b29e8580734a462ecd1834e60e46a5276d5c58d65a89a43fd66e21373c7bc99a

Resubmissions

25-07-2024 20:33

240725-zbyrpsshmk 9

25-07-2024 20:19

240725-y37cgssdmp 9

25-07-2024 20:16

240725-y18sjavhqg 9

Analysis

max time kernel
930s
max time network
866s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
25-07-2024 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2b3c6d7549e216fe9e8fb517553a240N.exe
Size

64KB
MD5

f2b3c6d7549e216fe9e8fb517553a240
SHA1

c8c59541cc7bb898a6ca98e1bcf9981e1fb78ee4
SHA256

b29e8580734a462ecd1834e60e46a5276d5c58d65a89a43fd66e21373c7bc99a
SHA512

cd110e425299c12df33a94121cf3982d4a974145c11d1645b9c7cdf57c15c1fe2ff3e5dc386c73be1b0b51d14466c0059665396d9f985903df0b2ddb9339addd
SSDEEP

768:kBT37CPKK1EXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rcu90TKe+0TKeIiKxP:CTWJGpG7TWJGpGjUpCUpS

Score

9^/10

credential_access discovery ransomware spyware stealer upx

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Renames multiple (12303) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.tmp	Zombie.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe

Executes dropped EXE 2 IoCs

pid	Process
4476	Zombie.exe
1608	_MS.MSACCESS.DEV.12.1033.hxn.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/904-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000900000001aa9c-7.dat	upx
behavioral1/files/0x000800000001aacc-8.dat	upx
behavioral1/files/0x000700000001aad1-11.dat	upx
behavioral1/files/0x0002000000015487-15.dat	upx
behavioral1/files/0x000800000001aad1-19.dat	upx
behavioral1/files/0x000200000001a31f-26.dat	upx
behavioral1/files/0x000200000001a31f-29.dat	upx
behavioral1/files/0x000200000001a320-30.dat	upx
behavioral1/files/0x000200000001a322-36.dat	upx
behavioral1/files/0x000200000001a323-40.dat	upx
behavioral1/files/0x000200000001a324-44.dat	upx
behavioral1/files/0x000400000001a1d4-50.dat	upx
behavioral1/files/0x000800000001a1d9-57.dat	upx
behavioral1/files/0x000800000001a1d9-60.dat	upx
behavioral1/files/0x000400000001a1de-61.dat	upx
behavioral1/files/0x000500000001a1de-67.dat	upx
behavioral1/files/0x000400000001a1df-68.dat	upx
behavioral1/files/0x000700000001a1e0-72.dat	upx
behavioral1/files/0x000800000001a1e1-82.dat	upx
behavioral1/files/0x000400000001a1eb-86.dat	upx
behavioral1/files/0x000300000001a1ed-90.dat	upx
behavioral1/files/0x000500000001a1eb-94.dat	upx
behavioral1/files/0x000400000001a1ed-98.dat	upx
behavioral1/files/0x000300000001a1ef-104.dat	upx
behavioral1/files/0x000400000001a1f0-110.dat	upx
behavioral1/files/0x000400000001a1ef-117.dat	upx
behavioral1/files/0x000300000001a1f2-121.dat	upx
behavioral1/files/0x000300000001a1f4-132.dat	upx
behavioral1/files/0x000300000001a1f5-135.dat	upx
behavioral1/files/0x000300000001a1f6-138.dat	upx
behavioral1/files/0x000300000001a1f8-142.dat	upx
behavioral1/files/0x000300000001a1f9-150.dat	upx
behavioral1/files/0x000400000001a1f8-149.dat	upx
behavioral1/files/0x000300000001a1fa-155.dat	upx
behavioral1/files/0x000400000001a1f9-160.dat	upx
behavioral1/files/0x000500000001a1f9-164.dat	upx
behavioral1/files/0x000300000001a1fb-168.dat	upx
behavioral1/files/0x000700000001a1f9-175.dat	upx
behavioral1/files/0x000400000001a1fb-185.dat	upx
behavioral1/files/0x000500000001a1fb-194.dat	upx
behavioral1/files/0x000300000001a1fc-195.dat	upx
behavioral1/files/0x000300000001a1fe-204.dat	upx
behavioral1/files/0x000300000001a1ff-205.dat	upx
behavioral1/files/0x000300000001a204-209.dat	upx
behavioral1/files/0x000400000001a1ff-215.dat	upx
behavioral1/files/0x000300000001a205-218.dat	upx
behavioral1/files/0x000300000001a206-219.dat	upx
behavioral1/files/0x000300000001a207-225.dat	upx
behavioral1/files/0x000300000001a208-232.dat	upx
behavioral1/files/0x000500000001a207-236.dat	upx
behavioral1/files/0x000400000001a208-243.dat	upx
behavioral1/files/0x000300000001a209-250.dat	upx
behavioral1/files/0x000300000001a20a-254.dat	upx
behavioral1/files/0x000400000001a20a-260.dat	upx
behavioral1/files/0x000300000001a20c-264.dat	upx
behavioral1/memory/904-560-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	f2b3c6d7549e216fe9e8fb517553a240N.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	f2b3c6d7549e216fe9e8fb517553a240N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar.tmp	Zombie.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-runtime-l1-1-0.dll.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\Sounds\CrownAppearance.wav.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Effects\sakura.png.tmp	Zombie.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8ES.LEX.tmp	Zombie.exe
File created	C:\Program Files\Windows Defender\fr-FR\MsMpResL.dll.mui.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\surfaceHub\en-US\toc.xml.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.News\Assets\news_button_down.png.tmp	Zombie.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1849_32x32x32.png.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\3899_48x48x32.png.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\dj_60x42.png.tmp	Zombie.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\na_60x42.png.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	Zombie.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml.tmp	Zombie.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\201.png.tmp	Zombie.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-300.png.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\uk-UA\msaddsr.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Spider\Tips_4.jpg.tmp	Zombie.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-256_altform-unplated.png.tmp	Zombie.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5671_40x40x32.png.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dummy.aff.tmp	Zombie.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_removeme-default_18.svg.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\ui-strings.js.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-256_contrast-white.png.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Themes\autumn.jpg.tmp	Zombie.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_12c.png.tmp	Zombie.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\mooning.png.tmp	Zombie.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-72_altform-unplated.png.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-30_altform-unplated.png.tmp	Zombie.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\MSOINTL.DLL.tmp	Zombie.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-40.png.tmp	Zombie.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\10912_24x24x32.png.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteWideTile.scale-125.png.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-24.png.tmp	Zombie.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6478_24x24x32.png.tmp	Zombie.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeLargeTile.scale-125.png.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-runtime-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\130\Microsoft.AnalysisServices.AdomdClient.dll.tmp	Zombie.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\remove.png.tmp	Zombie.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\profilePic.png.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\chrome-ext-2x.png.tmp	Zombie.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\Example3A.Diagnostics.Tests.ps1.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grid.Base.dll.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\chess.3mf.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Moon_icon.png.tmp	Zombie.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.scale-100.png.tmp	Zombie.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-16_altform-unplated.png.tmp	Zombie.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AdeModule.dll.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\StickySelection.scale-100.png.tmp	Zombie.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\2.jpg.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe.tmp	Zombie.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\phone.png.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.scale-100.png.tmp	Zombie.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoetwres.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mo.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.VideoTk\PassthroughVS.cso.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClientsideProviders.dll.tmp	Zombie.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_ja_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.Resources.dll.tmp	Zombie.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\PresentationFramework.resources\3.0.0.0_es_31bf3856ad364e35\PresentationFramework.resources.dll.tmp	Zombie.exe
File created	C:\Windows\INF\hidbatt.inf.tmp	Zombie.exe
File created	C:\Windows\INF\mdmfj2.inf.tmp	Zombie.exe
File created	C:\Windows\Fonts\coue1256.fon.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Windows\IME\IMETC\HELP\IMTCEN14.CHM.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\Settings\AAA_SettingsGroupSyncAccounts.settingcontent-ms.tmp	Zombie.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0\10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll.tmp	Zombie.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Drawing.resources\2.0.0.0_it_b03f5f7f11d50a3a\System.Drawing.Resources.dll.tmp	Zombie.exe
File created	C:\Windows\Boot\PCAT\zh-CN\bootmgr.exe.mui.tmp	Zombie.exe
File created	C:\Windows\diagnostics\system\Audio\RS_SamplingRate.ps1.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.SmartTag\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Office.Interop.SmartTag.config.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Windows\diagnostics\system\Audio\CL_AudioDiagnosticSnapIn.ps1.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Windows\Fonts\ssee1257.fon.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Windows\INF\c_netclient.inf.tmp	Zombie.exe
File created	C:\Windows\diagnostics\index\AudioRecordingDiagnostic.xml.tmp	Zombie.exe
File created	C:\Windows\diagnostics\system\AERO\TS_WinSat.ps1.tmp	Zombie.exe
File opened for modification	C:\Windows\Fonts\MTCORSVA.TTF.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\TinyTile.contrast-black.png.tmp	Zombie.exe
File opened for modification	C:\Windows\INF\c_fdc.inf.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Windows\Boot\EFI\sv-SE\bootmgfw.efi.mui.tmp	Zombie.exe
File created	C:\Windows\ImmersiveControlPanel\Settings\AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File opened for modification	C:\Windows\INF\acpitime.inf.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Graph\15.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Graph.dll.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Windows\Fonts\ariali.ttf.tmp	Zombie.exe
File created	C:\Windows\Help\Windows\ContentStore\en-US\noarm.mshc.tmp	Zombie.exe
File created	C:\Windows\Help\Windows\IndexStore\uk-UA\art.mshi.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Windows\ImmersiveControlPanel\Settings\Classic_{8bb27ec5-5cb3-4781-baee-3439df4806e4}.settingcontent-ms.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization\3.0.0.0__b77a5c561934e089\System.Runtime.Serialization.dll.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File opened for modification	C:\Windows\Globalization\Sorting\SortServer2008Compat.nls.tmp	Zombie.exe
File opened for modification	C:\Windows\IME\IMETC\DICTS\mshwchtrIME.dll.tmp	Zombie.exe
File created	C:\Windows\ImmersiveControlPanel\Settings\AAA_CortanaSettingsPageGroupTalkToCortana_Language.settingcontent-ms.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Windows\Boot\PCAT\fr-FR\bootmgr.exe.mui.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Windows\diagnostics\system\Power\DiagPackage.diagpkg.tmp	Zombie.exe
File opened for modification	C:\Windows\Help\mui\0C0A\msorcl32.chm.tmp	Zombie.exe
File created	C:\Windows\ImmersiveControlPanel\images\wide.Devices.png.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Windows\diagnostics\system\Printer\it-IT\CL_LocalizationData.psd1.tmp	Zombie.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83#\b3886d4a893e45c9be1280325abc4240\Microsoft.Dtc.PowerShell.ni.dll.tmp	Zombie.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\sr-Latn-RS_BitLockerToGo.exe.mui.tmp	Zombie.exe
File created	C:\Windows\Cursors\size1_im.cur.tmp	Zombie.exe
File created	C:\Windows\diagnostics\system\Audio\de-DE\CL_LocalizationData.psd1.tmp	Zombie.exe
File created	C:\Windows\diagnostics\system\Device\TS_DriverNeedUpdated.ps1.tmp	Zombie.exe
File opened for modification	C:\Windows\Fonts\vgasyse.fon.tmp	Zombie.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd518ee0d#\3b2915a96f365ea9c6dc0e97570c64a1\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.ni.dll.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\napcrypt\6383449efebaf90892554912d612dc92\napcrypt.ni.dll.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Transactions\963e23452dd4b751573f32fac3a29c02\System.Transactions.ni.dll.tmp	Zombie.exe
File opened for modification	C:\Windows\Cursors\aero_link_i.cur.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Windows\assembly\GAC_MSIL\UIAutomationProvider.resources\3.0.0.0_ja_31bf3856ad364e35\UIAutomationProvider.resources.dll.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Windows\ImmersiveControlPanel\images\TileSmall.png.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\SecurityAudf6921413#\ae41d4f7d096adf360470898458882ff\SecurityAuditPoliciesSnapIn.ni.dll.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File opened for modification	C:\Windows\Cursors\size4_i.cur.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Windows\ImmersiveControlPanel\Settings\AAA_SettingsPageCortanaMoreDetails.settingcontent-ms.tmp	Zombie.exe
File created	C:\Windows\assembly\GAC_64\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll.tmp	Zombie.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll.tmp	Zombie.exe
File created	C:\Windows\ImmersiveControlPanel\Settings\AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\Settings\Classic_{A73DCDB5-E233-4FC2-8083-6E431939002A}.settingcontent-ms.tmp	Zombie.exe
File opened for modification	C:\Windows\Fonts\simsun.ttc.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File opened for modification	C:\Windows\IME\IMETC\DICTS\IMTCPH.IMD.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Windows\Boot\EFI\es-ES\bootmgr.efi.mui.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Windows\diagnostics\scheduled\Maintenance\ja-JP\CL_LocalizationData.psd1.tmp	_MS.MSACCESS.DEV.12.1033.hxn.exe
File created	C:\Windows\diagnostics\system\Power\uk-UA\RS_Balanced.psd1.tmp	Zombie.exe
File created	C:\Windows\diagnostics\system\Search\es-ES\CL_LocalizationData.psd1.tmp	Zombie.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\Square71x71Logo.png.tmp	Zombie.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zombie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2b3c6d7549e216fe9e8fb517553a240N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_MS.MSACCESS.DEV.12.1033.hxn.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133664132471496592"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2416	chrome.exe
2416	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 4476	904	f2b3c6d7549e216fe9e8fb517553a240N.exe	71
PID 904 wrote to memory of 4476	904	f2b3c6d7549e216fe9e8fb517553a240N.exe	71
PID 904 wrote to memory of 4476	904	f2b3c6d7549e216fe9e8fb517553a240N.exe	71
PID 904 wrote to memory of 1608	904	f2b3c6d7549e216fe9e8fb517553a240N.exe	70
PID 904 wrote to memory of 1608	904	f2b3c6d7549e216fe9e8fb517553a240N.exe	70
PID 904 wrote to memory of 1608	904	f2b3c6d7549e216fe9e8fb517553a240N.exe	70
PID 2416 wrote to memory of 2112	2416	chrome.exe	74
PID 2416 wrote to memory of 2112	2416	chrome.exe	74
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 3140	2416	chrome.exe	76
PID 2416 wrote to memory of 2224	2416	chrome.exe	77
PID 2416 wrote to memory of 2224	2416	chrome.exe	77
PID 2416 wrote to memory of 2004	2416	chrome.exe	78
PID 2416 wrote to memory of 2004	2416	chrome.exe	78
PID 2416 wrote to memory of 2004	2416	chrome.exe	78
PID 2416 wrote to memory of 2004	2416	chrome.exe	78
PID 2416 wrote to memory of 2004	2416	chrome.exe	78
PID 2416 wrote to memory of 2004	2416	chrome.exe	78
PID 2416 wrote to memory of 2004	2416	chrome.exe	78
PID 2416 wrote to memory of 2004	2416	chrome.exe	78
PID 2416 wrote to memory of 2004	2416	chrome.exe	78
PID 2416 wrote to memory of 2004	2416	chrome.exe	78
PID 2416 wrote to memory of 2004	2416	chrome.exe	78
PID 2416 wrote to memory of 2004	2416	chrome.exe	78
PID 2416 wrote to memory of 2004	2416	chrome.exe	78
PID 2416 wrote to memory of 2004	2416	chrome.exe	78
PID 2416 wrote to memory of 2004	2416	chrome.exe	78
PID 2416 wrote to memory of 2004	2416	chrome.exe	78

C:\Users\Admin\AppData\Local\Temp\f2b3c6d7549e216fe9e8fb517553a240N.exe
"C:\Users\Admin\AppData\Local\Temp\f2b3c6d7549e216fe9e8fb517553a240N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:904
- C:\Users\Admin\AppData\Local\Temp\_MS.MSACCESS.DEV.12.1033.hxn.exe
  "_MS.MSACCESS.DEV.12.1033.hxn.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1608
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb93079758,0x7ffb93079768,0x7ffb93079778
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1868,i,14902787347195294776,8243498805011132184,131072 /prefetch:2
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1804 --field-trial-handle=1868,i,14902787347195294776,8243498805011132184,131072 /prefetch:8
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1868,i,14902787347195294776,8243498805011132184,131072 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1868,i,14902787347195294776,8243498805011132184,131072 /prefetch:1
  2⤵
  PID:240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1868,i,14902787347195294776,8243498805011132184,131072 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4372 --field-trial-handle=1868,i,14902787347195294776,8243498805011132184,131072 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 --field-trial-handle=1868,i,14902787347195294776,8243498805011132184,131072 /prefetch:8
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1868,i,14902787347195294776,8243498805011132184,131072 /prefetch:8
  2⤵
  PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4920 --field-trial-handle=1868,i,14902787347195294776,8243498805011132184,131072 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3256 --field-trial-handle=1868,i,14902787347195294776,8243498805011132184,131072 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3192 --field-trial-handle=1868,i,14902787347195294776,8243498805011132184,131072 /prefetch:8
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2992 --field-trial-handle=1868,i,14902787347195294776,8243498805011132184,131072 /prefetch:8
  2⤵
  PID:1460

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1453213197-474736321-1741884505-1000\desktop.ini.tmp

Filesize
33KB

MD5
6db9afd09e78386ef5473c238e5b1729

SHA1
dde67c59274eff92c9f80c82d7e669fb9553b6be

SHA256
c3ca751232b0b3d4a0d7113cd276fc026cb3b42dc104ae649ba195a3c05522a3

SHA512
9eb4a85fbbe9d075ced483c63b8908bf73b75651b7a98ee563c8e8515eeb9fda88dde84b3f70d4834eff52b3b51b23fdabb66fc891d43a793bdce525e24b8160

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
145KB

MD5
6d8682a236fa0a5f7b05e76740f10a09

SHA1
9d5c03ecc7995d1c27f3468c260e99bc78e78e6e

SHA256
f585bb21cbe822df2c663f0cfde1bbe9cede98350d491883cd910d31378a5490

SHA512
5186a3736635bfc4e7040054c41deee5f4cc7f6310b4091ea7d7d91da38d1b56dc2a614ab29ce909cc7f2ff2e89706e81995e5715db14b34e4a49c2b593000ea

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
131KB

MD5
310c5e1d2a7389421a4e2d604d146ff1

SHA1
14657a98236b17ced6baddd057284e6f8122f55a

SHA256
0d1c37eb3ed885ddb2d170ac073c771f10b9a3b583c204c578bada61439a0d9c

SHA512
db56887c1b38bcdef9cecaed4233a7799740719af9d1b3c300691982aec7da9c856e0507c23a7ad0a84451907a403194cf831707b0379869c73dd01f12030ef6

Download Submit
C:\Program Files\7-Zip\7z.dll.tmp

Filesize
256KB

MD5
eac2778950751baca524344c6c1c993c

SHA1
1ec41eb431d267dd365824def727edb6d0dceb0f

SHA256
de326459740e9691e0f4b6bbc1a4307ef018c5241fb9b680557d38d5fcb9c224

SHA512
0994b4d6c54d7d0d10dbf383491edbe297e41896698eed4f02223f1f423c8023570831bb5c8b1df0efce7c118e9dbd7787c4488dfe7ff0c36a729bfd27e61c4d

Download Submit
C:\Program Files\7-Zip\7z.dll.tmp

Filesize
1.8MB

MD5
94bb58d35e00e4173d2fcb730a58833a

SHA1
f028e0183bf5a9fc9cb65d925546e671d2371516

SHA256
60ced0efb256d14382a4d7d125f817e316a7876a688c6fb9d3d00cc548e36eca

SHA512
f235aa773f263cce4f50a60afb13103e2eabd6c70bb9e84e58f9bd762daea7c5b70a5fd4de0059ce4416ff981412f32e72524687f5bd11e1fe96d6250438d3ce

Download Submit
C:\Program Files\7-Zip\7z.exe.tmp

Filesize
576KB

MD5
39837510c57cd35cd61da35204c186b8

SHA1
4aa99ce0382172abd3fdfbd0fd8940ffdb5e195b

SHA256
4e793066db4faa6b242cefd862e88e5b55243769e86538a2060b42e46ee2a6a4

SHA512
e72cf4f852048d90e23fcd01abeb965232f4e255e99d3abaff7818124d0a2b6d3ba5dfa15f99434a95508745495eacc915eece331990fc7319350d4c8f6575ec

Download Submit
C:\Program Files\7-Zip\7zCon.sfx.tmp

Filesize
221KB

MD5
9cf99797698aeb8243ffa359b7f25663

SHA1
c84337127b62fb4926dddbcebb81744d2d9cbda2

SHA256
f9009a3fba23be06770b47475d788f2ed2873fb0e159ea8176f764565b824ed0

SHA512
fe3276479a5cd4a59ef1f6526c6987b23221353466d24be7ed297f4d5c9325745762a5a3b0d787004c7c41e47e1d316630d8673332ff8f6f9e6f298f736e221e

Download Submit
C:\Program Files\7-Zip\7zFM.exe.tmp

Filesize
963KB

MD5
ff0530ebed655676a0ef466b4447040e

SHA1
4ac1e3bdc82d322b7ab5a103ae00acbde57d1309

SHA256
05aec95ce2213fc8d217346d3ea83ce6cb178533daf7a958db1f6755f846b9c3

SHA512
49ca1524a6c40ddf001d03df2ca532fd7ff67e6326182880de20e4c259e145ed5fda4ec364fc8e5485c175c10251bf44fd068d06aeeee455df6684dbdb1d6cd1

Download Submit
C:\Program Files\7-Zip\7zG.exe.tmp

Filesize
716KB

MD5
299d4493ff4f5f9ac13ac418c6c8fe09

SHA1
736d6ab555119519542e07c0b7508270adb61574

SHA256
a2ae2726e27d4e8dc8e9acc50d6f564e42ec01a55339bfdf3e160334efddc31f

SHA512
11a764b73852d771fba67c462d965d3705fea07f12d9be574ddc1fbd5a732473b6232d9558438ea533b4dd4cc0371780b5bd89a3ac72104dbd19f52798b8dd79

Download Submit
C:\Program Files\7-Zip\History.txt.tmp

Filesize
89KB

MD5
baf1531b48254d0232f160463c4bb2da

SHA1
545097e7a1f9b7f5413bccf5900118fb711fbaa1

SHA256
bc8fa717a05d9f60f6e0e9eb0891e4cb2ca648b052a01508fc1d627fca00658f

SHA512
c565482cdb1e0d8792ec9022935831c57ef260b6070dc46ce62c1d279af10e903a1e194964cb09094557f03b15693d1b409076f64e0389d2afbe7d9b6f7e9744

Download Submit
C:\Program Files\7-Zip\Lang\an.txt.tmp

Filesize
40KB

MD5
2b672c650b2b57e76fec17b87b2e8624

SHA1
18bde7abe44e2a875db2d2f3a3086963b9f7e8d9

SHA256
88e4005ef5e748d2d68f05b37ef8f562f7ce6938dd61d123af9b28cce3fa42ae

SHA512
146900224096b00c06a8f562078e6cc6728dc7dedcfd4384edf3905e45bed04e577828223a52b83cb7bd5f34698cd46694f9f4aed73ece2665e04205b621f5ec

Download Submit
C:\Program Files\7-Zip\Lang\an.txt.tmp

Filesize
40KB

MD5
523c5bcde857d7e7a14e816a039a2fcd

SHA1
7a077b4baa493cfd0624810f9e772d11f0ce0b40

SHA256
3b6f4b3ab7fea5885a06508e9c9e043ee06a4f7bc6f1730b10879c9c2cf2e420

SHA512
57eb04e86b1540ae650c05cbc6bfcb33f04c5869a5500192e534e973db06458f7d98df3d37949ed22cd6ead693b6060108c734e5561f9ff5b2585ab2ee47a631

Download Submit
C:\Program Files\7-Zip\Lang\ar.txt.tmp

Filesize
45KB

MD5
4e868c45bab139172ffbc9c202294db0

SHA1
94c64459adf7c5ed6de0dbcf8877f45fa83a328e

SHA256
d9b92c8e0012bfd5f031efd76c730765ce4b8a56dc79c5cb138bfec5bfcd9171

SHA512
61a7c7cc567a651b48f054b6b3eb4075dd5d893bc0db2cb44a517f528ced5efdc863908807ba3aacdb06c331955d1ab61a4de68374cfe769d0e7ac5ea5d194f6

Download Submit
C:\Program Files\7-Zip\Lang\ast.txt.tmp

Filesize
38KB

MD5
78c60cfc80250be6f60a7c7cb94a098a

SHA1
7281ef316839c8a51f2b95fcca910f5ee93698e5

SHA256
c1b461cec8e776bded9fca28e8bdde05122b98162030d669f48f9fa4e0b09281

SHA512
b1e15ee64afabd61752522fd5c26aacc2435000c785c680fb83956825e9f30bd89c7c320887e99f2a870609a11d2865345997f0f7d544980ddb8bc74f9c9f770

Download Submit
C:\Program Files\7-Zip\Lang\az.txt.tmp

Filesize
41KB

MD5
783901b0115aeec6001242587d341a41

SHA1
a3c723ea7d00e5e9ae6d24d72e4a7c9e187300f8

SHA256
275ded1d5a50ec897d19259be81f3fb57efa3f70884e87495fbace89d1abe1d7

SHA512
ced0bb83e0484ec042b84e135d061fc826f7fe58206620f71c2822a796facd226525701f4817b808dfae9f689b8704ab6620d16d08bd12cb9ea99c9d481e81d4

Download Submit
C:\Program Files\7-Zip\Lang\ba.txt.tmp

Filesize
43KB

MD5
97f4be780e7c9d4b82b0d958c00c16c5

SHA1
99bb4933e906a22b65be21082557b7f879f52abb

SHA256
ff02f4a3214ea7dfb57a1edaecf341d3950b9304b1610d1ce689345a1812fd94

SHA512
182e79b2684e9b6fd926f21dccb81aefd6d2f7e22820013fd5ce7f36bdad8dfe9b68ac109d9bdd65f91e8007c0aef3a08eedf91b5b96b57b58f7e945eef4583e

Download Submit
C:\Program Files\7-Zip\Lang\bn.txt.tmp

Filesize
47KB

MD5
2461ff18533f61e9ed9c748c26893af2

SHA1
0db4200fb893ceb3c61fd0a631a7348d07422ea5

SHA256
f2636a29a9ec9740f3704cfd429f477adb6707bc27cdc6e1f6499f4be9c97cc1

SHA512
d510d61cd0c0cb55f7e77f3813dfc85a12265fc16aa6d6302f985102ec5ad2299a657901c2b1ab5a142ea6e5e4e9b2ec81c5b032bc370bc029a9d07fac60db45

Download Submit
C:\Program Files\7-Zip\Lang\br.txt.tmp

Filesize
37KB

MD5
8d92281c28f142270fc968ee4b587817

SHA1
03f16022b529a91d4dfd58940d473723b8f36c3d

SHA256
b2d6fc95464c85c74ae10ae8ad0f380520e3f41c8a8e8537dbf7fdbf97aaaa80

SHA512
bd4e306463e3e2c913e78befe9d13fe1b7b5ad06233767624de787edc6d051e1c7577e07663f223f7bf67afe5b2544220635e8b5cfac9715294b420597c30a5e

Download Submit
C:\Program Files\7-Zip\Lang\ca.txt.tmp

Filesize
41KB

MD5
ec028df105f07f5f4c1b1e87da3565be

SHA1
7e7896f7fa61ed0470b3919db200f1595afe55f7

SHA256
43849d95e30e490ddca8febce07e0c2c48b409767b7894f842b03db1d47cc9dd

SHA512
894b6beed0bac83938b5b331c05c38f05287b2a8ac18bfc117c1e952aee853d0ccc2dada96e199fd729b1b6f71fee1a25f6a81c8364b81e0654a55b96e0040ff

Download Submit
C:\Program Files\7-Zip\Lang\co.txt.tmp

Filesize
43KB

MD5
ab1106df4b278cae2b7e2ad6227582a1

SHA1
3a6c6fa35ca222a1d9e3d96b3c317d07cb7a83ae

SHA256
c026cc8362262b015732184b02b3f75aa0a6818d869efc5dc31a6db381049ccf

SHA512
34eb627345403d2f9ebc3e6d1a9f3a01414db5b06e9c34780609f94f62fd7fe3c86dbe0520feafd310634182900235ac9caf67c69a06907dd01a90efd39291dd

Download Submit
C:\Program Files\7-Zip\Lang\cs.txt.tmp

Filesize
41KB

MD5
7106f1fa05e247d5e78cf8ea2d094f4a

SHA1
c46bd3ae713741f6f8229d0f2c1eebe3f68dce7a

SHA256
9a91b7088c20654aeb08e340223fb56add075fe6fefb214e8da730265a52197d

SHA512
3bf4858d687d7c60490b22d73500391b075a7e5a9157ec7952bc208195157359c45abc30500326fd65121633edfaf2836dd13a5f58fbc7d35e9c44a636a55d8f

Download Submit
C:\Program Files\7-Zip\Lang\da.txt.tmp

Filesize
40KB

MD5
922179612d26b2d6f8830e19900c6ed3

SHA1
13d15795f20baa26137c89e889b1a647fecb84ae

SHA256
24454c27310362b8c61f21744e97947ba2700b67ae5ec2877ee667e15a505201

SHA512
4654f4637a9901c8a60598fee0564ff4655c9e1f5a77f59e4d3eaca719ed13135dbb9e88d6e4842d6db8e0e9a3e48a585868a8f4831161fc5a081c2d51c6d2cc

Download Submit
C:\Program Files\7-Zip\Lang\el.txt.tmp

Filesize
49KB

MD5
1307c0534cfdc4d63f6ca1fa319ed70a

SHA1
ca006c5086a8224b0bbed33ffba5eb56c6e85103

SHA256
190205f6c4f5a87dec2b8d200e9229f07d3942c7538913c07daa59957d284594

SHA512
865e6bff07d2dcfd3cff3b68532a8e9fde3f7b85e2eb3b3d4260ba1ed861d8ba642708f1b7d3ae569ba825c956c38dae832aba81d1ee2775f27cc3c79d736752

Download Submit
C:\Program Files\7-Zip\Lang\en.ttt.tmp

Filesize
40KB

MD5
55cd8d68cac5b16d8c4cbc64c037c434

SHA1
56265547550a0ef43b73a24913716d7c23d1214f

SHA256
ea147ab184a64e9dadd3df71ed04ca3e45c717426e4ab9a9772565d2bc65ed41

SHA512
db24b3363a79b4457ce5bfc644965de7429cbc2e550e7b1e9096397aed47f9fac55e5bf8a978995e936ce14f88678438453734285dd74e27b631d975f148ef44

Download Submit
C:\Program Files\7-Zip\Lang\es.txt.tmp

Filesize
41KB

MD5
cbe83cb19c6d2176a824448392c482b9

SHA1
0319cf4e9f27b70d26e9e68b1d1a2187249122f7

SHA256
fa7de6ab5e255f572ff634f2fe74730a6e875418c024d34cd1cb3e3a9e5b56d4

SHA512
f55a29eb2df3d6954cc790c9a72991dce543bf785573b30fd6e6bb33547fd6078c46fd47db7822eabbd3d05a825c4e61a7df80b556ec02e4f3c64ff1241f1e44

Download Submit
C:\Program Files\7-Zip\Lang\ext.txt.tmp

Filesize
40KB

MD5
4d28c4e29ae47682f2faa2b03ae3921a

SHA1
e7104f586a5615f7b4ed07f88685967e2b8d1009

SHA256
bbd8ef39e9a7c14fd3870f9c89cab3cf46c676c43c97d9877d25519c92ace225

SHA512
616da4d8125e9bb59d4e8d8d98213370bca208d06151c51f5734363153cca49474f85bfd063b627197eab60481ab81a13aa95d74ee8e9de33438ae46cff39f19

Download Submit
C:\Program Files\7-Zip\Lang\fa.txt.tmp

Filesize
46KB

MD5
787a60c2cc06a3f315db2493fd46419a

SHA1
95d15a1ae6e4548d4ed3f1994a3af9f119929709

SHA256
267a582d214406963758387587a7ff646a5668fed309bee47477115b89747ce6

SHA512
7fb78a6e536221eefe38d8d8d9412d8fde36a3272e03a3b823191a4d2ecd9ec5cbded787973bb5de47ad558b5ea7c76f9d4de7aaa27e96c0acf4d86c1099aac1

Download Submit
C:\Program Files\7-Zip\Lang\fi.txt.tmp

Filesize
40KB

MD5
056c975196f2052ab770f1ffd42ca2dd

SHA1
88055d9877f180cf41636232b8160e708729dd4a

SHA256
7e4fb76cd49609e1e7ab9a5c3714b364a2a8a175433cc3ffc42b3903febc253b

SHA512
ea5b74dbd5f1b41cf968b37094a35448c7f2e01493e6e1ac9d3b142ce261ec6cdde18e7255a992c90fe13e7216f04e0a6971af35aa58e5e0738e8c0b759e4f71

Download Submit
C:\Program Files\7-Zip\Lang\fr.txt.tmp

Filesize
42KB

MD5
622d63489d2f9c6b20cde22a8f3d057d

SHA1
693711b56c22bf8768722e95c4139e81402920ff

SHA256
583511d06fdfecfc8c42eeb8a5ee7969310b20ec067e489c6823b25f3af4308c

SHA512
81506e809b9ee8ebf3b2549be4adaeaa6147fe6f97c514bb8e43d8ac6f94b7876d77c1f80a21987ece728621aad3dd2ad6f6a6c29db01c16508773dae154a2b5

Download Submit
C:\Program Files\7-Zip\Lang\fy.txt.tmp

Filesize
39KB

MD5
a02315f7421b2d32e50e7f5b99895c62

SHA1
178c9fef72fa2c267fe6ed61acc0c06674ccb204

SHA256
b8c802eb7d196a25c26a483ddc7e690a0a704a65abe7daf9ec4d223f64ebe9c8

SHA512
a2279563b07031ff56b39e120943c0dd71e124073a66216541b382eff09e54251a224cbd2c8c528efd41edadf599f05690bf72d147632f11b87f931dfa7cf34f

Download Submit
C:\Program Files\7-Zip\Lang\ga.txt.tmp

Filesize
41KB

MD5
496e1301c243ad31321ab44454537eba

SHA1
69de6eb3459ccebebdec8898a55b560c908ce17d

SHA256
206da21199f5b10e54f2cb976d93285cf3ec0db530f77491db3adb1023a12b4a

SHA512
8a0eba0f7279dd6026f33752fee8017a0af99050991338f3fc6936dbdad006fc4307192719dd3468f8c451a66e2f8f7e79e57d4e07672e7da51644830e5654ae

Download Submit
C:\Program Files\7-Zip\Lang\gl.txt.tmp

Filesize
42KB

MD5
3959f3405583f305b18a98e6541488cb

SHA1
49fc91d0f00efb60b183536372c00f84fbfa0ba9

SHA256
aa80a823752840f1339defc00eeeb8b7a4b456abd5ece42b9aa855c35ad05880

SHA512
655d4709298006a155de2e55ced3effa73c0833fcd5ca2414cdda83e156c514e2629987091277ed3f92eef5b02e95a31b1d6bcad4bb88b4f7e9eb0cb099769ab

Download Submit
C:\Program Files\7-Zip\Lang\gu.txt.tmp

Filesize
50KB

MD5
723cebedde6d7f16ffc48d7f28c08c44

SHA1
03ab89d15fd2dccbb9dd69b20e5aab2d1f233bd5

SHA256
6b360e2ba4e6d3c777baf77982aea6bc14d0f22a17dfc03b83bd8ab269caf1fa

SHA512
1cbea8b516a87a7e591037706ee920ab157ee0f87316814142091a5b80d34bdd621bf357bac0aaef40b2502a78783456c8dbc1907a5fd67912882eb006eb41ca

Download Submit
C:\Program Files\7-Zip\Lang\hi.txt.tmp

Filesize
49KB

MD5
ff3fdd37825b3b74818ba2f3d84ed5df

SHA1
b54d917479acb104b6dd3a0f8572fa8c3f4cbaba

SHA256
e66a5258b431afb1aed6821b0473539a0af7445dbccab88522e60acd28fbbf5a

SHA512
d78f302e085b2485aba015998d23f9ace96dd7742bcee47c2d55b673543a0250ea418c9f13576a60a257c77ab1a7ee40e71651548c5570f518b0b114cb9de3d0

Download Submit
C:\Program Files\7-Zip\Lang\hr.txt.tmp

Filesize
40KB

MD5
731312aa4c7669bab7022c35289dd76e

SHA1
94c5011c9386cdcc91250316f80f8bb00ceddd4b

SHA256
fb1cb390dcab5d8e7b57989c0d4c60be93c6e97db39427238721de10418cbe86

SHA512
08031f51282db1e89d9bf9dfe763264bf43d4e863001322be646349b71cf00625197c94a183ca56a1be7b95bca4658f62a3b16209d53ac3f1e18332479f20fe8

Download Submit
C:\Program Files\7-Zip\Lang\hy.txt.tmp

Filesize
46KB

MD5
e636ef3224b1066c9bac04714100a5e6

SHA1
e665b4ae946ef7fe01e411dd553ee855dfed90cd

SHA256
a7613719f617cabd9b461335d0d2db56a52c1b616fa39e277610751afaf02c3d

SHA512
64080a8a200e1a5eaf3eba7925d8f5c4e0f767aa7a51ccbbc27f24679afa00e8416a44ab4c85cfd8c452cb59012735c875b40829f167fcf35cceedf5dcd3ca7d

Download Submit
C:\Program Files\7-Zip\Lang\is.txt.tmp

Filesize
41KB

MD5
3d9b06fca8803fd8bae204b67541dc28

SHA1
44fa6a7f8fccae3b4e09610c9fb5569a57f88ec3

SHA256
4980b8175b9f8725259fa899d449a2ac48516314c28c5425cfb17bc5eaf0befb

SHA512
92989b5bc4ef955f9a5a1b468ef05f0520d040130450d058d0296de45bf313497db9ae932929bd2969d1f6f71989aaf1d5ddd548a06acff588ee90ead62feb14

Download Submit
C:\Program Files\7-Zip\Lang\ja.txt.tmp

Filesize
44KB

MD5
7b91b24eea3089484e3a3953f6c33905

SHA1
85fd015e755d7c849c8c8705a150a5b64e5ef360

SHA256
ae62f3456c2bb5c4fc57a155c7dc7cc79e5d0e893812caf87795809bd36f27c8

SHA512
ca55f6b272b630dc9edc37a76b853e2f1daec162e894bc063e1a2e428837c7eb04158b9d76cf1003b15b033c00b97a25cfd52c7958dc929a96ee864c12d44a80

Download Submit
C:\Program Files\7-Zip\Lang\ka.txt.tmp

Filesize
50KB

MD5
8b3534d9670bd0b522c03d8fba0b4898

SHA1
98dd2568827b10fb8cf581164e8b7a3dc83e9843

SHA256
1535252a36d6058a67ac143eb2a550b069e68562bc31ee1b4237cd8764497cc5

SHA512
da551478e522780a549dd4688aaea54c047c6d78d8b3aab164bf7197ac52833788779d0b5b373c380e03e2c58005a1ad6b919392540a891c050ac2f736d31c9e

Download Submit
C:\Program Files\7-Zip\Lang\kab.txt.tmp

Filesize
41KB

MD5
f4e116143b5664d2c406ffcf82f0fa3d

SHA1
8d97082177311f51f268fe10f6db0ddafa7f3f52

SHA256
e6b02cd3f11d2a8bd9b377b1327b581aafffeebce4633203a0dfb1ff77c962df

SHA512
338869ecc5e19bd33fbb653b3a69e47bfcabdce4f25ccba56726caadcf66ffd7ff995b6ef0812a7ad5c72a3a7e8b13801f61a768868641dfed9d26dea5b849b7

Download Submit
C:\Program Files\7-Zip\Lang\kk.txt.tmp

Filesize
43KB

MD5
d94bcd8c12b25710fee0247a9743f0ee

SHA1
3772e21366cfe4e398788b8d70a98ea272c3df4a

SHA256
f62fc65cbde1f21cf665cf231b28aaf749c75d9b33fd6be2230617ac2a245f6e

SHA512
1445cf87f7d3e77eaac9afe4e99f30a232e0a0ddb7c75c34d369e017559d7cb77b9be27b72b33a76b473d3e1596abc4805d0398e1f04c2d5a8392d83110ea48b

Download Submit
C:\Program Files\7-Zip\Lang\ko.txt.tmp

Filesize
42KB

MD5
58169531a80cc01766456294f50b874a

SHA1
7f1a8bd8bdc3626e22741f859a1f8a9f304b59ad

SHA256
9136e2c96d461b4564b437d7190c34df4df9629711f09b9037966e8b0bc6104d

SHA512
bb8a3e79c0888811def91c8b111d9e7435711b6ee269f44ce9c06d2f07fa84f1705755f7c8de965a059d7f1a73cbb83554a8f7347a8f6e677cada34f781edcff

Download Submit
C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp

Filesize
44KB

MD5
e548ed065fadce29f939f8226e563af5

SHA1
377fbd73e27f9cc886a4dcf1fc8567af0fc55e1f

SHA256
4e74498401fc9836940035628ae7996128a4a3cb0d273f006e4733b09d25c647

SHA512
0583c5004c50ace2780105a4413c5911eae2e4d027f1afbc9974815b892235529efb1a84276dcb109688388364b44e95af38999a1f3fbf0c762f9eaff7be335d

Download Submit
C:\Program Files\7-Zip\Lang\ku.txt.tmp

Filesize
38KB

MD5
895be036628745f3a8ae690401f0a2e4

SHA1
d45a9d1daa1a27033dfac493f005ab1516023ac1

SHA256
050f5b0919fbe06eb5c89a18b5183d76d7d503fdab53b8c3026733fbc6c6af9a

SHA512
6a7c7acf87d4e496ba3aaba174b23ed8cc83984c632135bfbb2b5839bb967c61078b1c3bfd4d9b4e21e5ba6bfa8a4d6bcdedecd6da2a5d122da4fd911d7ccb08

Download Submit
C:\Program Files\7-Zip\Lang\ky.txt.tmp

Filesize
45KB

MD5
60a0a00ede88ffaa1e0a061e65868740

SHA1
109bb26632174cc999fba9ac155574d8c4596227

SHA256
792595701e3a64cb4344f76d44c9331ecc54d4df6d788daffd0a2a08cb3f257f

SHA512
aeb4cf6accb474b13464347a3c57ed09e0a75dbaada5e3d3f95a62455c0d3fd6ec7d3642f62a839057ac9c8e4133b41c7b43e8c29c32609bd3e976ef3cf8238f

Download Submit
C:\Program Files\7-Zip\Lang\lij.txt.tmp

Filesize
40KB

MD5
49e42ae72691d58d8444421a2d676e3c

SHA1
9c8faa0ab7ef1169f36aea01a27a30eeef213b5d

SHA256
dffabe06c32fb79135474549bcc2517f6f7706d46f9ca56b89d74fca1f124977

SHA512
b98027e7bc518ee483c0dd1c8c8829f26919299776aa1dde0c1620c5e707594d60369c4885820709355cd635a71d271a2fa2b8e8674dde1a4b738594266437a0

Download Submit
C:\Program Files\7-Zip\Lang\mk.txt.tmp

Filesize
40KB

MD5
2f2b69e312b20b3207dd1d9be3718320

SHA1
8cae718780cf3244261a7b420a4ab3650909e525

SHA256
f445f4d843ba699e5d325548ffa84f45b0cc764960d3fbf315f2b18512ee5c85

SHA512
5efa9870d0319489cdc4f2547eb04a19fe97f0a8bab994529d223d8fad4755b35b459f3f86377b57ae7cbc1ebefddcad378bafc0b5ff9ba160dccf5b1db8552c

Download Submit
C:\Program Files\7-Zip\Lang\mn.txt.tmp

Filesize
40KB

MD5
1a9a134ddc3d58a94f258a9b485dcb72

SHA1
9854d1d8be51f4906c77d180f1d7c3f680c03d07

SHA256
266b323034cb8a011b63ba0569bb660cd4b811636abcaab98f022090ba99b817

SHA512
b13846efb4c620ba9b59ddf871fb1da47f734fb8d91641481c466d211dd80c701d4502d2a1bf3559781ea5686fff84bceb44ce9db5faa9738b64cfe760a3ef34

Download Submit
C:\Program Files\7-Zip\Lang\mng2.txt.tmp

Filesize
53KB

MD5
02a734227fb286127eda1ebe502fe3f2

SHA1
b1fd25a8d7de7786f7647a359c4236381ee2f969

SHA256
f1fedb3a85e40fc8d49b51a7970a6c57b9ed677b89d776b242052c5972a70b97

SHA512
5f5870100f05da93980e872490beb4d03c477c7fd15c21289df79b8123369d5a63505ba60341b50d0757ed9599ca3ba92457434064f2c0bbe166b4886de37c78

Download Submit
C:\Program Files\7-Zip\Lang\ms.txt.tmp

Filesize
37KB

MD5
92a45c11e73dd1beb8f5a3ed793ac246

SHA1
e41113dc07f86f14a67b50829094e5f026bdbffd

SHA256
27f479aba4352e5d8e51ed18258e6f16015d3e7cf57eb91a6c109226c5f90cfd

SHA512
5ac9007fd1ec2da33d099e0a250b13a0c67906cbc90ec046f7212fca0794f5775c562c442401e2fd6744c2771c9f97f84380a0814b9e063cca36b5a10d70715f

Download Submit
C:\Program Files\7-Zip\Lang\nb.txt.tmp

Filesize
37KB

MD5
671614c30a4552aa033cf0b64b317ef8

SHA1
fd67466e5fd80d66dde5e20c5d5713233cbf0d8e

SHA256
5cb6ac9df44c1dd82dfb5091e46717b15063106b5a866a373dcba85b63fca95a

SHA512
61a48d37ea99d2ee88503b0fc9b74f08f5d723570a6359f109ea1e95044cc9bd9634870707b58bb12c83508b2a774f54dc04a53522083a2f5625f8aa618a61b0

Download Submit
C:\Program Files\7-Zip\Lang\ne.txt.tmp

Filesize
46KB

MD5
b88b3173122acfc7789ad253839ae52b

SHA1
8fe7ddb87e8ad323e7500e3ea9d3d9ad8ced27ca

SHA256
56b55835d33b092a71d36f7f2d581967e6c265893df6d5fd6d74f40c0f659ff7

SHA512
35c66b9efa6f19f52963c049371f7d0b4835b65a6c16e6aae87021aa109ec6e3afe4bc2b1560ab78b044f187055b508df3656a667777c473d934d28e16893f64

Download Submit
C:\Program Files\7-Zip\Lang\nn.txt.tmp

Filesize
32KB

MD5
0b0c4421afe80c137179fc2bacabc2f8

SHA1
46fc222ee2ec4a28639e8fee52da74e2a4a483a6

SHA256
1ba5ec479fe78dcb5712675c887ec69b55cfd7c4c1160b0d4094f54a54f18369

SHA512
a1d8b48e99700388c55fb049f54d9978fb9728e0c2b19e2b38ae5765eac491cf5d02402ec01983b0fcd3b0c8ed1ddbadc498448358890ec68bbedca14223273a

Download Submit
C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms.tmp

Filesize
56KB

MD5
4faa5956d0d91da41ef2e54a31ad4e9b

SHA1
7f810b1bd36d2abe052b4042cb6a83f467d91c8e

SHA256
876935b9de87e8da725587f00966d70969ff66ec1bb39ff6c815276cf1953a29

SHA512
8b5c2a13deb057b290e3becaf127c5c8eb8c98b90b0a8870c2ebcf9eb3cedce73bf9399da7c65ea821d320133d737cce0a2047fe90bc4740c96486fe5243db8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
210KB

MD5
5ac828ee8e3812a5b225161caf6c61da

SHA1
86e65f22356c55c21147ce97903f5dbdf363649f

SHA256
b70465f707e42b41529b4e6d592f136d9eb307c39d040d147ad3c42842b723e7

SHA512
87472912277ae0201c2a41edc228720809b8a94599c54b06a9c509ff3b4a616fcdd10484b679fa0d436e472a8fc062f4b9cf7f4fa274dde6d10f77d378c06aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
5f135ff8e45697bced72f56a328a1b91

SHA1
b1ae33cd88c2ec82f6fc58d6df5adec7c6e69ea6

SHA256
7a35b9c62045547d240b37ab0a9e9ca93b243ebb1c9015adef3f2bd74f824851

SHA512
901c8c0bc7137bbc796d809499dbd463bf421aa9973289423918a0147d275f990d99c06f212f730511a4a2fa74320af645ced8846b9e5d88838bc2459d26f3bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0d6c1afbb4021e1795025fb3ba033066

SHA1
3cac9bdd4d21f106442b33a0f57d13597a4af2c5

SHA256
10cbbc74a6e4f321342cffde4a5212fee244d761bf4d6c4e8b0fc703a5085faa

SHA512
cde9f3515d341fbeca5168ad65cec94c4cf1c4fb0c6958e9a59db8b1f67d6c62dfa18fb99c19ab1128e4fa6ef5f5585797e1a4b8db1ec287caa810038e1fcb87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
204B

MD5
d1007c2ec10de95be0e047d666dcb72e

SHA1
66ec1a666fca11ea307af603e7ed066ee8aef3bf

SHA256
29d3728a21558a510ff6ebd156217ac7a191b67a10601c747da84e48f8ef6b19

SHA512
ae6d949a60eff3d0cbd37ea63ad5d52cf83e2966f708f8ba4ff608436b1d17ac6fc786c03e6e92f412d6681a18a5ebb98477054b43bc2bbfea775b06d5f86297

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fbaab9bcb6db27267850edbec0eaa5dc

SHA1
98d346f9e15ce00c170f8840ded3c21f90f79256

SHA256
dfda93946cd394085cfa5e70a116348c062f54a329776cced9224455e6273c64

SHA512
59ef4d329d7a188b74e9634288b3c4a1e1fde5cbce2f0d1eef1475ff5c99103de6b1831587f89f49ada1868df7e8ebc258850d20e6bc29296521be08d59e3125

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0d06861f29cbf1094e3b4c5f2a39fa73

SHA1
cd20ee5c27e8e92697142df20c67e364c5bcc9c2

SHA256
68968d4d4bd2ae4b5b13186d4d23db2d944a5bca06aad44499b3c9eef8205e3e

SHA512
6b18137fb1bcf1a91020d79715df2c54be327f68f03f6889769f604575d68f1852e273a9a98cf65432b5cca231d573f8aaf3685d3441b5c3b78e2be99ac2d110

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
708963ed9efd6fa2a8a64b92a7b41871

SHA1
a1bc3951bb2d7ab2837123e27041243a12b5dcb2

SHA256
cb5473cabe9cb88eecf437a7a2d2a65cffc74ebfe39703fc71a6fcc0053b72bd

SHA512
6ca219694dae8b92590d56822705589c7093773c027a1732df3d3e10c933ee38d0dfd17183096e5efdd13edac9bc5964407cffe722f190aa00f9b63b55b0df5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
72abfd748c32e5f9bbf0fe2371b26234

SHA1
6eb5ffff9afcc9b65115b9f7244a42a272707f6a

SHA256
4e50aca5abadb4f4df1a8b4ab3c976a3020c96ce9418d39fc382b17b7c356dad

SHA512
22aa36331be0d55a971c6173c51d3af5d6afc6f4af029f7e118abaf7f6fd51cd99328523a1527411460b238f254a22260b05368fd1b89444da1660925763746e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
437d50ee5e04be7e7b9565716d6ea8f7

SHA1
857c7f8cf68c578b002b68337286a993ac3b0809

SHA256
01878ffe0f7e932dd49ff5cf1c4f712591982f21486734c8eb151f56dd095fc5

SHA512
c72cdbb19925bfd29ee05b89518b141a43113baadcce4a22553f6f9f50fa1ba3140b036c51d9a1f7750479a3802a730ddd041fbff423af95480232270752f54b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
307KB

MD5
89b42b22c6a496a4abad9d049f70f695

SHA1
431b12eb6350e80d0d3abaf08239a51446921f26

SHA256
a90eb80b37c70d9f517b13dcc46f284284e16542e845db3dafaa54793955faf3

SHA512
4e24a46984b2c268e429373f2ec3eb0d9f751f272976551322fa1d083cf351c59679da52c51b46220e29e2f8f0c2214646f1bce81c371060e5fb2e14cc36a9cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
307KB

MD5
a79f7062139a392281eb24e8560c093c

SHA1
3815d8f57929a66295203a61fe9ee90eb48305a2

SHA256
b45aa939f597efb4ee1d5fecfd37569c451a3bd89f1993bcd1f32fe37c3f2970

SHA512
daec645f2a57ae62e0b0b8bbd15e704839a439f184c62981deab7ff245eb0162e4a58165dc3e26e268d7e574b70c87ccd9f362fe6ed2f9bb57823c75a937068f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
d7bbc612ae832f455a862d8062f5c780

SHA1
26999b20f5716d1de16dc114181209bba1c72daa

SHA256
7d5cda9718d2a5c0e8f2b8906e3d00a11e8c7250e09c93ae7cffd79bf121b445

SHA512
37484e7e028b02441cda79b09fbfb9d11882229841bcb42af318097bacf644c15bec6186c7ffbb4af8d0fe181398fbae7ccd1a2c6dc1acccc251a5a698f2588f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MS.MSACCESS.DEV.12.1033.hxn.exe

Filesize
32KB

MD5
ec1269c8bdc76857a94dc4a40a00089c

SHA1
35de207e45c4429f4114c5f61bb04d10de5a55d5

SHA256
d9320e81828b58cb44aab5159da83a10e58faa6236185204f58cc3fca9537eaa

SHA512
ede83c5e0c4e97ff13be254d398723d55e1391d32bd085679462ad7e630835789724bb984e6a3d0ccaa216ea29d84779dc4fb1f229786ac0b6c949436d842e8a

Download Submit
C:\Windows\SysWOW64\Zombie.exe

Filesize
32KB

MD5
d63f3eb960dc7b912368120baca0f579

SHA1
3aa3abf0dc6734c395c008d5974b3161f8e70521

SHA256
a164f5665f91418a5bb1d4f5ece1ab195f7aae1e05bf8af0e06d875ec3d80a9c

SHA512
d7118bf464c02feb5a7076cdb27f059c6b0e7fd45a9273abd88f42773242a44eaa3f7d24aa6dedec9860169e56478d0b3642012f7de0916c9f8320e5926f2145

Download Submit
memory/904-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/904-560-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download