c80114b12868c15724e2995d8987a3f151d61b9cc0a9636b34657779246030c52edcdeaaecc4a010abc9e7edd727873f2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c7cbcecf1a2f8f5fcdda6f108b71332d

SHA1
cb576744dcfe237e293bfa6b154c32eca8a4cff8

SHA256
4bdb4aa2607632a8d1a644d08f7c3d00cbb0086ca007784b03392082786500c9

SHA512
1a0a09224737a6b492fb504f07b3831c65c4237c64ecc475237abfa1e8adf360edc116e55f3d9214b06656ea9854b494ade02fb49264802c0c1d051cf956e520

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
81fd8fed7c08fe06d3d4cd67175cae10

SHA1
0b169646487da0187e8357ed8d2dc68873aec601

SHA256
0258d0517dd31f4d84a04a6f0305124566e170d267b197dccc971714e247f1da

SHA512
38861104df60ab9940f55223f22118d211249639c1d0e29684be663f9f125a590148729aee0815556b8d69da0eacb7ab1779c39ece255266d4d85094d85d7181

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f70449b37d2a9fa24c882ab70f677744

SHA1
1e31454263714629c6290e15093d18c1edc7128d

SHA256
87b5b0cc18bc8b1b0cdb865c94e8f8bd39e0f45da7de8a0500b3294e1baab7e4

SHA512
354306ce44cd0ce3f80c38f7c2018280c5579cf7459ae7a2c05e918acf0aaa6bfbe963bee32e6b27af3b116e6b888b5d5b545008db3ac9e70d7c6cf3eb54a7a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
13ffbb18adc6305dbf986d3681312419

SHA1
e8bdd3161786e517b86f0a06c6025f77233c7087

SHA256
e925703721d5d6ce852c5ae7b0c420b88926b148d4b55f6713efd0b2156f4cdd

SHA512
cd6c2d6b64603c77ca3cca9bf4ddbe3d711e8feda6645f8736ed77fcafda3f54cc72038545b9b72a9737c3b95f3b6bf79c837d9f23ec50e3f02c706222069b7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8668b4c180ce246dadb436d6447e9a94

SHA1
611c0ef98e5dfaedd320a577a45f20aec683fd1f

SHA256
e0e5a53132b29caece7b2cc72b48b3d8cb0acd7e0d48e60dd4dc303068015fc9

SHA512
f2aa0972f98de30f59aa521ec6288e9d75ce358a169aadb025d3fcddb8c28ef9d0d64e0e477189257ba9ce35cab897466af480f3cb7c83b1c26be4cf0d7e65c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
14KB

MD5
676c49553470d82aa8961d82b417892b

SHA1
eb4b3402000e21eec87024276d3933cad332f7d6

SHA256
8baf756be2f547ef7798aafd5a784aea80d10fa3c3936f96d208713ed5eedb2d

SHA512
5a0e501005a3e85d9ce648de5989c2581b53765c0746392c85f6319464840e9ce9f7752d8bbcf6ea8c765ab79b1e753fa4080e2604d4412371c82b909e17224c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
14KB

MD5
4eefa968f72dce74d86e4b9471bafb3f

SHA1
61b97995e7daa6d4fe7594d174a3c27a91b1b28a

SHA256
aacd67aa1b48b18577552e00233a6f5d1e727a2c54d878d7352a1c4ade5031de

SHA512
e8581be97b852bcb778852ee1d82c9bddfe0809692956faf7c7238306f6211b0f6e7f86cf850c3b43ba125bdc1ae3845817c2c80011746006a1d5d9fdbc28508

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b3cc3947f167eeb90984d3107890507b

SHA1
6161e37665fce70fbc9eb701e45b84b02facddec

SHA256
d20b0ad72385c811212e7de9350eb414057c0463958ef6b41b6fc2cbd790c4fc

SHA512
2b2a4b5276253a86b7d60b595e355bbaf9e3a334843c675a3be0b5abafe212fb6c52fee05c71ac2aa93a92610273a039f9f14c739a1c7b28e37f842585ef1c2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
6c74435b0ff9e8eadde463e8c5c8b485

SHA1
296fa2c43fdf133340dabfcf89ff6c87d16a8e78

SHA256
cfa474722a4c7bbff803b67b608a99e16dfb94b25b9b400cdec10dbe49b68f1d

SHA512
35e06af9457892a723a81b5369e52c595478f0bc0125d3943a622b180d6d70d0a530da0189ed885e6debcb5e204d2833d0126be155b6965a50f07acfc58069d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
2dc00a2a543e5955e5d1075c24556ac5

SHA1
3fe05f623b6243c9ce5429b8c8f92348f98f9753

SHA256
a9da9a9f113a09349449a0e86852e9d0176a2e91a92265c769659c696e4c0763

SHA512
f3ddbed743e2cd0954f82cbf9d1278edfe1295f0e8141b567219217320c8ee4e96c9c5dae082e29e1fb4ea010ac0bf415eced0a9abbe30bb4e1786bd572b6e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnitmgr.exe

Filesize
105KB

MD5
d5ca6e1f080abc64bbb11e098acbeabb

SHA1
1849634bf5a65e1baddddd4452c99dfa003e2647

SHA256
30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

SHA512
aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4652_1289904625\310cfff6-df93-416e-87d1-db7634952849.tmp

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4652_1289904625\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
memory/2804-7-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2804-6-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/2804-5-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4332-45-0x0000000000AC0000-0x0000000000C51000-memory.dmp

Filesize
1.6MB

Download
memory/4332-0-0x0000000000AC0000-0x0000000000C51000-memory.dmp

Filesize
1.6MB

Download