socelars | 653d0cdec49318d4d6931e1fdb2a6e9e06b55583ee1b6271324e705fa4f1e55c

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
27/02/2025, 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Size

1.5MB
MD5

8685397030bbd818fe541e1e95390b98
SHA1

16d5614ac965bf805e5829ee251e8153e0d59334
SHA256

653d0cdec49318d4d6931e1fdb2a6e9e06b55583ee1b6271324e705fa4f1e55c
SHA512

b150ff82b2b6da509f99ced91a01807b1c6f25dde673d6f8c07ee7e9197bda38db6798a96ebcedb4bdcd13c8731418ec0849514bf10fc758208dfe59a17a6ac6
SSDEEP

24576:VsLp0FasdJu/+/dfMs2KLoyaU/5DeTgtMyPtTopLo/yydpgYE:ipncZO+HCyPtToZo6ydpgB

Score

10^/10

socelars discovery spyware stealer upx

Malware Config

Extracted

Family

socelars

https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars

Socelars payload 2 IoCs

resource	yara_rule
behavioral2/memory/2936-0-0x00000000000D0000-0x0000000000261000-memory.dmp	family_socelars
behavioral2/memory/2936-46-0x00000000000D0000-0x0000000000261000-memory.dmp	family_socelars

Executes dropped EXE 1 IoCs

pid	Process
2876	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnitmgr.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
30	iplogger.org
31	iplogger.org

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x005a000000023c4e-3.dat	upx
behavioral2/memory/2876-4-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/2876-8-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1268	2876	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnitmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2160	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133851136180942634"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4020	chrome.exe
4020	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeAssignPrimaryTokenPrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeLockMemoryPrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeIncreaseQuotaPrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeMachineAccountPrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeTcbPrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeSecurityPrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeTakeOwnershipPrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeLoadDriverPrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeSystemProfilePrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeSystemtimePrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeProfSingleProcessPrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeIncBasePriorityPrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeCreatePagefilePrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeCreatePermanentPrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeBackupPrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeRestorePrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeShutdownPrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeDebugPrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeAuditPrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeSystemEnvironmentPrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeChangeNotifyPrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeRemoteShutdownPrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeUndockPrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeSyncAgentPrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeEnableDelegationPrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeManageVolumePrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeImpersonatePrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeCreateGlobalPrivilege	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: 31	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: 32	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: 33	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: 34	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: 35	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
Token: SeDebugPrivilege	2160	taskkill.exe
Token: SeShutdownPrivilege	4020	chrome.exe
Token: SeCreatePagefilePrivilege	4020	chrome.exe
Token: SeShutdownPrivilege	4020	chrome.exe
Token: SeCreatePagefilePrivilege	4020	chrome.exe
Token: SeShutdownPrivilege	4020	chrome.exe
Token: SeCreatePagefilePrivilege	4020	chrome.exe
Token: SeShutdownPrivilege	4020	chrome.exe
Token: SeCreatePagefilePrivilege	4020	chrome.exe
Token: SeShutdownPrivilege	4020	chrome.exe
Token: SeCreatePagefilePrivilege	4020	chrome.exe
Token: SeShutdownPrivilege	4020	chrome.exe
Token: SeCreatePagefilePrivilege	4020	chrome.exe
Token: SeShutdownPrivilege	4020	chrome.exe
Token: SeCreatePagefilePrivilege	4020	chrome.exe
Token: SeShutdownPrivilege	4020	chrome.exe
Token: SeCreatePagefilePrivilege	4020	chrome.exe
Token: SeShutdownPrivilege	4020	chrome.exe
Token: SeCreatePagefilePrivilege	4020	chrome.exe
Token: SeShutdownPrivilege	4020	chrome.exe
Token: SeCreatePagefilePrivilege	4020	chrome.exe
Token: SeShutdownPrivilege	4020	chrome.exe
Token: SeCreatePagefilePrivilege	4020	chrome.exe
Token: SeShutdownPrivilege	4020	chrome.exe
Token: SeCreatePagefilePrivilege	4020	chrome.exe
Token: SeShutdownPrivilege	4020	chrome.exe
Token: SeCreatePagefilePrivilege	4020	chrome.exe
Token: SeShutdownPrivilege	4020	chrome.exe
Token: SeCreatePagefilePrivilege	4020	chrome.exe
Token: SeShutdownPrivilege	4020	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe
4020	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2876	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe	84
PID 2936 wrote to memory of 2876	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe	84
PID 2936 wrote to memory of 2876	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe	84
PID 2936 wrote to memory of 216	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe	91
PID 2936 wrote to memory of 216	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe	91
PID 2936 wrote to memory of 216	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe	91
PID 216 wrote to memory of 2160	216	cmd.exe	93
PID 216 wrote to memory of 2160	216	cmd.exe	93
PID 216 wrote to memory of 2160	216	cmd.exe	93
PID 2936 wrote to memory of 4020	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe	99
PID 2936 wrote to memory of 4020	2936	2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe	99
PID 4020 wrote to memory of 5004	4020	chrome.exe	100
PID 4020 wrote to memory of 5004	4020	chrome.exe	100
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 4080	4020	chrome.exe	101
PID 4020 wrote to memory of 2524	4020	chrome.exe	102
PID 4020 wrote to memory of 2524	4020	chrome.exe	102
PID 4020 wrote to memory of 3448	4020	chrome.exe	103
PID 4020 wrote to memory of 3448	4020	chrome.exe	103
PID 4020 wrote to memory of 3448	4020	chrome.exe	103
PID 4020 wrote to memory of 3448	4020	chrome.exe	103
PID 4020 wrote to memory of 3448	4020	chrome.exe	103
PID 4020 wrote to memory of 3448	4020	chrome.exe	103
PID 4020 wrote to memory of 3448	4020	chrome.exe	103
PID 4020 wrote to memory of 3448	4020	chrome.exe	103
PID 4020 wrote to memory of 3448	4020	chrome.exe	103
PID 4020 wrote to memory of 3448	4020	chrome.exe	103
PID 4020 wrote to memory of 3448	4020	chrome.exe	103
PID 4020 wrote to memory of 3448	4020	chrome.exe	103
PID 4020 wrote to memory of 3448	4020	chrome.exe	103
PID 4020 wrote to memory of 3448	4020	chrome.exe	103
PID 4020 wrote to memory of 3448	4020	chrome.exe	103
PID 4020 wrote to memory of 3448	4020	chrome.exe	103
PID 4020 wrote to memory of 3448	4020	chrome.exe	103
PID 4020 wrote to memory of 3448	4020	chrome.exe	103
PID 4020 wrote to memory of 3448	4020	chrome.exe	103

C:\Users\Admin\AppData\Local\Temp\2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnit.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnitmgr.exe
  C:\Users\Admin\AppData\Local\Temp\2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnitmgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 264
    3⤵
    - Program crash
    PID:1268
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffc5778cc40,0x7ffc5778cc4c,0x7ffc5778cc58
    3⤵
    PID:5004
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1856,i,1599370304338011527,12607637537860768659,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1852 /prefetch:2
    3⤵
    PID:4080
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,1599370304338011527,12607637537860768659,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2188 /prefetch:3
    3⤵
    PID:2524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,1599370304338011527,12607637537860768659,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2416 /prefetch:8
    3⤵
    PID:3448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3108,i,1599370304338011527,12607637537860768659,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3116 /prefetch:1
    3⤵
    PID:2532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,1599370304338011527,12607637537860768659,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3160 /prefetch:1
    3⤵
    PID:4980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3828,i,1599370304338011527,12607637537860768659,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3840 /prefetch:2
    3⤵
    PID:2580
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4664,i,1599370304338011527,12607637537860768659,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2248 /prefetch:1
    3⤵
    PID:2616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4872,i,1599370304338011527,12607637537860768659,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4848 /prefetch:8
    3⤵
    PID:1624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4864,i,1599370304338011527,12607637537860768659,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4960 /prefetch:8
    3⤵
    PID:4836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4988,i,1599370304338011527,12607637537860768659,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4952 /prefetch:8
    3⤵
    PID:1160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5168,i,1599370304338011527,12607637537860768659,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5180 /prefetch:8
    3⤵
    PID:4392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5196,i,1599370304338011527,12607637537860768659,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4952 /prefetch:8
    3⤵
    PID:1908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5464,i,1599370304338011527,12607637537860768659,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4908 /prefetch:8
    3⤵
    PID:3412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5324,i,1599370304338011527,12607637537860768659,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5440 /prefetch:8
    3⤵
    PID:4800
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5480,i,1599370304338011527,12607637537860768659,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5448 /prefetch:8
    3⤵
    PID:2784
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5652,i,1599370304338011527,12607637537860768659,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5620 /prefetch:2
    3⤵
    PID:5436
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5328,i,1599370304338011527,12607637537860768659,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4904 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2876 -ip 2876
1⤵
PID:4184

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png

Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js

Filesize
19KB

MD5
5d41756a525e0f677a5042a806b6029e

SHA1
887d30efe472131846c993a2cf19c86bc24c48d4

SHA256
8a1b4636664429f3e06ffa983055356a487b00c35d326181c6622772a1dc47dd

SHA512
02428383550553523015f19742cb2a4d33fd194bd59cb29ae5aed73c99e2e990dd438124a5a702a04831e8be15a4702b90728bcd4435b5bdddcfaf7c2e239005

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js

Filesize
3KB

MD5
368dbd669e86a3e5d6f38cf0025a31fd

SHA1
93c6f457d876646713913f3fa59f44a9a373ff03

SHA256
40d6653a91bd77ecbd6e59151febb0d8b157b66706aab53d4c281bb1f2fe0cd6

SHA512
24881d53e334510748f51ce814c6e41c4de2094fd3acc1f250f8a73e26c64d5a74430b6c891fc03b28fb7bddfcf8b540edcf86498d2bb597e70c2b80b172ee7e

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json

Filesize
1KB

MD5
6da6b303170ccfdca9d9e75abbfb59f3

SHA1
1a8070080f50a303f73eba253ba49c1e6d400df6

SHA256
66f5620e3bfe4692b14f62baad60e3269327327565ff8b2438e98ce8ed021333

SHA512
872957b63e8a0d10791877e5d204022c08c8e8101807d7ebe6fd537d812ad09e14d8555ccf53dc00525a22c02773aa45b8fa643c05247fb0ce6012382855a89a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8bc6fc8081a18a9eabe2b3623bff5226

SHA1
f0f9946a546759f3c9f733c510376cc71d05ea6c

SHA256
fe7c009b266971b36b19670cc9da0b2ae9f217c858cc8a7eec81947485675b8e

SHA512
6b0c4c3a3e293d370d9139cb70b79af0fc10f485469b7eb75f843b67373c00387422dfe8db2440a62b1aaacfe7655938fd2040a998113aed474e82b123d7736d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
555ac0097a58e4910c577894b5e6bd7c

SHA1
46dd0047dfb4339f06765be741aea510e547d57b

SHA256
3473a6fb8a5140d41e1d73c9ef3cfb12d6459d764c73c035f1363c897ab39a14

SHA512
c3e664b5efe9d6a0628a5402c1c78f9dc1343e104f62d4d01d09a2a9ca09bdef30777dc48b83a5a98464fe44ea5d5fb33b43b4dff605b62ca3e1fb107fafd0c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
4fc8f93c78c1ca77f2a5746fa9455717

SHA1
fe04056ff735b5632f576dc93ad2e95d71345562

SHA256
a86bfc7a48b0c929757612468b0c0995a180d56117df05de90df1fd80257da8c

SHA512
705dd939e8d21d5479c3f7b9acaf62863856a5509b77d6465109fa067d2887c6a123d2c069f1c06fa8d1f1270c6b1ea82284b1aa1eff4a5a4c9e575ad36cc162

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
49b5e3481c77b6f6abcdd50fa2aeb6b0

SHA1
450bbe890739120c3806928e9b532f369b817625

SHA256
054dba09d7c82ed9f5627be2f2814a2410399a57f23e5bd55185cdc2caf44d2f

SHA512
a922fdbd6664b2f762ceca156b4d7f8089629c8d87fa6edc574e9d685383d718911d4a1a4dd442c9f954711b27ad26c5920783d53579fd3331d5aadbd3a13bf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
c588ab7dcdb392efad26f19b78763b8c

SHA1
138c5e0c3e302f481dd88cb95d9dddf22384cb65

SHA256
db64379cddf42fb32836179d37a463fc1cf9ae0d7683dc035def9f6610c3b7b4

SHA512
87ffe61e4e7585fad84ad9bd4b330186fcdd9d9fa7fa1f41168bfab6bf8ba37f3a6ab783aa8ab0450999dce30ef53825339b83e0852a35cd7d69bb2ecd21f955

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
29171172d08e0bbc6ad36eaa50a7ef36

SHA1
6f922262c9e70bd9281ed89339867ec0461da95b

SHA256
3f14821e5ec9838aaadff91231d2c6115267f2d5ec680082f229d459d8c179e9

SHA512
2c16cab5cb394898a3046be970d1c4521a2f6147d3d4dd21612564aae4f171b876741ee205c6b739fc3e4c345f4fc6ef3eb1e63245e97a708706dcb6bf7aa69e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
5c5c12a0e95d6faf25448438e9d166f8

SHA1
eca55df8ca903edc2edf4314a752af51cc75817f

SHA256
32d010c79987162fabe0b2c07be2cd250d98ce252e375f1a0da1fa6336088157

SHA512
5c001e13ce1e43270b17302aded790a815fca1ab5f986a994fc39fef765680782ac2fc963a452538c363ab2b957aaedbb79bd267e6cb21f36daa392b5835a67b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
045493a213bb94f3ce61119e5cddedd1

SHA1
ab4d1940c7a1488c35de8bd073168f176c1759d9

SHA256
ad7dede16cd768095d21ea39254a7977137ae943adee4546b7e144f9008ff214

SHA512
507333848b9ef155eff0de845504220108ad2cd49a0514262c579d6614c31ba667e99f130068fd4a40495776779fb3efb126beca642b56bae0f8e8c63b6f59e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ea9ab501af1ef922025f792789a5743b

SHA1
ea28c6bb5f47ebdce70414be70bffd28f53a917b

SHA256
6d8a72d1380909ccc6fd2d5fa4be1af930c34659a926c221bdfde1c8664f9e94

SHA512
df24a956a4c6b7d7403b3b7bde2cd2adfae162e3570a26f91cb8ae1c4d266c6fcd3f119930e5787ca077e01998f7620584902721c4908d24aaf2a42d249a73a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
454546d02ef2a705c8a8cfd0d434ae6e

SHA1
10c7a5544b32ee194650256ff63d0139a83b6e48

SHA256
e667a0c22ca9c5973a9d410664feb75df61c7d7c5ebff1e2987d42090c0cceb4

SHA512
d2c208159bfdaf19d4650530e7c8c7862cb5090ef72822368c8209a533b8c61b6cc82f2cf35361365c53176ade9d9274138a9732149431c6dc6e0315985ae5c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5709692e963456eb012a332a757581ae

SHA1
68cf7725d6e98ee3b9c674d4e2f73c4d7eb2eec5

SHA256
4ade27fbbc30310ad7bd4393c558821bf8637be5a6a48ca7d7731284517afe5e

SHA512
d6e5dbf0c09c2a9f41f4d6a4f9617cc9894eacd06a9988b5922f9424a162dbecba8fb8d313fa4b2a68395cd1ee5eb992f5a0462dc2067a5597f35e3617f2f6ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
aab08b56330a9c4be79a9ed550187d00

SHA1
76f9eab1fd09f068b39be03ae938b2402468f01a

SHA256
4e437ec830dc29bdfca3d5a98a924bd4dbcf5d92376820b755a8af76cb0ea36f

SHA512
b3146fcd747c598709c966edea5ddf9f59d984bee326124081722eed4626edc8b1ae44528a30b72b771707829ebf5ab3472f0c077da9ba0f126f64c974994dd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
5ee2ae5b7dc7e387155a9ca5ec55d6b8

SHA1
efa01544325aa56b8eb8cc9d2558e48a0a7de684

SHA256
a5e5215c2d6a4ee31bf870f34a2acb47db3d568718b0f09a838811f9599f840e

SHA512
f27a1bf2b9717ce063f4702ce1f90252fdfb6bf4e37e6d202c75b45ce5573e0a40cacc733912099e131c9396e6fedd9d5a4707d2e6ca849bffc0a688ca9e2b59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
06505b2b832aeefa584670dda665ba19

SHA1
1ee6dd8d7db56d285d95703c937fad259fb1ecf7

SHA256
82cc4bf9f9006c9d90003be5d281d80d7b5d0c14ac02358aa5849aeb0dcba5b8

SHA512
34756048ea1f2fcf74f8c4ef7395512d15b3683b5d2c11685ec51e61fec1f1fd0076f6d0cadf0913f19dabd9738d6a459d38eeb63a8d167e2392e6521f37b85d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
af9a7d10be21d080db64f044ba724e18

SHA1
15b9985db5e1985dec732b83f55fd14a4616b97b

SHA256
6765b9afb200886936c32d713c475aefbebb1c053ad81442117e4bdd54ead1fd

SHA512
e7a4bf277f3f14e6aad082a64faf54b8668686c816bdde5dfdff973d527990936f00de178614b502b3e409ba2ab61e1008770af5da33be588aabc4c5f342c9d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
05535439d1c3717af4bd074375aeb5b0

SHA1
2026708bd1dabaa3cf27b99ec44a823f61dbca0d

SHA256
29d842f81b92b29e9dca63072eef1fa696a63e60f40f1bea73559782c5526428

SHA512
634457f01f7411212e852c8324e9a4faab12e5060eee5912042d6fb0f524aa33af491dc6779ceb6c523c369f18f6de33f0520956a79e5c3e9370a19d5e601ec8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
d784448c6acb1cc6406c2f2fc28e9f8f

SHA1
f0c310c4bbc7c00268b1c83c33008355bea895a2

SHA256
8dd782be99fe7550fd1acfa54c056091d5909b941e97058eab007ddd84224110

SHA512
355bfc9645be2ff58631645a318f6d03dfd55db6f76ebeb037bf3ea189d7a06c0d9282eebb3617cbcf91d603fb7702d7313371cebf5e1ba15f1f8725cf14e276

Download Submit
C:\Users\Admin\AppData\Local\Temp\2025-02-27_8685397030bbd818fe541e1e95390b98_avoslocker_luca-stealer_ramnitmgr.exe

Filesize
105KB

MD5
d5ca6e1f080abc64bbb11e098acbeabb

SHA1
1849634bf5a65e1baddddd4452c99dfa003e2647

SHA256
30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

SHA512
aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4020_1268112675\9be5af8f-249a-48bc-80f7-9281c9195eab.tmp

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4020_1268112675\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
memory/2876-6-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/2876-8-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2876-4-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2936-46-0x00000000000D0000-0x0000000000261000-memory.dmp

Filesize
1.6MB

Download
memory/2936-0-0x00000000000D0000-0x0000000000261000-memory.dmp

Filesize
1.6MB

Download