xmrig | hxxps://disk[.]yandex[.]ru/d/fNZtoEnaBxVvEQ

Analysis

max time kernel
119s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.ru/d/fNZtoEnaBxVvEQ

Score

10^/10

xmrig evasion execution miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/1644-326-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1644-327-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1644-328-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1644-325-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1644-324-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1644-322-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1644-321-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3332	powershell.exe
772	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
4312	EXSET.exe
640	sejfuydtrkne.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1644-317-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1644-316-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1644-326-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1644-327-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1644-328-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1644-325-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1644-324-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1644-322-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1644-321-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1644-320-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1644-318-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1644-319-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
249	raw.githubusercontent.com
250	raw.githubusercontent.com
251	raw.githubusercontent.com
252	raw.githubusercontent.com
253	raw.githubusercontent.com
246	raw.githubusercontent.com
244	raw.githubusercontent.com
245	raw.githubusercontent.com
248	raw.githubusercontent.com
254	raw.githubusercontent.com
242	raw.githubusercontent.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	sejfuydtrkne.exe
File opened for modification	C:\Windows\system32\MRT.exe	EXSET.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 640 set thread context of 684	640	sejfuydtrkne.exe	159
PID 640 set thread context of 1644	640	sejfuydtrkne.exe	162

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3292	sc.exe
1880	sc.exe
4052	sc.exe
1704	sc.exe
3504	sc.exe
1944	sc.exe
440	sc.exe
816	sc.exe
4760	sc.exe
4364	sc.exe
3788	sc.exe
3936	sc.exe
2136	sc.exe
3536	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	conhost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133630126652572477"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2060	chrome.exe
2060	chrome.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
4312	EXSET.exe
3332	powershell.exe
3332	powershell.exe
3332	powershell.exe
4312	EXSET.exe
4312	EXSET.exe
4312	EXSET.exe
4312	EXSET.exe
4312	EXSET.exe
4312	EXSET.exe
4312	EXSET.exe
4312	EXSET.exe
4312	EXSET.exe
4312	EXSET.exe
4312	EXSET.exe
4312	EXSET.exe
3468	taskmgr.exe
3468	taskmgr.exe
4312	EXSET.exe
4312	EXSET.exe
640	sejfuydtrkne.exe
772	powershell.exe
772	powershell.exe
772	powershell.exe
3468	taskmgr.exe
3468	taskmgr.exe
640	sejfuydtrkne.exe
640	sejfuydtrkne.exe
640	sejfuydtrkne.exe
640	sejfuydtrkne.exe
640	sejfuydtrkne.exe
640	sejfuydtrkne.exe
640	sejfuydtrkne.exe
640	sejfuydtrkne.exe
640	sejfuydtrkne.exe
640	sejfuydtrkne.exe
640	sejfuydtrkne.exe
640	sejfuydtrkne.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
1644	conhost.exe
1644	conhost.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
4864	7zG.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe
3468	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1628	2060	chrome.exe	81
PID 2060 wrote to memory of 1628	2060	chrome.exe	81
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 2508	2060	chrome.exe	83
PID 2060 wrote to memory of 3340	2060	chrome.exe	84
PID 2060 wrote to memory of 3340	2060	chrome.exe	84
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85
PID 2060 wrote to memory of 4416	2060	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://disk.yandex.ru/d/fNZtoEnaBxVvEQ
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb9277ab58,0x7ffb9277ab68,0x7ffb9277ab78
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1840,i,16643830982920099835,17347519806979146720,131072 /prefetch:2
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1840,i,16643830982920099835,17347519806979146720,131072 /prefetch:8
  2⤵
  PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1840,i,16643830982920099835,17347519806979146720,131072 /prefetch:8
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1840,i,16643830982920099835,17347519806979146720,131072 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1840,i,16643830982920099835,17347519806979146720,131072 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4176 --field-trial-handle=1840,i,16643830982920099835,17347519806979146720,131072 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1840,i,16643830982920099835,17347519806979146720,131072 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1840,i,16643830982920099835,17347519806979146720,131072 /prefetch:8
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 --field-trial-handle=1840,i,16643830982920099835,17347519806979146720,131072 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1840,i,16643830982920099835,17347519806979146720,131072 /prefetch:8
  2⤵
  PID:1616

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1844

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5064

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap25430:68:7zEvent27454
1⤵
- Suspicious use of FindShellTrayWindow
PID:4864

C:\Users\Admin\Desktop\EXSET.exe
"C:\Users\Admin\Desktop\EXSET.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4312
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3324
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2344
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1880
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4052
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1944
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2136
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3292
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:2044
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:4500
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:4460
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:800
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "XAOOJKMC"
  2⤵
  - Launches sc.exe
  PID:3788
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "XAOOJKMC" binpath= "C:\ProgramData\zylotjixmopg\sejfuydtrkne.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:3936
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:816
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "XAOOJKMC"
  2⤵
  - Launches sc.exe
  PID:3536

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3468

C:\ProgramData\zylotjixmopg\sejfuydtrkne.exe
C:\ProgramData\zylotjixmopg\sejfuydtrkne.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:640
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1532
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4068
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:440
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1704
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4760
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4364
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3504
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:4136
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:1688
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:388
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:4864
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:684
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\864171f5-3fdd-4627-ba2a-3bcb0d4983fc.tmp

Filesize
7KB

MD5
4028f380e6f8af11996041bc0608fc23

SHA1
549673ad5b232bc42fba0928c043f5a06b84b7f8

SHA256
686328c69379f89da52ecfefedb1f2f32b4af55bcf616c4cdc862ae243136bff

SHA512
8be50b30fa7c5caae70bb881e2737946ca3697390f9ad125238e694b279de5752f947b856463e25aa4a42f00d8df28072a39925296100bed2a8d4c7302ba57ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016

Filesize
55KB

MD5
04b46dd7b8f437825e4b2892ccd3bd1e

SHA1
3d7b28c828e39e88baa05c54ce2d0ad9c183236d

SHA256
65cd73f30109c4a68734de37e5e15ff3209351c327fc4cc262b548c024adb05b

SHA512
7494460c41b34a798ac29657ffbbc5170819ce54f423d48eec5627fad3fdfae8914c3ab822ead6bda2c432d1811f6db40a10857aa8176c5aca5024381b626b67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
2496640526f5ae12a780ff9f6f7365c9

SHA1
d8b6cd7b0fd00621ef525c1ff5b788f4d3ff4c5d

SHA256
0131e8fe133670ef665282a0df6430b0994c69c4b4718ff10373312149fd4b46

SHA512
d32afe65e484e89213254544e3215aa9d3f34b868fdaf8e793429bca77d107bdf00b0fd160a33a40711e55bd533376d12d492595ef7c637cb96a2604c7911d27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\001\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
ac0bd098ee8d1399271efcb4f6debac8

SHA1
db4c0e32193139411aa883b83db024aaac1debb5

SHA256
c96aabf3137d021515e51b092124dee473cd0ef90ff90157363757ed2aa48a2d

SHA512
cbf0288c148e38d19ad11e5dd9a7549171c1ca12cf5ae7ee214e6cd7fe542e40ebbcd01ace97ae01d113957bf7d456ff59bd252abcc2de07817c751c16cf4be9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
dbfdc31be9c6250522571d7c7e7e03f9

SHA1
a8eed728467e206210917e480339cc7a905bf6e8

SHA256
bd9f211bddf63d7e34bd93a2c23c41d3eee04e6ecae638d5667111c774e82a2c

SHA512
3de92948089f5aa42d50d43a29959a38e8fe8b4fa65ec39f79143e7501f4e68c67b8111df0e51a01bee0f0e18798655bc3f30b89cfca9b3c912c558354141c27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
93f5169e200b5d6b6452d3627ae11da9

SHA1
323dc7fd43f61bbaa612934521874e8d52a1060a

SHA256
046e8ac9d32617f49adc8053e7aa30c6353ea7b575cf501fc244972be4fe7a02

SHA512
e16d60ce5e8f82df0fc51e0468e30a5f9b25f85958d45d430934560b1afa6e1e37386bb5af665f7d1d0abb97e7f869001f4f46cb0eaa2e45b504967d71a96168

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c24eb184027ffe441bc4141e5639c3bf

SHA1
16e64c7f1d642ae599ce048ff6e072c902790110

SHA256
cbf73f14b10e1543b2af8bc39c595b0d0bb79e1165d962cd09d9dcfb95fea709

SHA512
f8e273776ca124a9c5895cdaa88124a45fd8104606ed60c6cc0db7507978a2296b3ca80c3d1d225db83484398dd4c9dc3961c5eb21fa6ecc31b3d61e2bcb9597

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3f07b093fb7d1133af0482e301b6eebd

SHA1
bbaa9977bcd5df870446f3be5f2b0026db6f2a84

SHA256
07f8fe4fa731dfc71b52ecd364b50d163edeb1b5ce8f6951c6260a6478e905da

SHA512
426506418eedf05d0a9e4ef903019c490d1edf60ecc0c0cf4faa08f6491a0fad726dbf5775fff1b1c1719d04af9d0155d3348578a71b4c09196fff8917fb941e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
cd7b6af8717a47afaa14c41afa1b3e09

SHA1
b497f34b32742b2843cbff2c6da83a4446977c3d

SHA256
176fae3fc32c86565f33649314a492413e85bd46e9b4a7e3a23febae1b8dd57c

SHA512
d758de1aae57877a03dc4f6c717373f27292d5e716206e90fc0a43cb075e89b90b7e1d34bddfeea2b54254b300fdf77c0f86b8f8603dca908c7a25123a4721ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
94KB

MD5
72468be28c5b118fd0fb984cb9926fab

SHA1
dbda0d16367da95cfe97e5f1773eb8583db28db6

SHA256
be3fb9b1dad3eab4a6c031227a4c50847e2ce9ab5b37946e86091036d760747b

SHA512
ccc5915e0b941d04ed804e4eeae2f8debc9e3ef42fd5af5048009e036fe5b5cbc2e9b15565c9d1ce23df640c54267ca63dc8058bc1aff93762217bfd4a5c4134

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57a662.TMP

Filesize
88KB

MD5
d0962fbb7064055979e5c7ccccaba892

SHA1
af65a483c98cacffa5029c8faccdb4db93da689a

SHA256
d1e0174dd3e6e2310d5521a2f3454052c24f92dc08a0ee6165fd04b7fad8279d

SHA512
1c85ef2a9fe9a07abca6862880055ecacf03645f3d77d222ad322ee20d3eac960a0b8b08677c0760bfab37c92f10d8412dbf6f527224e25cd1c6ffa8daa99575

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pypicgdc.doq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\EXSET.exe

Filesize
5.0MB

MD5
6151a82c13296ebc82b40e6ccf718c7d

SHA1
cadce1e23c0697638b13fa10a9ad4c2c460f51ad

SHA256
565e52f25b220e2258421cf3772cd8c63dd92f67391ff1e1daa79db21d6073dc

SHA512
37104b45e0552405b424a887b8981746a51205c62f52d26f7bd58d59d1491664bd28e32222b7731c0faeb9743fa2848af3a72ce3fa8cc8946aa82cb05e0f3021

Download Submit
C:\Users\Admin\Desktop\EXSET.rar

Filesize
4.0MB

MD5
02dcababe12611e45ecca4f9a48291a8

SHA1
d567fe55eb393620c59d5dc76f084d66c1c5f72c

SHA256
27492ad8228c3f653c667182654e86ca62a2026602f87c4895918fe1b498885e

SHA512
80f508a964326d04a2763f7d08f0161cd6f970c56bebf7cd846038e50892b232754c4e24862bf47322094ad7afbc97208e16647e08b7666dfe10fb361db840db

Download Submit
memory/684-309-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/684-311-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/684-312-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/684-308-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/684-315-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/684-310-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/772-297-0x0000026A70730000-0x0000026A7074C000-memory.dmp

Filesize
112KB

Download
memory/772-301-0x0000026A70950000-0x0000026A7095A000-memory.dmp

Filesize
40KB

Download
memory/772-305-0x0000026A709A0000-0x0000026A709AA000-memory.dmp

Filesize
40KB

Download
memory/772-304-0x0000026A70990000-0x0000026A70996000-memory.dmp

Filesize
24KB

Download
memory/772-303-0x0000026A70960000-0x0000026A70968000-memory.dmp

Filesize
32KB

Download
memory/772-302-0x0000026A709B0000-0x0000026A709CA000-memory.dmp

Filesize
104KB

Download
memory/772-298-0x0000026A70750000-0x0000026A70805000-memory.dmp

Filesize
724KB

Download
memory/772-299-0x0000026A70720000-0x0000026A7072A000-memory.dmp

Filesize
40KB

Download
memory/772-300-0x0000026A70970000-0x0000026A7098C000-memory.dmp

Filesize
112KB

Download
memory/1644-316-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1644-321-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1644-319-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1644-318-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1644-320-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1644-317-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1644-322-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1644-324-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1644-325-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1644-323-0x0000017A67DB0000-0x0000017A67DD0000-memory.dmp

Filesize
128KB

Download
memory/1644-326-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1644-327-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1644-328-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3332-264-0x000002196CDA0000-0x000002196CDC2000-memory.dmp

Filesize
136KB

Download
memory/3468-258-0x00000185EA1C0000-0x00000185EA1C1000-memory.dmp

Filesize
4KB

Download
memory/3468-262-0x00000185EA1C0000-0x00000185EA1C1000-memory.dmp

Filesize
4KB

Download
memory/3468-261-0x00000185EA1C0000-0x00000185EA1C1000-memory.dmp

Filesize
4KB

Download
memory/3468-260-0x00000185EA1C0000-0x00000185EA1C1000-memory.dmp

Filesize
4KB

Download
memory/3468-257-0x00000185EA1C0000-0x00000185EA1C1000-memory.dmp

Filesize
4KB

Download
memory/3468-259-0x00000185EA1C0000-0x00000185EA1C1000-memory.dmp

Filesize
4KB

Download
memory/3468-263-0x00000185EA1C0000-0x00000185EA1C1000-memory.dmp

Filesize
4KB

Download
memory/3468-253-0x00000185EA1C0000-0x00000185EA1C1000-memory.dmp

Filesize
4KB

Download
memory/3468-252-0x00000185EA1C0000-0x00000185EA1C1000-memory.dmp

Filesize
4KB

Download
memory/3468-251-0x00000185EA1C0000-0x00000185EA1C1000-memory.dmp

Filesize
4KB

Download