xenorat | 76b24fbf7dcc4ff46b3a455761b063b46ec52354c117724e34a911dda45b1d42

Analysis

max time kernel
246s
max time network
245s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19-08-2024 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stop (1).bat
Size

146B
MD5

55511eb333379984acf86f37d5fd5893
SHA1

c787646e4fdd5db20eead33973f3aedd25f3be1e
SHA256

76b24fbf7dcc4ff46b3a455761b063b46ec52354c117724e34a911dda45b1d42
SHA512

c531ea6c7035f1b533ab1af0e9c8218042db7eabf3e58b6d9fb0dc6111e9790ec5a4b0b91f02342e0584c6ce652bb322e4ec5a96b0cbdd8f17755001d29f691b

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

174.60.140.164

Mutex

Xeno_rat_nd8912f

Attributes

delay
5000
install_path
appdata
port
7707
startup_name
TransAgenda

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Executes dropped EXE 6 IoCs

pid	Process
4836	TransAgenda.exe
2324	TransAgenda.exe
2068	TransAgenda.exe
3644	TransAgenda.exe
2796	TransAgenda.exe
1620	TransAgenda.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4272278488\2581520266.pri	SecHealthUI.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TransAgenda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TransAgenda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TransAgenda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TransAgenda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TransAgenda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TransAgenda.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133685540901503532"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	taskmgr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2552	schtasks.exe
680	schtasks.exe
4272	schtasks.exe
976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
4608	chrome.exe
4608	chrome.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1464	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
1464	7zFM.exe
1464	7zFM.exe
4608	chrome.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe
2348	taskmgr.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
4792	OpenWith.exe
2848	SecHealthUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 4184	4904	cmd.exe	74
PID 4904 wrote to memory of 4184	4904	cmd.exe	74
PID 4608 wrote to memory of 3504	4608	chrome.exe	77
PID 4608 wrote to memory of 3504	4608	chrome.exe	77
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 1460	4608	chrome.exe	79
PID 4608 wrote to memory of 2804	4608	chrome.exe	80
PID 4608 wrote to memory of 2804	4608	chrome.exe	80
PID 4608 wrote to memory of 216	4608	chrome.exe	81
PID 4608 wrote to memory of 216	4608	chrome.exe	81
PID 4608 wrote to memory of 216	4608	chrome.exe	81
PID 4608 wrote to memory of 216	4608	chrome.exe	81
PID 4608 wrote to memory of 216	4608	chrome.exe	81
PID 4608 wrote to memory of 216	4608	chrome.exe	81
PID 4608 wrote to memory of 216	4608	chrome.exe	81
PID 4608 wrote to memory of 216	4608	chrome.exe	81
PID 4608 wrote to memory of 216	4608	chrome.exe	81
PID 4608 wrote to memory of 216	4608	chrome.exe	81
PID 4608 wrote to memory of 216	4608	chrome.exe	81
PID 4608 wrote to memory of 216	4608	chrome.exe	81
PID 4608 wrote to memory of 216	4608	chrome.exe	81
PID 4608 wrote to memory of 216	4608	chrome.exe	81
PID 4608 wrote to memory of 216	4608	chrome.exe	81
PID 4608 wrote to memory of 216	4608	chrome.exe	81
PID 4608 wrote to memory of 216	4608	chrome.exe	81
PID 4608 wrote to memory of 216	4608	chrome.exe	81
PID 4608 wrote to memory of 216	4608	chrome.exe	81
PID 4608 wrote to memory of 216	4608	chrome.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Stop (1).bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\system32\schtasks.exe
  schtasks /delete /tn "WindowsSystem32" /f
  2⤵
  PID:4184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffb4829758,0x7fffb4829768,0x7fffb4829778
  2⤵
  PID:3504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1856,i,16331030594753963152,10930510642651833437,131072 /prefetch:2
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1788 --field-trial-handle=1856,i,16331030594753963152,10930510642651833437,131072 /prefetch:8
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 --field-trial-handle=1856,i,16331030594753963152,10930510642651833437,131072 /prefetch:8
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2856 --field-trial-handle=1856,i,16331030594753963152,10930510642651833437,131072 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2864 --field-trial-handle=1856,i,16331030594753963152,10930510642651833437,131072 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4372 --field-trial-handle=1856,i,16331030594753963152,10930510642651833437,131072 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1856,i,16331030594753963152,10930510642651833437,131072 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1856,i,16331030594753963152,10930510642651833437,131072 /prefetch:8
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4788 --field-trial-handle=1856,i,16331030594753963152,10930510642651833437,131072 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5068 --field-trial-handle=1856,i,16331030594753963152,10930510642651833437,131072 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4560 --field-trial-handle=1856,i,16331030594753963152,10930510642651833437,131072 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2592 --field-trial-handle=1856,i,16331030594753963152,10930510642651833437,131072 /prefetch:1
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3064 --field-trial-handle=1856,i,16331030594753963152,10930510642651833437,131072 /prefetch:8
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4728 --field-trial-handle=1856,i,16331030594753963152,10930510642651833437,131072 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3084 --field-trial-handle=1856,i,16331030594753963152,10930510642651833437,131072 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 --field-trial-handle=1856,i,16331030594753963152,10930510642651833437,131072 /prefetch:8
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5696 --field-trial-handle=1856,i,16331030594753963152,10930510642651833437,131072 /prefetch:1
  2⤵
  PID:2092

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:368

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4792

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4660

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\TransAgenda.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1464

C:\Users\Admin\Desktop\TransAgenda.exe
"C:\Users\Admin\Desktop\TransAgenda.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4836
- C:\Users\Admin\AppData\Roaming\XenoManager\TransAgenda.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\TransAgenda.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2324
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "TransAgenda" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF9BD.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4272

C:\Users\Admin\Desktop\TransAgenda.exe
"C:\Users\Admin\Desktop\TransAgenda.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2068
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "TransAgenda" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D1C.tmp" /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:976

C:\Users\Admin\Desktop\TransAgenda.exe
"C:\Users\Admin\Desktop\TransAgenda.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3644

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2848

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2348

C:\Users\Admin\Desktop\TransAgenda.exe
"C:\Users\Admin\Desktop\TransAgenda.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2796
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "TransAgenda" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4046.tmp" /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2552

C:\Users\Admin\Desktop\TransAgenda.exe
"C:\Users\Admin\Desktop\TransAgenda.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1620
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "TransAgenda" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDB9C.tmp" /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
e53a3cb702de742ccc796f77fb9212ad

SHA1
cc9dba54dff144c89344c9e5ae9334b2567fe549

SHA256
60d5e7d84a257fa3f5dd569d9477cbfcee3bfe26c40306806f1082d714cdc5db

SHA512
7915d54da8b68023effd9264c02fa4348d69a7ff5aefddbac8791e7f9db8eafc0292722f47a23162f2054b7c111248859ca1912e81626549825b7b1e7b94fe23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
5edfcb996a9fb168a4a3e34d3f384ad9

SHA1
e91366a381afce18e419bd0b0508d503377a062b

SHA256
93dd79eced23595de50720ab894a8357e378a1b633af56082b3a2e9ecd3d4e2f

SHA512
806d6f9ca633eabc220904859ae09adf32f5c53d4cb3be1899584b63328f43dd087d040f761d7a636a6ad6a74235f999d0606eb2f1709896c79d29792d7d8064

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
61eda8680e9ed930e7077a914937f9b6

SHA1
7f16b454c6fb611f5b302627daec92f7c6b4cf28

SHA256
2e8728f245fbaaf76b732672267b7c09f7d07dd5ee5f5b5c1ecad2f6fa6d4ec9

SHA512
aa9afc4ed3a22d9f4866c7df37cac2bea298fa11e1a32970de9b6143e07333b5863b46d0079ed18b133bc65e4000f3906c937b2d71f7b4b97f024adfd8448ab5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b58df0ef1f48254d95a87d93888ce20b

SHA1
a6ec4f78e7690c879b810317ff047e007b2c5683

SHA256
044d2670ad956e8dc62209b34e3871823b56ccf1e51a899280736e60f8d67cc3

SHA512
f5712e0bf5b8a25becad71ec1b4c804f13809c5e9692a54b0a2be3efc2d9b89999121e16c5c5695a03c231046fc689e0577e8916061a5c21b6a809540fe8b150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
871B

MD5
e23edb50fd08f7d31652718456eef155

SHA1
f9f94ba990d3ba3149f15e7773db80313dea6b8b

SHA256
16d8632f8b4fc6b3b31c4b087065223ec9870de6fec04879f89136aa1fcbaba9

SHA512
fdb714298ddd1702c65bcb8fa7e46f83390e39363032a87fff0b7136ddbb80e49c85cb72c736fda32cd76fa529e8aebd3e536a00391bbcafcc2a95b77c5f69b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
871B

MD5
92c9af316b768942282a93b970919a92

SHA1
89e1ad8106bdcac068e75be42196b31a11b5d541

SHA256
54aeeac86fa529b3ea0013c7c3e190b5b31a01c8513387e157aa64807dc9b0c3

SHA512
57fd82a07f67bf07d3e1af331de53103bbe1c735c868ca48d6478379109cb8c8ecc3e47e6c29a15e77a8d3cde06a09772d0cdea9589ef34b023db738e7fa90c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
b73297480e580de55372bf97b9d8a87b

SHA1
1f791bfa134a6063966e42eea040615aaf8dd78c

SHA256
59fcfc0eee20127c2fe4d6365a47a0642fbb829c3a40c38089edd77e31e4b6f4

SHA512
109436b087f05453a58172dcd5a5e921359834c56c15b56aa7401f5626bf00e2b800f65979d8b39e8536d00f2a6dc0af1b374a66d96ea655f91a6343e459c36f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0972bd513695211d95b892ce2b51bf5b

SHA1
0f176b06a8ac81a855346b86df2589455db7fafa

SHA256
f7336ea120a275c1596aad945bb5137bc6d4d4a518b668fd851ed5bfbed95254

SHA512
ca087a828ea5a2c09ac95ba72a6030bd735876de896d8223119f04e1c895dfba66f115ecd8781b1cf288c15a71645a86521d51401b8a6b53edfca4cf0a995e56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
010befa39e601e5735a71f4048b2cfea

SHA1
6072175e3a3b66f08b4e53569fe9e7e605ee4a9d

SHA256
06953cecce6c523fa6a7507f99b19022dc70e651b2f51705ebec2d2c9ab77186

SHA512
7834fefb9c1b568485ebc4921e2ca385db230da81499d69a9728b712dd0f106440ba55178aa4cf5a07f31a8ef281601441df0140d11a68cf222a1b84c67e2349

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
40b2bc09c6ebecb9f549df1a4a8f87d6

SHA1
c077dcb0f67abb586e31aea7a7a79d44a789da2f

SHA256
8ea43a16021b8c7e1b20554ca7b9c7fb82ee30699144086e4be8688d54ac4e83

SHA512
e0b6aebac5f96a7169ac811bb2ebcf01ccce7de81bed605fb2f93cc15d48a8631592bbe1f8d0205e127f6eeaaa411c17d5447122d17b3cce5378cfa129944b65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c60d5deda56e5a34dc35ee277f44269c

SHA1
f81626cf94b61b075147cf87994c0f219db33ae6

SHA256
77b7fc25a8693e12381eb133e2c521f38195a500b86c30932c80a006fc9f5cfc

SHA512
51d7eee4069f2cc92391e3750962e2a1a0db47ec7e8124857bf99127a50e29c654563c8c208c78d036a2d76c0625b93ae1c6a9eb0ded66de0d5747d7c37ac282

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0c2c8231209a5a6a50efe67ee61f3c9c

SHA1
7fcf8da37500bbd0b21b265e14d418c1a6a30c1d

SHA256
ac4a2045dc874dd19b87a76c9041f1172e3f83268d59b82751b15fb2498da888

SHA512
db8464e3153786215b302a62ddf5805324d59746f601f5bf2f5a06f0682cd55e11d53624a4c5a306c513b476f698bb70b3088599c26373b6e58cf51ec978e41d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
147fa6d591a3de10cfcf0d6cd32fe703

SHA1
97ae67f76450584382bf9d850fa8c6b4268df6e8

SHA256
d5d3eb3ffac46c705a6030c81d333185c057d6d735bd6a396b26d56b3deeb9eb

SHA512
659d87e118aa27c2bbec512b3e2a386ba88b344501b63e33359ffb28381f66f96eadf2c5cb3e4082855d57480c66f573d3abf69d3a0bc77b7e29abd8cf6c8a28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
12b2ca394c7f9d7eef2ff330117b94d9

SHA1
8bc245710260f0a0560e8a66eaf4418fc68c246a

SHA256
75c6bd9dda13d8f2f3b20f74cb2dd43be4d00cfbfe68d4e288554e569aa899c7

SHA512
558b316827db487d0d0ea88ae355993c96c355a49ff0a23d12403261dba5ac23634a26d79b2db5692d6b95c7f0db46a891e4b37553ba3f6081f4fcd1bdd001d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
296KB

MD5
b8a25502572c70f1a7a313b5fe52c0f4

SHA1
99670376646adf0fc5c1dd345a6a519b2815f204

SHA256
5bf7f48e87027213d77b3095b937b9185acf0331973015befcda00d2d348391f

SHA512
70347b92cd52af377e613272766f24f6be5f95b5d10dd50ff20e0a1d897373ddeb2f77dca258a5bac469a9300ff130931b302b3b69ad1374c683b029ad5e2936

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
296KB

MD5
802abd9bb13481998f49eaf79a0245e4

SHA1
485cadb0636d43287cbec882421bb9951518a1f2

SHA256
4cd4e005e173396f41ee2952f8f8d11b25ca1a25626bd18188fc6ede5015cfde

SHA512
820f6775a8290daa5dc0993ad170485016bba0e56b561bcb4d883c7f14f03004435108db0b9d6dfeeb378bf37dd13cdd66961ced2941953851d2ac8b30e74d15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
110KB

MD5
d943fe351ea94903446bf64543571664

SHA1
c62d2864cff31181b99ce5861b75216908f05c28

SHA256
f03b0e71b1fa5e50cb2ed8729fc7a804c38facf6d35f4805e7771c065a4ca1ff

SHA512
f46feae34e50d7f01195af174f7b2a7ded7c2ea10523e8e49081cc3cbbda281c748ddf8b3444b92e60e83faf1b670699898f4f843f69453baf66a3fc4a219237

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe581623.TMP

Filesize
93KB

MD5
52b2afec647f76364b539200b4e8de85

SHA1
67858697ed1daff361b1c91ecbbb3a4d27d2808d

SHA256
bdc1e70909b17fb1f46e7edf378d8c3e03e1b59a1e5c72d5ce004d099712e9ec

SHA512
8b8d943aef8f0a6ef5789c3bc224101289bced52261b27642f467b6893ac8e2637985ac43e6288305c8b1d81df6f4dced8a5dfdaee2ccb57fc15039ddf08aa89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
9afc71295b36a671b1acaeae2d21b7d2

SHA1
c3a9cbf0d859f896d37f2e3c4db645272f7dae5c

SHA256
8ec79b434c9918b228efe3273fe19e4b23fb0c3a501254de7a876d22851e1654

SHA512
951260639aff7df1ae742b5b041a33f15da0bd75876de4bd9af474845049233db635e19d685a50c2d14dc3e5729c15c0de5b7e41ec3d8303e0fac0e619000412

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TransAgenda.exe.log

Filesize
226B

MD5
957779c42144282d8cd83192b8fbc7cf

SHA1
de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

SHA256
0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

SHA512
f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4D1C.tmp

Filesize
1KB

MD5
8b4e1a1239b8d7e51e9a0f2ac78e3041

SHA1
1d8e9e5bb9ee67e376d147a5ff74ebf5fbb815d9

SHA256
0367db2838dbd4ca003ed3e6190544f82550b4fe94991dfbb77b4af1e55144eb

SHA512
f46c338778f00fa1b4ba09524916cfab24e2d9592a3452d23cbb6668ac639928bb6b9b3b95653f3467992286f224661e35daf4f9d2061084d6ceb49fcf38243a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF9BD.tmp

Filesize
1KB

MD5
a9c1f7e3003f94a8c0313a0dc0724247

SHA1
c175bfbdeed865347102f9f709808ab69ef558f5

SHA256
8847403fa9782db190ff467a63a6d84af09ad173a4fed107a9b11aee0cf26e26

SHA512
fc86570456b8d7f1f01c5f8580ace3c627e7368640c704471787831bd58829ce99ee7f0a6cfea601f9038602e4988f769a16e4016790af76431d6ccb54983b37

Download Submit
C:\Users\Admin\Desktop\TransAgenda.exe

Filesize
127KB

MD5
8dbebef8a47ea96ceed4408641e195ce

SHA1
b13a236bdf60de5fac38ab11344392eadb7462a9

SHA256
2bee910afaec59b55af87e2056a52cc43d879a2582dc5d148bcf696ddbd0516d

SHA512
9159cf5a19963d73d947cf17db303eb84353a0237b03bb61fc553b6945f3c670da79cc5185211a793effa191ef438f0ce3f1b894dde3983cc068adce0757540d

Download Submit
C:\Users\Admin\Downloads\TransAgenda.7z

Filesize
98KB

MD5
80d38162566dd741aa1f49d8dff64f06

SHA1
4bf98a19163cec8f30e55f5f51734dac6bf95416

SHA256
2b322a7ca22c6db611c3f427462a2e93f8f7985ca2213d18ef266e66a8e46aed

SHA512
01f95146d3cba4b6a18d341e0546b5101e2078ee93dba624a5deee2c77e56681c06690ddce491f7acf1c0e490dd8599c2650c721ac1f688220548d28fabdc732

Download Submit
memory/4836-331-0x0000000000740000-0x0000000000766000-memory.dmp

Filesize
152KB

Download