xworm | f9893dff26df005089614d3b3f3de8b9a9b1a67cd2081345c1973f420350eac7

Analysis

max time kernel
233s
max time network
336s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RobloxCheat.exe
Size

61KB
MD5

1173330bc76af605137db64a6377f523
SHA1

09713c6e32cc1304dcb40604a1695d7830ceffe3
SHA256

f9893dff26df005089614d3b3f3de8b9a9b1a67cd2081345c1973f420350eac7
SHA512

57baf32951fb5f23758154eee655773de8d1a11552a97ea8bf52368c2d8d4869ef410ed76f29575aebb09e5454bd5844863fbdeb05952f2b0e76091712b32b24
SSDEEP

1536:oHdD3qptlFkbr9H8pV2Vi6lMVOElJJuJXc:Kxq3kbrx8pMVeOElJcJM

Score

10^/10

xworm execution persistence pyinstaller rat trojan upx

Malware Config

Extracted

Family

xworm

amount-acceptance.gl.at.ply.gg:7420

Attributes

Install_directory
%ProgramData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2108-1-0x0000000000C50000-0x0000000000C66000-memory.dmp	family_xworm
behavioral1/files/0x000d000000012272-1014.dat	family_xworm
behavioral1/memory/1276-1016-0x00000000013C0000-0x00000000013D6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2664	powershell.exe
2668	powershell.exe
2176	powershell.exe
2112	powershell.exe

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	RobloxCheat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	RobloxCheat.exe

Executes dropped EXE 9 IoCs

pid	Process
1984	ajgdmb.exe
1236	Process not Found
824	dhgfoi.exe
2084	dhgfoi.exe
1276	svchost.exe
2532	svchost.exe
2548	svchost.exe
1592	python-3.12.4-amd64.exe
1136	python-3.12.4-amd64.exe

Loads dropped DLL 8 IoCs

pid	Process
2108	RobloxCheat.exe
1236	Process not Found
2108	RobloxCheat.exe
824	dhgfoi.exe
2084	dhgfoi.exe
1236	Process not Found
1592	python-3.12.4-amd64.exe
1136	python-3.12.4-amd64.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001949f-1010.dat	upx
behavioral1/memory/2084-1012-0x000007FEEE050000-0x000007FEEE638000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost.exe"	RobloxCheat.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0024000000016572-956.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f04e26e6cfcbda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000aebf265ecc9e3d3c836c9155e0931744acfd7a05d44a532404b87ee743c668e6000000000e800000000200002000000035ac15fcfc2d6c06587e127d3fbf8767e5f5e5ff7067652b51f2c6ed22fa898f900000007160e7cfd6dcca9f245c4f9db4a35fad4bf70c0718b0197ba67d32f3074946d20d584e88c10a6369ec5da0ca00d27b6049b4c6f6f38c4e70294107245fac39befb38661473a7a29175819a43986ce532c01ea66a561cce2318282cc380289fff58a6443eff434fabede31842e4e822b21b9030475c94441b20d2d2ee83881382a02534f97291762bc5d39e5aef5e583e40000000f922244ca63e7cd7d7a93cf0362f5cede41b7c4142bf13cbb5c232c0628b992559b646d57de622a7df46bf6d35e0a37ae0ef9a71ee93e38b9a27b61adb3795c0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1095DCF1-37C3-11EF-917C-6A2211F10352} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000c6b27f127a250b4163b466c48b2fa96de035eac6608da58763a81f7afa1e937a000000000e8000000002000020000000fede5f5ec171b8ace0fba918692d3933540f31b4240c01d1703a6df572cc1b7f200000000af8d8c450f64b347ff8f72b6e6b3263374ba038e2f94471dbb1279ba698d57540000000e95209b9371f04705109209c0e84c94e2e9cd629f0cd2720e1d4c0167a08d27dcee8ac57e1ee1218e92e1dcba86e7e4ae29a17531abcf59550cbf20c2dd07435	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2176	powershell.exe
2112	powershell.exe
2664	powershell.exe
2668	powershell.exe
2176	chrome.exe
2176	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	RobloxCheat.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2108	RobloxCheat.exe
Token: SeDebugPrivilege	1276	svchost.exe
Token: SeDebugPrivilege	2532	svchost.exe
Token: SeDebugPrivilege	2548	svchost.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
2256	iexplore.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2256	iexplore.exe
2256	iexplore.exe
348	IEXPLORE.EXE
348	IEXPLORE.EXE
348	IEXPLORE.EXE
348	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2176	2108	RobloxCheat.exe	28
PID 2108 wrote to memory of 2176	2108	RobloxCheat.exe	28
PID 2108 wrote to memory of 2176	2108	RobloxCheat.exe	28
PID 2108 wrote to memory of 2112	2108	RobloxCheat.exe	30
PID 2108 wrote to memory of 2112	2108	RobloxCheat.exe	30
PID 2108 wrote to memory of 2112	2108	RobloxCheat.exe	30
PID 2108 wrote to memory of 2664	2108	RobloxCheat.exe	32
PID 2108 wrote to memory of 2664	2108	RobloxCheat.exe	32
PID 2108 wrote to memory of 2664	2108	RobloxCheat.exe	32
PID 2108 wrote to memory of 2668	2108	RobloxCheat.exe	34
PID 2108 wrote to memory of 2668	2108	RobloxCheat.exe	34
PID 2108 wrote to memory of 2668	2108	RobloxCheat.exe	34
PID 2108 wrote to memory of 2804	2108	RobloxCheat.exe	36
PID 2108 wrote to memory of 2804	2108	RobloxCheat.exe	36
PID 2108 wrote to memory of 2804	2108	RobloxCheat.exe	36
PID 2108 wrote to memory of 1984	2108	RobloxCheat.exe	39
PID 2108 wrote to memory of 1984	2108	RobloxCheat.exe	39
PID 2108 wrote to memory of 1984	2108	RobloxCheat.exe	39
PID 1984 wrote to memory of 2256	1984	ajgdmb.exe	40
PID 1984 wrote to memory of 2256	1984	ajgdmb.exe	40
PID 1984 wrote to memory of 2256	1984	ajgdmb.exe	40
PID 2256 wrote to memory of 348	2256	iexplore.exe	42
PID 2256 wrote to memory of 348	2256	iexplore.exe	42
PID 2256 wrote to memory of 348	2256	iexplore.exe	42
PID 2256 wrote to memory of 348	2256	iexplore.exe	42
PID 2108 wrote to memory of 824	2108	RobloxCheat.exe	46
PID 2108 wrote to memory of 824	2108	RobloxCheat.exe	46
PID 2108 wrote to memory of 824	2108	RobloxCheat.exe	46
PID 824 wrote to memory of 2084	824	dhgfoi.exe	47
PID 824 wrote to memory of 2084	824	dhgfoi.exe	47
PID 824 wrote to memory of 2084	824	dhgfoi.exe	47
PID 892 wrote to memory of 1276	892	taskeng.exe	49
PID 892 wrote to memory of 1276	892	taskeng.exe	49
PID 892 wrote to memory of 1276	892	taskeng.exe	49
PID 892 wrote to memory of 2532	892	taskeng.exe	50
PID 892 wrote to memory of 2532	892	taskeng.exe	50
PID 892 wrote to memory of 2532	892	taskeng.exe	50
PID 892 wrote to memory of 2548	892	taskeng.exe	51
PID 892 wrote to memory of 2548	892	taskeng.exe	51
PID 892 wrote to memory of 2548	892	taskeng.exe	51
PID 2176 wrote to memory of 1040	2176	chrome.exe	53
PID 2176 wrote to memory of 1040	2176	chrome.exe	53
PID 2176 wrote to memory of 1040	2176	chrome.exe	53
PID 2176 wrote to memory of 2192	2176	chrome.exe	55
PID 2176 wrote to memory of 2192	2176	chrome.exe	55
PID 2176 wrote to memory of 2192	2176	chrome.exe	55
PID 2176 wrote to memory of 2192	2176	chrome.exe	55
PID 2176 wrote to memory of 2192	2176	chrome.exe	55
PID 2176 wrote to memory of 2192	2176	chrome.exe	55
PID 2176 wrote to memory of 2192	2176	chrome.exe	55
PID 2176 wrote to memory of 2192	2176	chrome.exe	55
PID 2176 wrote to memory of 2192	2176	chrome.exe	55
PID 2176 wrote to memory of 2192	2176	chrome.exe	55
PID 2176 wrote to memory of 2192	2176	chrome.exe	55
PID 2176 wrote to memory of 2192	2176	chrome.exe	55
PID 2176 wrote to memory of 2192	2176	chrome.exe	55
PID 2176 wrote to memory of 2192	2176	chrome.exe	55
PID 2176 wrote to memory of 2192	2176	chrome.exe	55
PID 2176 wrote to memory of 2192	2176	chrome.exe	55
PID 2176 wrote to memory of 2192	2176	chrome.exe	55
PID 2176 wrote to memory of 2192	2176	chrome.exe	55
PID 2176 wrote to memory of 2192	2176	chrome.exe	55
PID 2176 wrote to memory of 2192	2176	chrome.exe	55
PID 2176 wrote to memory of 2192	2176	chrome.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\RobloxCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxCheat.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RobloxCheat.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RobloxCheat.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\ajgdmb.exe
  "C:\Users\Admin\AppData\Local\Temp\ajgdmb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win7-x64&apphost_version=6.0.30&gui=true
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:348
- C:\Users\Admin\AppData\Local\Temp\dhgfoi.exe
  "C:\Users\Admin\AppData\Local\Temp\dhgfoi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Users\Admin\AppData\Local\Temp\dhgfoi.exe
    "C:\Users\Admin\AppData\Local\Temp\dhgfoi.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2084

C:\Windows\system32\taskeng.exe
taskeng.exe {5969721B-8CFA-4786-9608-86D4AC5D4D65} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:892
- C:\ProgramData\svchost.exe
  C:\ProgramData\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1276
- C:\ProgramData\svchost.exe
  C:\ProgramData\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\ProgramData\svchost.exe
  C:\ProgramData\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\ProgramData\svchost.exe
  C:\ProgramData\svchost.exe
  2⤵
  PID:1784
- C:\ProgramData\svchost.exe
  C:\ProgramData\svchost.exe
  2⤵
  PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ee9758,0x7fef6ee9768,0x7fef6ee9778
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:2
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:8
  2⤵
  PID:668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2244 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2252 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1116 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:2
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2228 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:1
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3444 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:8
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3560 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:8
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:8
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3944 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3700 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2324 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3976 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3708 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3872 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4136 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:8
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4188 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:8
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4204 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4188 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:8
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4172 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4192 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:8
  2⤵
  PID:1644
- C:\Users\Admin\Downloads\python-3.12.4-amd64.exe
  "C:\Users\Admin\Downloads\python-3.12.4-amd64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1592
- - C:\Windows\Temp\{977A3960-14E8-4388-B6F2-EF4BE915C0DC}\.cr\python-3.12.4-amd64.exe
    "C:\Windows\Temp\{977A3960-14E8-4388-B6F2-EF4BE915C0DC}\.cr\python-3.12.4-amd64.exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.12.4-amd64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1136
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" C:\Users\Admin\AppData\Local\Temp\Python 3.12.4 (64-bit)_20240701160343.log
      4⤵
      PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1476 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:8
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3508 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:8
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:8
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2452 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2424 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:8
  2⤵
  PID:2436
- C:\Users\Admin\Downloads\python-3.9.0-amd64.exe
  "C:\Users\Admin\Downloads\python-3.9.0-amd64.exe"
  2⤵
  PID:2948
- - C:\Windows\Temp\{11E1CF12-743E-4265-9483-E74ABE4C4263}\.cr\python-3.9.0-amd64.exe
    "C:\Windows\Temp\{11E1CF12-743E-4265-9483-E74ABE4C4263}\.cr\python-3.9.0-amd64.exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.9.0-amd64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
    3⤵
    PID:1976
- C:\Users\Admin\Downloads\python-3.9.0-amd64.exe
  "C:\Users\Admin\Downloads\python-3.9.0-amd64.exe"
  2⤵
  PID:2728
- - C:\Windows\Temp\{5770E57E-67B6-4303-87B9-F25EEABD0C02}\.cr\python-3.9.0-amd64.exe
    "C:\Windows\Temp\{5770E57E-67B6-4303-87B9-F25EEABD0C02}\.cr\python-3.9.0-amd64.exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.9.0-amd64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
    3⤵
    PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2464 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:8
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4120 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3468 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:8
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2468 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:8
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2260 --field-trial-handle=1300,i,2536674368690407322,17507510418762016054,131072 /prefetch:8
  2⤵
  PID:2192
- C:\Users\Admin\Downloads\python-3.9.0-amd64-webinstall.exe
  "C:\Users\Admin\Downloads\python-3.9.0-amd64-webinstall.exe"
  2⤵
  PID:1644
- - C:\Windows\Temp\{C5436A09-D3AA-4F10-A1AB-AA92DD4D5A4D}\.cr\python-3.9.0-amd64-webinstall.exe
    "C:\Windows\Temp\{C5436A09-D3AA-4F10-A1AB-AA92DD4D5A4D}\.cr\python-3.9.0-amd64-webinstall.exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.9.0-amd64-webinstall.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
    3⤵
    PID:828

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.exe

Filesize
61KB

MD5
1173330bc76af605137db64a6377f523

SHA1
09713c6e32cc1304dcb40604a1695d7830ceffe3

SHA256
f9893dff26df005089614d3b3f3de8b9a9b1a67cd2081345c1973f420350eac7

SHA512
57baf32951fb5f23758154eee655773de8d1a11552a97ea8bf52368c2d8d4869ef410ed76f29575aebb09e5454bd5844863fbdeb05952f2b0e76091712b32b24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db6aa5cf6c41ab5f87e1433fbb3676d1

SHA1
0e60c1784c2bce2984eba505b3a8c3674b72a552

SHA256
d513b4e2a8cd81bcb539006421911af0b1851eed819f9bd2b72d136c057e0f69

SHA512
a4394af1d0b7fab700f0adf2e65b45237f237408a1c2f43d886ef0fc27ad852e6b4486610a6bf313ce52fff86f9fa4df12f262804197b0555300d14fe71e1347

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4e23b22e69297ebdb44b1d0fb3b29ce

SHA1
570eb664016f5c5c5c440ebd29719e5537bdd7fb

SHA256
505d602fdbe4643d4e1d218089c5fa676be21ba4bd0bd9a49b2711f8837fe31c

SHA512
33f79df0f2e2c8f46d6f72c41fc9633d15b60beb29f989b9f98e8a49a2372b25d4bcfff663d6d4b2e0bc62c6f993235023d368392b564761db8b41d07c7c4e15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d06350748b4cff23ed432516e3b44225

SHA1
f2109bc90e7b12c2a89415e85dd549cba6a02472

SHA256
f5b2b4d3de65bac48851005d4e8de285df72864b9e1f64e99761a3c7c8ae7e08

SHA512
978e84fe9a4bb481547e467eb9f28b7f4a49d83e2aa640ea3fabdc5084bd25ffaf565591690362a23422ab33623c8aa9975822338a0035f2815440a1ef7811ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a6783e2c4104b07dda7b055eec322ac

SHA1
ac1d1be0b50c2dd9a24b661e86562627d40581f2

SHA256
6db7fe6c2461696b2e67ff3a39eb66d8d123857e7558a7d140c61606f4394e59

SHA512
9027a8ab124683a662f79a244b41d91455b452e99e18a1c3cf7efc95df79a80e809950f5517319ce44a113e3bb44655bf86b0453bdccf8056b77eb19888195d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b25fc3a80c2c937a3d2aa7a9e0502d62

SHA1
5566eceedbc1ac4b352b9207feed9914302d7c85

SHA256
623491f904e2564955c4c4ee2d5bc3dcecd6a544c60bccb912dd76a0726f3eca

SHA512
b1a8074af0a56fe731771a2efc650c560a94a6fe37fb6f5a9e52524679af6bc35c6f6c021ba0355b83fe5eba5aa2f97faff581cd3943e5d06f0d2188dc38ff51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4891bf50dd26d9ce513c123deaf9f87

SHA1
d0d5128cb849b77b0025234a53a0377bfd7b2c51

SHA256
a00774383ba06eccf6294b95da62f28b67aaf1e7370a3bfcbd327eb1d3ca7763

SHA512
f356ab4b42835f6d70b00a9ae9efc62a4fc2e1e5d8a2d3c360e2f964aec561280d25b828f385ba996e1d1e7195105bc2b937b1b70352d33c37ffaaef5bb0556d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b26cd4cd6f1295ec4e6cb8e823c8b93

SHA1
72e0ff00aafae49fa3a874907e3ee9d44f093987

SHA256
30fb00f391a656a5eb5648a63912644f7bf7eb64da8e6bb0057e9854ba002abe

SHA512
5cf4e7e04d06acf61c260c3f30d139f1a8a3037095bee93fed514ed9cc0e4e7d95e29a5aa92b6eb684319ccb3fc820cb609d365643d8753feaaac95eb520fdf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f48bacae57f01bbd34fbc22c32b2e07

SHA1
15d7afcb4e168c5d54c60169159b1edf2e0c0bc9

SHA256
894355ef35e44c45f5d5002ac370f048f42702ce6e618ee1b2515d406bcbcbcd

SHA512
5f9ed665e7e1f156cd66509429b0a5f5ca6107795a778dd791dfa5eea177d4449c2ce0fc3272cb4b397cb7a33f30cbe9ae1318a9139f12edccb849b35a844ff9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd4257c690e0d58f10d0efd58cf85692

SHA1
e9bb73056f60ac13c4f6b043b4cdba84b26d860a

SHA256
2d2a5e82805afe19911f386996cc2e3c3c3187ad28afaa894db59d3d1ac54261

SHA512
338752791edb544ea6cdfb53856c19978e221f7dd0c58f242eaefb05ba4dac2f46f85ce4239dfa83bd9bbcc871a5e5ffcda202c12441b55d843182b30586e377

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
981d9979c82a8e9d6f9d61987cb489b0

SHA1
85af33733e9b9f6c5a97b487bf2d645715eb14fb

SHA256
f00324ca0d9df1ae19b48f92a4354c7b89dae9717803dfa612df18a1d121d578

SHA512
00bcc3960fc7486c2063491f8449d61ba7050b05f43cddcb7e558cfc1a4adecc1c31eb8ac95efd6003471742568dbd55fd9e76acc8e591482a821004104d2bbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d305dc5d6dc5ffc8cffa3cdca2bbd0a

SHA1
7480d9d5879882cd735ce74ca31d4b9c48dd69b8

SHA256
cd9422ae29724a8343bf5505b95728ef5abbff164500dad71598dbbc963eb220

SHA512
b0bcd9c038314603dabbbdcc01e4122bd7b937ff576248198bb399699e579e01d6033ec169790642ffe04df495cb1796e59a38a024d72272ccea7472c13d516e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2dc8d26ca3c79941b14b62cf8eed0849

SHA1
7e4a0122753dc179b80dde6ae25882631e51606e

SHA256
b891d8a0743d3fa8d872dc937d0950b960146bca54ba947cdaabdb15a29a11f1

SHA512
934b640d41755961a1421df4b2a1f871b09361ab392acd291ee54e8b3b799fb1bf764ac1939b74576d8ce7ce1f713a0d032f936922ed02dae17dbec8cc9a85ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
145f4b7e86cc0746ceae2701d830c17d

SHA1
f010a7e00863767ad6040b74f22dcdd88b95d5b7

SHA256
977eeecc3544e3b7a0d2130842482398588f050f4f5ba634ac7aca74a6e1273b

SHA512
a27ffc877a7a3bb36b726f701fcc8fa3040c0e54b01c323792a3fbbc0ca0e5968702a1131bb176b9480ba117c50582c74d15998c875f3851a9755d701e2a3da4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
082afd1e51c84e7dfa293bceb1c1b67c

SHA1
fa191b645e49cf8143385c47b113cae643879207

SHA256
602bcc5d2961bc788b0dfa240f84992bf22ba230153a44c2019feda0df56afec

SHA512
a795c03d4c333880ad160a8367a51ef17dea1b1ca71fdee8659d533a2a5f3cdb651ceed1509b44b1708b8f706089fb51bb65884be3decd859f4679b6e49f2260

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75c30177b25869ed039f1a7de49069f3

SHA1
ee2bd2b53dd58148690dc6ad0a1b7e84adbfbc3f

SHA256
ee31a05be1abf45f8d497776ecc38969d8da3d2cb7a59b2c55170926bd7df44d

SHA512
a3cffdc9f373ef28c9eed2778447c30fb9c2da259688b737e36506718bfcf1c3a44eac510c861754f5901029573108c1e6b32f2d9f75a95ca979b11471861f8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d75ddc6b9fd19de9eb4a0d17d2d9a3d5

SHA1
95f5a33b742eb7afb528bee7cba08ece2b337a7a

SHA256
78ad3bde79954e3399ec150f9d0bd157fc229a218e4823b4389b690aee986d0f

SHA512
df533df8cf0326b5f2c60c22d342aa6843b6f6a7524bf389258a790be058b650437690a13bfea222406e29061083756624c84bc8de9cca5a2e18f9066a1572ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e85a0e57dba34cced12dbc75b5f67b5

SHA1
c0fa9d9d783eddb937a21c8327ad4183b8954417

SHA256
03f8d7e10e5f3fb349641f8ded73a912a3b6a19acc7d5b0bb2f77624a64672d1

SHA512
66d6ed232ff0003545588eaddfc056b5cf5dcaaa97f9094f3b3fc24b2a8dc3aa04d627d6003034b4cbb637b89e0f07626c71640bec13402f943cf74569c736ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
497f75c4c82209b21b98af3edc45c3f2

SHA1
c5f7bcbe1009371b65e0a5767c3350c0922b8690

SHA256
4874a2d032f31311250291a273b4b915475c7b80cc59101a90cb79d7f3fe61c0

SHA512
d37586723253543e7e1c8a5e14122e033ac3bb25785c7c7afa7bb55162e27a854394073c20653f68b27a8fabd9790813701f2894cece1d7231a6b37ed37c5353

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ca114112977fe0356c95a126a40aa3b

SHA1
c9bbe1fd018f3923ed93e2e42ec46a56aab254f7

SHA256
c9b6ca85e73338fd55fe5c48235e43d86b434c36a034657488b94d898d42b56b

SHA512
8e7e07158c1c35fdbb0a4eb40db7edd100aab0e8d48c966cb60b620e2c3ad1709f0572d57a0a2b540a90e4faa9c38f542f62766348a0137bc3c9829347fbdbb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3bfa2e568302721d5cd4445e9cedc7c

SHA1
b2054db40e2b8589c0399ee6f375d0a16684fdae

SHA256
c9e7760edeb94ef47a2e728b3ff89dfd1a711997f07ba8c56bfb78f8ba9c2ca2

SHA512
bb501eb752b12bc2976b22daf296042313f7ee8397bdae66c79d6ad2e89ef1efdd184c90342ee2b8fac2299e37f2b2185f5069c86d8ca8624ba627f6efd6a359

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b16421f21b758364d036bff283e96e78

SHA1
a14b9f0c5325b18efd2123379eb06389d4970aef

SHA256
9cc3891ae6d4441ab0a0c0c1cfd6915ad1bcbb3a9a13795198f64614e923da1d

SHA512
82dd993b1a76b7d366448685734bd8390bf25adb94e6455df5f3d10bdae2cf305c3ecf7086a01308f5a8c25d64d9e73f6d965189f08e36eb060460190c51bc10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7321c63087474c4028b21444b57def1

SHA1
0b4bf34bae0e0094fcb50b4cf18db588b0873292

SHA256
6f5413b0fa9eed2cffaa5d5cae4d6c99cc65e7586ad7a811260b5d54f263e7f1

SHA512
680df3efea4941cc328cb838bed81447da6b98edefdded90584114cb31a4182643ca0903ec200397e112532bfa596f87869513a22013de4868fb3c7f74c36e58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78d8b418b80b637fb6e6e05c12a07063

SHA1
f50543e9cf689d4b63e0311bd27a033a6072295e

SHA256
63430ea5c97d23929a580950beae336abdcdd9e46dcfa627e436fe6fb237d466

SHA512
d1a6de33c379a5632b8c26289ee60a369346ad0f29743c749db61d2047987e1434da8f96fad6dfa6656eddbd203c210e646acbf2526a3a23a8873a690787d24b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016

Filesize
100KB

MD5
a20304b408b8ab2fc5ce83258b322d35

SHA1
09f485b44cf61e37e6bbc803dbff65bb91529df7

SHA256
8a5d5085ca9ab8ad9a8e1fb461063ebb6578c9a98ba1ef82476ba632b59bdc80

SHA512
3f306f3fc03d6b9a48b4e4d3270e75635008c2a1f6931a1a9e48eb1540ca8ee73e22fdd26bf28250059a279372934985bce69d726ff3ac9c5ce755f040f9ddae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
32KB

MD5
b582b2eca79a750948dbb3777aeaaadb

SHA1
bf0ea1c8a7b4a55779cbb3df1f1d75cc19910e9f

SHA256
04c7f19e1ae294cc641f6c497653b5c13c41b258559f5f05b790032ccca16c82

SHA512
35cfd88afe4e4e8091d3a5c53f0f3e2dcd92aa58b7544b94d4d9d7cdf508d429c5292aa97b813c9c8ad18e4d121d4e6595c49f5ddafbeab7b39f3a7c9d0b58dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018

Filesize
16KB

MD5
01d5892e6e243b52998310c2925b9f3a

SHA1
58180151b6a6ee4af73583a214b68efb9e8844d4

SHA256
7e90efb4620a78e8869796d256bcddbde90b853c8c15c5cc116cb11d3d17bc4d

SHA512
de6ca9d539326c1d63a79e90a87d6a69676fc77a2955050b4c5299fab12b87af63c3d7f0789d10f4be214e5c58d6271106a82944d276d5ca361b6d01f7a9f319

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
66KB

MD5
33411bb179575dfc40cc62c61899664f

SHA1
d03c06d5893d632e1a7f826a6ffd9768ba885e11

SHA256
274befc7b39609fed270e69335bc92b3d8251545594636eb408d5d93e0ae1a4f

SHA512
dc830766c928ac84df16d094fc92586b9c2c25f819123dc9b5ec259220b4b1c45e2af28c89a710f047c00c9dcf7df8dd859a9a7a2d2228703f616df13caef2c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
d6d48f52a803084acab3407f7f689d28

SHA1
9672466f03f0bc3a12925f7b879c049e68fc0fdf

SHA256
014279ff2d0ac0156cc4114f5a669e745c72523551276ef69a9991afd68d91e1

SHA512
552951874d3e6519c5c261f84933936fd01f9e7aabadb46bed474b31e569282e805d372e002d44d80381cc7c86352fb86711208fbc164c75a2b0ee6e6d523429

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
7d66164d5d056f344cce910ec25d287b

SHA1
ba89baac8171d44d2c200e8aef941e8c8bb7809b

SHA256
09532c069eb28c3ba48d8d9d17321983a0088a9d8c9e906640827acaf95b2860

SHA512
df0a2507469664fda6a002df1d63d13c723d5d5df1a79d346cb279f4d2665067694afdc30537aec4441ccde1659c2af03e90469ecac366110d2324c7b04575fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
d36e05364cbb9d2e18410eccb00358e6

SHA1
08b2d6b953109ebc90c627884d3d7188e0229493

SHA256
94ff0659bd8c3c588d1289c713a1b92970253ad2fd71078452d47141bbb0a2a2

SHA512
95efa1851f976ff1699409e31018e9f73c8c228f72f9f74fe0c633a0a338bfaad033efff1c54754c4d60486a5581681e9fc284d83da19d7291ab4582389f58bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
978c228e07ffb94635bd72266556a3fd

SHA1
bc4f5669f6f49870de9261a614f6241268c1de9a

SHA256
05b46cb7a43caeed8428f3894b924a3f4d043e60c187108b36fa3b57c7f2582b

SHA512
0dc1042a34f964f99a27b3e8ff00c611f80db4dec2fbd50f024fc8ad25c48fbc17b2797a17c2b30ec651f2e1e9f77c18e341929d389af926b05392aa02fb9d71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b0775196d19f7f72c0131f45922fda9c

SHA1
2dfd4113606f3185942be01bb4291348fcd1d144

SHA256
39a6428cdb28192589c2c94175c51989133bd327876cd31882cc9413f2600c33

SHA512
31debfaceb61c6a3ec7460693181b3b81c699abf7b9bc6871fdf4f22c0d2194aa204d7f889af74cc431afdd12542620527fce400c37dcac81a17dbc5625142ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a7c3b9484d4d2bb4e40c815e6ddec9d5

SHA1
53dfd514ca4d565ba2c6a1a5676c50254753eeef

SHA256
c3ff51ef372f1cffa23ed2403aedc22c38e4f8725c3fba695fb76a8d1117a4f4

SHA512
d644d8b26aa9e80bf69912ec7c35a3ee36c7ce2639015dff646b26f908d7c8b18ab85e6dd230c1780468b7d811f68ef058e3113be0661db6feff9bc3f4824255

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
30f5424bc42b285fa5c4722374656698

SHA1
78e60eb0805bb0037726063937ca36269bc15fc1

SHA256
69b72e8d0329a308896768104a6e80b7f9a3aa2f9fc6217093076fe243ee4cdf

SHA512
f027b686b632393ffc588a5e67e534c2604084cd58883eb011229001212e716ca862deb2c98a80b858df8ff085ad34fe28c9ad1a918e0d917f86b6d4478e0362

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
959c2b0b2de6a5c1b0de45d787891240

SHA1
d295a74d0bf9dbb9632f243c1d5ca25d22728cfd

SHA256
44cbdceffaf1b4190ac59edd7340cd6afd23992c6239b4f00a0b45cfb7e3e97e

SHA512
ae358164e9386dafbe227124047bc2394358d2d479b1f3c9338d60a1dfb1b5cf423a33f43cddf923f145655c64f6759530f62f48fcc1597ea7286f7628d37cd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d1cf8a5a47c20b0e03730878beeaa994

SHA1
b12ca3430e2abbcb284b4722454c602155d0a087

SHA256
6c78bb9ac98d38e40b0b95ba0d49091238da4bd54cc67280e3ed57b1288b8127

SHA512
753220619ec054cad4ea1a9ef04c20142146b3b75acf9501a4ff704e06c619f8528c7bbb65f6699fe1664b052ee1999dc9508e1b76a0c54262d4e8ee7644a49f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b16ac63bc91f2189e77a6b0aae1f8b1a

SHA1
03c6b0550e0a0729aad4e9ff26bb4f46e1cd0ade

SHA256
c872bbb936edc012cc962f2db5dfbb92ea4377ce91915037f117d642dbf8676b

SHA512
e3188d04382308a4a0b0c5e0c4359043cccac0c57ff1b91c886a549047e239385796d89b443122cd818bbf95d4e0825f00a91ab7e30b089faf4cd0a0c0b49cca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
502e2e9eecde6db618c95e12fb76940f

SHA1
664fb3b8a348c846461f808ad5bb134ac3af6f77

SHA256
9c26f9721808fa4bcd555e19c4207e783b5a05cda87892b200d6b5fb0ac39931

SHA512
dbafff4bb3619ff41c9a2aef3012d92956adcb9d38ae798c93f38487ff6d72daa21b92230df8cba873dfb796ae77703b71b5e98a7e0fe67aad78fa491b0b27a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ce3017cacef5dd21b063da31455eaf4d

SHA1
7c616bd5ab6f7713f508499f9ecf1019e2ed694e

SHA256
cbfa5558e81eb34be974bc0a8bf3982a8c54986503b2eb57eae019a90e3eab3c

SHA512
cdd810ae89ed542d4bfcf525b4870948e8eb670e414889890c80b7176433333166efd6f02b44f4f5aca822b0dce66b7d6da49fe31fab5c1397a3cdf35948430d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b877e33b1694f8e4915e67f934c27883

SHA1
a7107bc12bf3f8e4956d9099c4e728b1c0fccff5

SHA256
2671af0b6ca5d6b0acdc0d55eabbd9beb1f8a257a50c6e563142c96c1c717868

SHA512
6ad8ca01fd4b3639a2deb23ffcdf147ca0c349a33ccf6ad4692f82c0873538d6546ef6ff25e667cf7d58b5730d67377f774c8a334ad29537391d75da5bab7e17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB9C0.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.4 (64-bit)_20240701160343.log

Filesize
6KB

MD5
ae7f1ca0519a70346b352cfb8a598eb4

SHA1
b5e85fddbfe568620fb4b1da6bf2604562653556

SHA256
3277675ac07b83485912d98e84c75d561e0a2ef46439c8a515381e8f93316132

SHA512
e8dfe91c23c42832bc5dbc5ff3a1e98648c799e1da72ba558a697cdeb265d9640fe2d1a31ec4f71d0cda7dae4ca97d736979946852896ece265e973c9b8f184f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBA72.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8242\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF38CEDCAC1D57921E.TMP

Filesize
16KB

MD5
0efaecdc94d688dd798e9f829c0f8157

SHA1
3adc9c0035b75146cced7ef7c104663ba58cfb3d

SHA256
b693fca0dd762af8cee6a4819aef9d246b67f9f6ab369ab063dc57d867c54b08

SHA512
2fc1131a3ba7496ac9f182542fc3307a97eefe21f474256c45e542bd40ebb22267a6f1dc061510f8890653cfcbb7e86f8654e4e25e7d7db626aca7e69a25cc81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4ea039a501c4265648e6763eefff453d

SHA1
83cac79bb70ffc5fbe6c11219747b3bdc696f5d8

SHA256
1e4560203eea2e403c3026862fd9f910a1d9415f8a50e1a6fda511e088df1a12

SHA512
6254cd7dde221dc508d694549abac4198fd46f2b699cb0fbbe5eaf6aa8d04bd9be090ce80ff3a53092990f4f25c6bfab6dd39ab8f6ab38c43dc18fecf93a1273

Download Submit
C:\Users\Admin\Downloads\python-3.12.4-amd64.exe

Filesize
25.5MB

MD5
f3df1be26cc7cbd8252ab5632b62d740

SHA1
3b1f54802b4cb8c02d1eb78fc79f95f91e8e49e4

SHA256
da5809df5cb05200b3a528a186f39b7d6186376ce051b0a393f1ddf67c995258

SHA512
2f9a11ffae6d9f1ed76bf816f28812fcba71f87080b0c92e52bfccb46243118c5803a7e25dd78003ca7d66501bfcdce8ff7c691c63c0038b0d409ca3842dcc89

Download Submit
C:\Users\Admin\Downloads\python-3.9.0-amd64-webinstall.exe

Filesize
1.3MB

MD5
733df85afb160482c5636ca09b89c4c8

SHA1
0d0649f08933c38bd8a635e4321da4de7bdeec56

SHA256
6b0d2e9841b400f7ee05ccfbac94ef074cb4e93f15bc277088eed719be78f4bc

SHA512
4329d23885a6b6cdc206520e51a9d4c2b01d5085c8c797c3805168d6175351682713b6692509b8a45a51839af217114ee74ca2548a71ce9974b36b87fb1f3508

Download Submit
C:\Users\Admin\Downloads\python-3.9.0-amd64.exe

Filesize
26.9MB

MD5
b61a33dc28f13b561452f3089c87eb63

SHA1
5f29e7b435e0a08830b350f7388337d8b761bf72

SHA256
fd2e2c6612d43bb6b213b72fc53f07d73d99059fa72c96e44bde12e7815073ae

SHA512
2314bd18818aedf228c6c3b5c56f10cbb8d5b7ecd46efe3c048ff4e202098bf4515cbb92d2bff64c4a4b451b19f84dc544d649ca3b2336a2b8ec19bc7ecfb2af

Download Submit
C:\Windows\Temp\{1DF8D281-B05B-4251-A672-04AB941A89E4}\.ba\Default.wxl

Filesize
8KB

MD5
f253078527d6bc87a722097829d10789

SHA1
bdb0538b3fdda880c7bb98daea47d4f07459e63a

SHA256
1ea17a558c96e6e7c9c919b0724355e204969d9c35fb1cf568d9620ced40e2c1

SHA512
09ad35a5bc851576ac13832a57b98f10b529e0d5a2bc8b4d20e712e47e9efab3dfba20cd5c7728b62183a597e8c7e6609c710c6f2d876afa6ddd650dc28392c9

Download Submit
C:\Windows\Temp\{3B7DCA44-394D-4F16-88BE-949A3DAA7C22}\.ba\SideBar.png

Filesize
56KB

MD5
ca62a92ad5b307faeac640cd5eb460ed

SHA1
5edf8b5fc931648f77a2a131e4c733f1d31b548e

SHA256
f3109977125d4a3a3ffa17462cfc31799589f466a51d226d1d1f87df2f267627

SHA512
f7b3001a957f393298b0ff2aa08b400f8639f2f0487a34ac2a0e8d9519765ac92249185ebe45f907bc9d2f8556fdd39095c52f890330a35edf71ae49df32e27a

Download Submit
C:\Windows\Temp\{4DE18E4D-2B11-4AFD-A514-82F04EC6F61E}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
C:\Windows\Temp\{69C6A38E-C75F-4DCC-ADFD-DAA55B25A21B}\.ba\Default.thm

Filesize
11KB

MD5
7a6207931f4f6a7f803128fc3afdf8da

SHA1
8ce6dad67527b348637200fb4eb6dd84f9e59a06

SHA256
6a91f0ac6a2169ffdb3ac84c715f77eb5b1527c27dd5ac4c60174242997937a6

SHA512
0fa70dc31a7a096ed9990e6b8167cb0d403b4e42fcff96a29427e7d8eec3deddaf37b40319583fe1cbd449713df6a240d172bbd9a1c49d82f53a476a2a877bd4

Download Submit
C:\Windows\Temp\{69C6A38E-C75F-4DCC-ADFD-DAA55B25A21B}\.ba\PythonBA.dll

Filesize
600KB

MD5
51d3de5a5700330f407646cb7d36f8ff

SHA1
6e62dc7e9136d3e4934641dd9bbb74a13bf22a5d

SHA256
9c2b52d98ca2e10dfb6e1dd613757283e2c04054ab4be474b8ceacfbe994f14c

SHA512
af3183cfa33a934d5d2c3b2dd805de0a4123e48f2a53fdbf9494fbac87b60c415e18a9456c372f1bd96845f2a35393cb353d11cbb3466e0dc3d6a772f1f4569c

Download Submit
\Users\Admin\AppData\Local\Temp\ajgdmb.exe

Filesize
8.4MB

MD5
8450908897067c9527740d735897740b

SHA1
71c993302b3174fe4fd712eaf8886a4842778e42

SHA256
f5a04c5d6ddcb4cc3925656919c37a9ca18f20f3623c722dc45499cf1e4de8a8

SHA512
841d6d732db87ca350dd7f4eda273584810dc976f6a368a141de8ea8d87113e8f8ef92c747ee2fa3dc8f906456e2c2c17b122d3f86dea9042c40acb9170848f8

Download Submit
\Users\Admin\AppData\Local\Temp\dhgfoi.exe

Filesize
12.3MB

MD5
88b4216901024cb13cdbfde9f7313739

SHA1
4e3a8bf8620ef7c02d33a895f35859fc5c299947

SHA256
68f2fd65f54c0a4027b60ab8aac12e250003d84979c889b716b55e38820da436

SHA512
cde67dbf72c6bacfbafa4898ae09c0bcc3cea8456165036ae746060d6d422cf8a0fec834658c72ae73530cb33abd2b28eeb7a6ed9474cc5dd61e2c15a64a5d1e

Download Submit
\Windows\Temp\{11E1CF12-743E-4265-9483-E74ABE4C4263}\.cr\python-3.9.0-amd64.exe

Filesize
840KB

MD5
a24adfcbdaa879a7dd2eaa67787b5831

SHA1
f40afe160ef9576a6086e5c81de1bd606a8a865b

SHA256
3190473cfeecdd473e5033e7de30bf4045b6e84cdb04e6716e11a0631b58aad7

SHA512
67f93630f80e969a954c0fd4c7ac28fff768be9e6de8e2c946ed10498ebb8cf6e9e4535e9dac5311f884842f0f1792edf964941019208148ecd46594cb952083

Download Submit
\Windows\Temp\{4DE18E4D-2B11-4AFD-A514-82F04EC6F61E}\.ba\PythonBA.dll

Filesize
675KB

MD5
e58bf4439057b22e6db8735be19d61ad

SHA1
415e148ecf78754a72de761d88825366aaf7afa1

SHA256
e3d3f38fd9a32720db3a65180857497d9064cffe0a54911c96b6138a17199058

SHA512
8d3523a12ee82123a17e73e507d42ae3248bd5c0aa697d5a379e61b965781bd83c0c97de41104b494b1f3b42127ab4b48ac9a071d5194a75c2af107016fc8c9c

Download Submit
\Windows\Temp\{977A3960-14E8-4388-B6F2-EF4BE915C0DC}\.cr\python-3.12.4-amd64.exe

Filesize
858KB

MD5
504fdaeaa19b2055ffc58d23f830e104

SHA1
7071c8189d1ecd09173111f9787888723040433f

SHA256
8f211f3b8af3a2e6fd4aff1ac27a1ad9cd9737524e016b2e3bfc689dfdad95fb

SHA512
01aa983cbddfe38e69f381e8f8e66988273ef453b095012f9c0eeae01d39e32deb0e6fb369363cbb5e387485be33a53ac3ec16d3de1f42bb2cde0cfa05ceb366

Download Submit
memory/1276-1016-0x00000000013C0000-0x00000000013D6000-memory.dmp

Filesize
88KB

Download
memory/2084-1012-0x000007FEEE050000-0x000007FEEE638000-memory.dmp

Filesize
5.9MB

Download
memory/2108-1-0x0000000000C50000-0x0000000000C66000-memory.dmp

Filesize
88KB

Download
memory/2108-0-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp

Filesize
4KB

Download
memory/2108-31-0x000000001B220000-0x000000001B2A0000-memory.dmp

Filesize
512KB

Download
memory/2108-32-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp

Filesize
4KB

Download
memory/2112-14-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2112-15-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2176-6-0x0000000002BD0000-0x0000000002C50000-memory.dmp

Filesize
512KB

Download
memory/2176-7-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2176-8-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download