asyncrat | 2d56cb1313e3bddad715567f05b15d31059ba9f72346cbc38064d5293f48c8c6

Analysis

max time kernel
947s
max time network
891s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NetworkEX.exe
Size

795KB
MD5

a65e5a25060a4971f569d663fefb2f9a
SHA1

e2bd4e3c23a71280e47d87c001a909a5b927221c
SHA256

2d56cb1313e3bddad715567f05b15d31059ba9f72346cbc38064d5293f48c8c6
SHA512

0c2598820b49392d87b32e95f4a22342be1ae8f09b28c2a6ea098c954109b1e62e3ddab4fb314f6c61326fa1d891574e030ce3060faf85ce01f9fba943d3e180
SSDEEP

24576:hBCHRbaHtJxyMadpRlV4YrzA74DXa6JIK:CHRbatHyfdHlV4aW4DXa6JI

Score

10^/10

asyncrat stormkitty xworm proxy on top defense_evasion discovery evasion execution persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Attributes

Install_directory
%AppData%
install_file
NetworkEX.exe
pastebin_url
https://pastebin.com/raw/jGuGV3jT
telegram
https://api.telegram.org/bot6554307825:AAFiCM4YZlx7R1yb0K0d5pqenjePI2Nljfc/sendMessage?chat_id=6077384108

Extracted

Family

asyncrat

Version

Venom Pwn3rzs' Edtition v6.0.1

Botnet

proxy on top

Mutex

gdfgvsdfdasfkjasdkjaske9831943ioqwkd

Attributes

delay
1
install
true
install_file
NetworkEX.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/jGuGV3jT

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b8d-26.dat	family_xworm
behavioral1/memory/1884-47-0x0000000000010000-0x000000000002A000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b8e-29.dat	family_stormkitty
behavioral1/memory/2284-51-0x0000000000B00000-0x0000000000B98000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000d000000023b85-13.dat	family_asyncrat

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3988	attrib.exe
3332	attrib.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	NetworkEX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Network Experience.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	NEX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	$77NetworkEX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	NetworkEX.exe

Executes dropped EXE 9 IoCs

pid	Process
3060	Network Experience.exe
1884	Network.exe
2284	NetworkEX.exe
3260	NEX.exe
4348	NetworkEX.exe
4780	$77NetworkEX.exe
3628	NetworkEX.exe
4740	Network Experience.exe
308	Network.exe

Loads dropped DLL 2 IoCs

pid	Process
3832	taskmgr.exe
3832	taskmgr.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Temp\\$77NetworkEX.exe\""	NEX.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1844	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
21	pastebin.com
22	pastebin.com
35	discord.com
36	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com
429	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpE8CD.tmp.png"	NetworkEX.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetworkEX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
4484	timeout.exe
1440	timeout.exe
3812	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\WallpaperStyle = "2"	NetworkEX.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\TileWallpaper = "0"	NetworkEX.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133756313319799779"	chrome.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3216	schtasks.exe
376	schtasks.exe
4340	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2284	NetworkEX.exe
3976	powershell.exe
3260	NEX.exe
3260	NEX.exe
3260	NEX.exe
3260	NEX.exe
3260	NEX.exe
3260	NEX.exe
3260	NEX.exe
3260	NEX.exe
3260	NEX.exe
3260	NEX.exe
3260	NEX.exe
3260	NEX.exe
3260	NEX.exe
3260	NEX.exe
3260	NEX.exe
3260	NEX.exe
3260	NEX.exe
3260	NEX.exe
3260	NEX.exe
3260	NEX.exe
3260	NEX.exe
3260	NEX.exe
3260	NEX.exe
3976	powershell.exe
2284	NetworkEX.exe
2284	NetworkEX.exe
2284	NetworkEX.exe
2284	NetworkEX.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
3060	Network Experience.exe
4348	NetworkEX.exe
4348	NetworkEX.exe
4348	NetworkEX.exe
4348	NetworkEX.exe
4348	NetworkEX.exe
4348	NetworkEX.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3832	taskmgr.exe
4780	$77NetworkEX.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe
5072	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	Network Experience.exe
Token: SeDebugPrivilege	1884	Network.exe
Token: SeDebugPrivilege	2284	NetworkEX.exe
Token: SeBackupPrivilege	388	vssvc.exe
Token: SeRestorePrivilege	388	vssvc.exe
Token: SeAuditPrivilege	388	vssvc.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	3260	NEX.exe
Token: SeDebugPrivilege	4348	NetworkEX.exe
Token: SeDebugPrivilege	4780	$77NetworkEX.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	3832	taskmgr.exe
Token: SeSystemProfilePrivilege	3832	taskmgr.exe
Token: SeCreateGlobalPrivilege	3832	taskmgr.exe
Token: SeDebugPrivilege	3628	NetworkEX.exe
Token: SeDebugPrivilege	4740	Network Experience.exe
Token: SeDebugPrivilege	308	Network.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe
Token: SeCreatePagefilePrivilege	5072	chrome.exe
Token: SeShutdownPrivilege	5072	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe
3832	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2284	NetworkEX.exe
4348	NetworkEX.exe
4780	$77NetworkEX.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 3976	3200	NetworkEX.exe	84
PID 3200 wrote to memory of 3976	3200	NetworkEX.exe	84
PID 3200 wrote to memory of 3976	3200	NetworkEX.exe	84
PID 3200 wrote to memory of 3060	3200	NetworkEX.exe	86
PID 3200 wrote to memory of 3060	3200	NetworkEX.exe	86
PID 3200 wrote to memory of 1884	3200	NetworkEX.exe	87
PID 3200 wrote to memory of 1884	3200	NetworkEX.exe	87
PID 3200 wrote to memory of 2284	3200	NetworkEX.exe	89
PID 3200 wrote to memory of 2284	3200	NetworkEX.exe	89
PID 3200 wrote to memory of 3260	3200	NetworkEX.exe	90
PID 3200 wrote to memory of 3260	3200	NetworkEX.exe	90
PID 3060 wrote to memory of 3616	3060	Network Experience.exe	95
PID 3060 wrote to memory of 3616	3060	Network Experience.exe	95
PID 3616 wrote to memory of 3216	3616	cmd.exe	97
PID 3616 wrote to memory of 3216	3616	cmd.exe	97
PID 3260 wrote to memory of 3988	3260	NEX.exe	98
PID 3260 wrote to memory of 3988	3260	NEX.exe	98
PID 3260 wrote to memory of 3332	3260	NEX.exe	100
PID 3260 wrote to memory of 3332	3260	NEX.exe	100
PID 3060 wrote to memory of 1084	3060	Network Experience.exe	106
PID 3060 wrote to memory of 1084	3060	Network Experience.exe	106
PID 1084 wrote to memory of 3812	1084	cmd.exe	108
PID 1084 wrote to memory of 3812	1084	cmd.exe	108
PID 1084 wrote to memory of 4348	1084	cmd.exe	112
PID 1084 wrote to memory of 4348	1084	cmd.exe	112
PID 3260 wrote to memory of 4996	3260	NEX.exe	117
PID 3260 wrote to memory of 4996	3260	NEX.exe	117
PID 4996 wrote to memory of 4484	4996	cmd.exe	119
PID 4996 wrote to memory of 4484	4996	cmd.exe	119
PID 4996 wrote to memory of 4780	4996	cmd.exe	120
PID 4996 wrote to memory of 4780	4996	cmd.exe	120
PID 4780 wrote to memory of 2372	4780	$77NetworkEX.exe	122
PID 4780 wrote to memory of 2372	4780	$77NetworkEX.exe	122
PID 4780 wrote to memory of 376	4780	$77NetworkEX.exe	124
PID 4780 wrote to memory of 376	4780	$77NetworkEX.exe	124
PID 4780 wrote to memory of 3436	4780	$77NetworkEX.exe	126
PID 4780 wrote to memory of 3436	4780	$77NetworkEX.exe	126
PID 4780 wrote to memory of 1844	4780	$77NetworkEX.exe	128
PID 4780 wrote to memory of 1844	4780	$77NetworkEX.exe	128
PID 4780 wrote to memory of 4340	4780	$77NetworkEX.exe	129
PID 4780 wrote to memory of 4340	4780	$77NetworkEX.exe	129
PID 5072 wrote to memory of 1184	5072	chrome.exe	145
PID 5072 wrote to memory of 1184	5072	chrome.exe	145
PID 5072 wrote to memory of 1072	5072	chrome.exe	146
PID 5072 wrote to memory of 1072	5072	chrome.exe	146
PID 5072 wrote to memory of 1072	5072	chrome.exe	146
PID 5072 wrote to memory of 1072	5072	chrome.exe	146
PID 5072 wrote to memory of 1072	5072	chrome.exe	146
PID 5072 wrote to memory of 1072	5072	chrome.exe	146
PID 5072 wrote to memory of 1072	5072	chrome.exe	146
PID 5072 wrote to memory of 1072	5072	chrome.exe	146
PID 5072 wrote to memory of 1072	5072	chrome.exe	146
PID 5072 wrote to memory of 1072	5072	chrome.exe	146
PID 5072 wrote to memory of 1072	5072	chrome.exe	146
PID 5072 wrote to memory of 1072	5072	chrome.exe	146
PID 5072 wrote to memory of 1072	5072	chrome.exe	146
PID 5072 wrote to memory of 1072	5072	chrome.exe	146
PID 5072 wrote to memory of 1072	5072	chrome.exe	146
PID 5072 wrote to memory of 1072	5072	chrome.exe	146
PID 5072 wrote to memory of 1072	5072	chrome.exe	146
PID 5072 wrote to memory of 1072	5072	chrome.exe	146
PID 5072 wrote to memory of 1072	5072	chrome.exe	146
PID 5072 wrote to memory of 1072	5072	chrome.exe	146
PID 5072 wrote to memory of 1072	5072	chrome.exe	146

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3332	attrib.exe
3988	attrib.exe

C:\Users\Admin\AppData\Local\Temp\NetworkEX.exe
"C:\Users\Admin\AppData\Local\Temp\NetworkEX.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAYgBrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAbgBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAegBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAcQBsACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3976
- C:\Users\Admin\AppData\Roaming\Network Experience.exe
  "C:\Users\Admin\AppData\Roaming\Network Experience.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NetworkEX" /tr '"C:\Users\Admin\AppData\Roaming\NetworkEX.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "NetworkEX" /tr '"C:\Users\Admin\AppData\Roaming\NetworkEX.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp708C.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3812
  - - C:\Users\Admin\AppData\Roaming\NetworkEX.exe
      "C:\Users\Admin\AppData\Roaming\NetworkEX.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Sets desktop wallpaper using registry
      Modifies Control Panel
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4348
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "NetworkEX"
        5⤵
        
        PID:448
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "NetworkEX"
        6⤵
        
        PID:4840
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8DB4.tmp.bat""
        5⤵
        
        PID:2464
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:1440
- C:\Users\Admin\AppData\Roaming\Network.exe
  "C:\Users\Admin\AppData\Roaming\Network.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Users\Admin\AppData\Roaming\NetworkEX.exe
  "C:\Users\Admin\AppData\Roaming\NetworkEX.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2284
- C:\Users\Admin\AppData\Local\Temp\NEX.exe
  "C:\Users\Admin\AppData\Local\Temp\NEX.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Temp"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3988
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Temp\$77NetworkEX.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBC6A.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4484
  - - C:\Users\Admin\AppData\Roaming\Temp\$77NetworkEX.exe
      "C:\Users\Admin\AppData\Roaming\Temp\$77NetworkEX.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77NetworkEX.exe
        5⤵
        
        PID:2372
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /Create /SC ONCE /TN "$77NetworkEX.exe" /TR "C:\Users\Admin\AppData\Roaming\Temp\$77NetworkEX.exe \"\$77NetworkEX.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:376
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77NetworkEX.exe
        5⤵
        
        PID:3436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "NetworkEX_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4340

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2284

C:\Users\Admin\AppData\Roaming\NetworkEX.exe
"C:\Users\Admin\AppData\Roaming\NetworkEX.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Users\Admin\AppData\Roaming\Network Experience.exe
"C:\Users\Admin\AppData\Roaming\Network Experience.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Users\Admin\AppData\Roaming\Network.exe
"C:\Users\Admin\AppData\Roaming\Network.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff80191cc40,0x7ff80191cc4c,0x7ff80191cc58
  2⤵
  PID:1184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1852,i,10622432316465096076,6513991159489591502,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1848 /prefetch:2
  2⤵
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,10622432316465096076,6513991159489591502,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,10622432316465096076,6513991159489591502,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2504 /prefetch:8
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,10622432316465096076,6513991159489591502,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3336,i,10622432316465096076,6513991159489591502,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3728,i,10622432316465096076,6513991159489591502,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3720,i,10622432316465096076,6513991159489591502,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3736 /prefetch:8
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4688,i,10622432316465096076,6513991159489591502,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4908,i,10622432316465096076,6513991159489591502,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4576,i,10622432316465096076,6513991159489591502,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,10622432316465096076,6513991159489591502,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5144,i,10622432316465096076,6513991159489591502,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5148,i,10622432316465096076,6513991159489591502,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3736,i,10622432316465096076,6513991159489591502,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5240,i,10622432316465096076,6513991159489591502,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4804 /prefetch:2
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5288,i,10622432316465096076,6513991159489591502,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  PID:1860

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4100

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:4432

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\GraphiteDawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\PERTHE563456HGRSEG674RSGE\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
db9149f34c6cfa44d2668a52f26b5b7f

SHA1
f8cd86ce3eed8a75ff72c1e96e815a9031856ae7

SHA256
632789cdfa972eec9efe17d8e2981c0298cf6bd5a7e5dad3cbdcf7bb30f2e47f

SHA512
169b56304747417e0afe6263dd16415d3a64fff1b5318cd4a919005abe49ca213537e85a2f2d2291ea9dc9a48ea31c001e8e09e24f25304ae3c2cfefad715ce9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e42af15a1e15eeab21345ec9b2b719dd

SHA1
22ca9553decfdd31f8dd890484e7284b5f849821

SHA256
142e0e7e547fb9db35ce87601b0a7f5a3dc8964a92cb363b3ede8f6cd5850001

SHA512
90acf1b39adc3a63473fbd0b74b4025b0a4ff1bbd4a2ff7f4c93465e6bf5886f07145756478f42e76e2cfcb05598e3c0437aee254d15c7fdc90777f39b2c01f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\514a4d2c-ac1c-461b-9690-322c1349001e.tmp

Filesize
356B

MD5
732a83cc8a6d8edb5cbc33a08bfd82e9

SHA1
60417c56bd8bf266ab397f8db62976b63605d586

SHA256
4c13fd42b126cf424fda648cdc62b0876906af5002b81f6417c42fa31afdef7a

SHA512
28a77bb09a56332202efdc1b151e066ec78eae29a1bb59681e7e40cd44ba0c05c3178dc4b416971346fa0eb401ff09ef601a5ce1dfbd74a66de3e74e1e51ccdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
22f34b9893ee705e97c59a23fdbf465a

SHA1
c33d58374b8514252afffbad305c10f80b524093

SHA256
9075f858258c5d89c1440424b1bb13651a4db1abcfe7b5861a78841eccd169dd

SHA512
029786f767ff44f0fa75b75aa94a9428cbce54d5ba1c5782f41dbe5476aad7089e6daf8737669bbb6054d889709d1d3e4251a399b148d9f85a66eed22f7cbf15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\ea6a46b1-9e38-4dfc-8e2b-da2a5d3f150f.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a972b8dea9e654e8f3868c73b5e46707

SHA1
9dd5333e138d5c16ab7e5aeda58a14ab42fcf5d0

SHA256
b5489700c2cde9c4f57b8a310d73a2c56d2958700dd11db61c443f6289a0efca

SHA512
c24773198a306b954f6e44ea44aa6bcbae1a9e0abf1a418d0627161263e2b0ca1afe32726146810bb5bc277873e0c7e0619f82328a2e9fc7bd4ec4b413b0cf06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6929d0b852f6eadbc928b55605ecc16f

SHA1
a21272eb0cb44c973995cc764d40cb78bac1bea6

SHA256
b2b57550dd2c2ae4a5d740fe21b4457f1123fefc8301bf806cca60f8951f04ca

SHA512
9d089ae1af2abdcd817375a883700ced73f3a5356c7a5b189dc01045d223e8a55fc928ec777747a0b7152e15e9f6384fdf2d3b4b7c2b672487e26078f942777f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6911488829a0587714d34dafafbabaab

SHA1
3f67b4c607b27ece57b843887e7ae245e7259e53

SHA256
04607e918f19805e52aa4e56e319752da15c91aff8847af18dc8e33f490cfd59

SHA512
be4b3030e1c033ae0bb907ced0031cf89fcfeeaed4ee138177bca1437f1b534e629159e3592177623aa84411fb564d0f3153ed6524704968217b3dcb89a1013a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
365f4928b4490a5d5ead2cc2fed7a156

SHA1
355873bcd6821e085ff05a6976567f533f6b733a

SHA256
968d325d0b9e91df5b9fb102f2f0cb1b83c243055502e2cf0e8fa15081c7cf1b

SHA512
747242a7fca2c9ef23b435294e9bacd20e9e7316addad5e8629421f097276b2b9d22f851c73550dd73f40cfb1673f636346ea840b343da90ad9000a8423e2635

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3f130c378b0f85c99379c0e96e96d755

SHA1
00bddd26b49f4930d609bbc4c9f737ead543df10

SHA256
554506c81b15cba4ee7645556f3cd191324adbaa10f51130c4ad7e4a3d73f7ce

SHA512
b1e07bac5388463a59cbceabe691f67ad592c8908feba4e87c501cce02b6000da62cc4786cf8dd8316f3fc51043059edbc98a8732600e3e45c51bd4de67a6ea8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0001c18422d0b63294f36901b2ed0c55

SHA1
1344d99b3a929cfeff8cb19a7a061a500fa38de0

SHA256
90b42129d9fcff83a6f0b8d51e63a31b9468bda928f70abcf1a62a031c0aa784

SHA512
bda8419422853bec9902cd2f1d2b1c73ec2bc5282fb6f9f2e46f8281b55b8595b6aa4f949c853ab3cce86c5dac47ee3f20c2bfb5d271847a2e4846d771c1c8d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f67e1e50d6470f9be40b97b2390050f1

SHA1
1921efd13205c34cd888975e462cab47bf6e6da6

SHA256
ff50826ab4854506a9f067a9e07754586517851f1396c925a646e8a400358cf8

SHA512
44be0fa945b9826bb664f3d0cc16d08f7fc792b761c50bf0b246334bfebe70329cb209b0be46e60e815bbceb16cc47c40599dd9dbf99b32f4bd1041d86a0fb92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c3da7931dd55f1c9b5dfafc437c79ca0

SHA1
4eb0e69d6e7d7651412ab33e835dbaa731948815

SHA256
5eca9b50d398f3b0252bca43516a4abb692410f5d35038652a9648952e05a93b

SHA512
64e4e4c209fee7b5b640a33cf1da62ed197ec4076a409b4c89c2a72f98680b408a4bcfe4f79781bcf7a62cfd746ff994ed01eb948fda08ed21ddce61f9608ab7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d1b278ef4a1c5933e0ca7af98fa8825e

SHA1
b624c64db2637f92950547dae0fd3ab16b247e89

SHA256
346a38da3b3c72c811981a7468c35a20079463908416f6a2336cf52f3857d808

SHA512
a0a04bd2b5ed90950ce99e7f5afa1a2abef64b8e9d4f94a2d48ec59fb5c778fefddd800ae9826161389951d8372154c3323b50ad2b1de62102e4eaab7cc62ce9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a8472121b1cf2be85ed36101583bf010

SHA1
d8eda5616e4a364b6c776f15f173a214dfabb82d

SHA256
a37846dcb7dab78c495a05960ad3096dd7319003f4f33a7505795bcaba3f1251

SHA512
e43d998d0cf86f2a2f0852c501d092ef04366d97565cb3561a38437fa25d4da651238671d81d0b0713d7563b20b32d9a00cea036676308f4f46ecb74f9959c76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a0810ac7f977a622d655d73d7b9d51ca

SHA1
70de1bd00001ecc0fe1537d39f31f462698edb76

SHA256
d637401f5f31ee28337fb5709c6f175cb36f20bceac54627417d674f2cb5be7d

SHA512
83e1919be4056a0edc02064c4f98b52c41a62a19cdc43209bf634d11a2af42f1b91bd8608f6f7b61922bbbe21788a1a2ddf937155209ac000a484ef10e1791ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3b94d02ec3a23a215ad399e431140c57

SHA1
eb1d5155c973255f91bd08a0997a010d257e4a30

SHA256
c2d037cb006bc6a8e6dd97d297a4dfe62bd866d7374dfb50b2bb1fc02d556757

SHA512
cebc8d1b017de96dd7d6421fa2c6d625f9ad19d6c67eaa54a2876d866f3fca2e1534cbdcb079efc35d9aeea88b4d9b79b7c525e1c04c632657681e30c1c5e966

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d38d7ec6b85bf9c317abbb369d50106c

SHA1
331d3b2be2ed93324f9a61aeeaa505c85266fef3

SHA256
c3befb2b7514a90cc92b679143b0f8a5dc85c7c49bf0295cbd2f583ddfccf0e2

SHA512
84daa3d6e1a57a77089ec628521ca0a8eadee322ef6c5dbf79feb80a583024ddfd2be58c00dd2e02ad2ad448b37530ab4e00825603975263652ed2b0d521e559

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c93c5797cf2650774fac26eef982f539

SHA1
d1d24a52806ef2811334f327055f0d92c2e74f9a

SHA256
943549e80ccf37ed3206b3a6fc4e97d782a5bfcab8b67390082f5a1e3943bcb5

SHA512
ff98b951fdbb8a5ff89a11ffef43a859320fcb1f55f6cab146b9a13ac250ee95e3d3b0ab99f8068e7f1a95e083d77190a6c61afcc83b9a3bee367465c6640683

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3ea9a7a8f9687e0d29450a8d8f5e6653

SHA1
a48e5802e9abdd29bf88c5eae52db343abea3e20

SHA256
5394a869b4f464f8e507c2b55e3e694e5ae13b6aa0f16df74ca5fab406443fe7

SHA512
f04fad9227c4f970cea627baf054456d12a2204389d53a6ddd7990925f1e631c1ddf8e319f528812f53cf9a53bf0fa45e390df94e13092739a789a7dc4155f89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
02d7762437a487580233aeeddd3f160d

SHA1
852b3cdacaf580768585c9cb5a47acf9a68079db

SHA256
c11d895a89dae4bf9ac725388f374368739fbce23b30bd3b4a70084dfe744217

SHA512
593782732e56a3bcdd8b4dcd7c0e001b2a26b8b7380171f089d83168363cbc07b50096f7efa9fe4c54c95d72120b8f7da6251f97cb43f1e56ff53964503e3a90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
01431f5a379e7a9fdef00a7c0b1cf342

SHA1
37a98ccfadb2c3fdd82a89bb9deef2e9d64ea89d

SHA256
365702e7fda43757112feece9179caf78bf25947e1b5ca9ac683e6d9e76bad49

SHA512
6635cb62b3b753c2b69e0c69c511987eab8622b6475e62ad72f73517b248d919880d5aa307c476859177648205e5f89f00c7fa218bd29f4e94c2da7a39a1f641

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c5c8002175fdf280afdebae847162a01

SHA1
145bac3e8586d144a5589a2534bda5ebacba66b0

SHA256
6879b433d240dfc5115b443007d210421ca2e681726fdffd071bbc626bbb422f

SHA512
14c933897d51ef1db7785e3264130cc9cc97e41cef0db5b6daa9641cfbd6725ce1a09ddec5faf9629de99af6b724f7677cb60e9fc9f53497563daee5ee1baf67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dfe021bb0810d4b68df411ccc09ae8b4

SHA1
5ae5e0f1608d27e83e96cb0096711af05dc276a7

SHA256
0b32c65329eee31292b92b09a21363f0781911bac856c88dc73ad1072330f57f

SHA512
d510cd1e066ebdc15fdde1a91ceb5ca5c18acd36356794800c77c0675d79e0c4b950c570d73f5a59384f3ddd38b11a482208d479e00be7d6891aa8b0095b5b32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
246d5401d29f12ccd9f4437d5ab4cc34

SHA1
2b82646bd9e4c553115d51373f224e8bf727ac16

SHA256
1d6fc1be151fa09b615c98cd4163cf16553c1431503e751e81e533bbfb3212bc

SHA512
cca89894a2a741695e087c520cd7e19e79d31f358630fbb55f299ce42171986647b765d59eee2f5c18a3fa3bf8b011822b71beb4cd08e72f276268d7074dccc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
75cfd24b4789a2e5d05ac68a0f723ddb

SHA1
619b7359806edab0846f34d9e9a9312721e02813

SHA256
dcc77701dc5697d0dbb019680365101695b22f63007cd7a390b8c03a7cd99c2b

SHA512
727e3ee6caf96fbda21f4a02ac07ee97b85c10e0195154de36965534df282661050c099d5ba0f50e15eb2721332d6540417d7420c1d126feb56d4016ecbdc593

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
40f05c67e2144c283c8d59d61af46738

SHA1
a62729a1221aedd2d4f0172e9c0a325106873756

SHA256
e9304a5b422cfda8e46b384ad4bb2a446a980823d3ffff4f70e1f113af1f897e

SHA512
6448b90fe126381341f6c96999b7a5d93868baed549234305c191ea81490c2fd4cf166f71b66ffd7a4e12df00fb3ee04bc92659669d6c6547d8242a4a9cb989c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d8275aac30fa35d95bf594d1183adbed

SHA1
b9bc9a02fb9ab764d3329fd0d069802705ef8a91

SHA256
26468c647c87b8f14d7244407cded370275fdf774ffe4715eb7f6b0756247f30

SHA512
f4ab46681a881bbbdb0d437f9fba8f3d02f005767311e266ac8af2f320b895d3953d52ee769e831ce9c1b607c45b23c7aebfe954bae5df224e7d889e9d26962f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e9294add884bbfe9ccf33a1513a00dfa

SHA1
b545ea9200227a0227081052efb837ea3f2415b9

SHA256
176d0cf315adbff15a7611830a433b875029ee43ba0378938798741e7a61dcfc

SHA512
7d96a54dd16ab60dafcf6c3de2604e68eeec7a24b20b723246b46e3bec6cc3d2c6ee3ceb50b38d1132d1809aba5351972bb77e322e8c2e52a5eb4d8abdfe2e5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
cc8e3a12aa9a5e3156d97df6a1e24d0d

SHA1
288d8eddc2ae83f63be5f9896e5c2891e2fbeb70

SHA256
16f4d0913a4f66dff904d48440a29fc0c0e1c28d2ef0e8fa4cc28cafaa9ccc65

SHA512
d95c0698630b6857cf2ba348a58690fadb3d548b9455b75d38a86120fd4b4245d4a5a6aa4bfc25fe4c838cbaeb04112232ee55ec928a4a97154628cd37cee713

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ae096db2-7690-4e26-bb9e-750453c5befd.tmp

Filesize
9KB

MD5
2243193967f328da29b44dcfd56f2858

SHA1
7a1265a9fcbd920332b008ae3d552b2c29092c37

SHA256
ba055cb52a03d3096968bb7bf3b56fc371e22dc99c0f95d248656aea504b89cb

SHA512
8e9c6f46b62f23475107b0c5454cfca48f5622eb86acc2ae14b8db07654633fff49ed61d2dbef45d29cbf704359c778edfe54189c247ee90cc7abe08172175b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
26573f577999d3d75b303ecac6d1b705

SHA1
541079982c22695b1721a4f55fc083d140ac251c

SHA256
bfc8db8a304b9e241eb421b3fa2f1e657fff61c0a5c101b5ddbe44c7b8890127

SHA512
16db730911e1cc6b7281c261e3d9d1329582de97aa1115b7b244dccb09985fe170ff830f08cffb29f1016cc38dc4c4060d740a6e9861d40652d8c01a4dd41bf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
994153ab6bb3c932712358d9e3797cb0

SHA1
a2d7875f102c31d71648a7553457f11687d2141b

SHA256
5f034e7d5acdd611d038c636f448a15482dce6965c8ab83a11aac958fca4c1ea

SHA512
8e43c5a62ad981ccbea7483ceabd8965bf7bad3feda501d4d1e8fbbd0d5bba376be01a920dc4c90bccb0f878bc8dbf5b10fdb6270e66edd87219c15872acd98f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
8d8d8faa3869255831301848c16acc57

SHA1
f0d4534d0f01d5f0330c630761e9eee483eeea25

SHA256
628b68510fee54e2d6ebfe7c74648e8061178eef1a59ce1d222fdf1e213e9337

SHA512
b933051f828db40fd8e886047b87d178e204c60b5dbec4546d23bf7ac9caa153f5fbf970ab637e86a84918aedc1b8433587cc6da87cceebb958f93ce0f17fa2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Network Experience.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
eb99b6988398745840e150ef81543282

SHA1
586d356285338dfffb18d26064748e7db016b226

SHA256
9ae21e27de4dd783bd356dbefb9d1b5e0db65342a997355623c4dfda9aec12ba

SHA512
c118240a484914f18232f31b151a14e0c7141e13f2dc387664d647b62632abb058c3b80eb88488e99ec6cce1a533b4694fc36af42ac6fafd36fe498bc2d819bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEX.exe

Filesize
46KB

MD5
b2aa5d41e7e62b9a01920fcbc0eedc6c

SHA1
2f028198f705bbcf058df4263d54af37776744f6

SHA256
1c879d07d280d711cc15f582247ae2f4cc7f40ea8828679502d208af85322f98

SHA512
3b8e2122bee0f2dbfe5466ead17c7a3e055f6e33fef41d153c64e2d722cdc695acbf6d05b025d610245e4e6f5fd971411855b36b9f207bfbb34e90a11e14e52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j0whsefc.nkq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5072_849789865\36fc59d1-77e4-4c12-b679-a3bbf9f23d71.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5072_849789865\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp708C.tmp.bat

Filesize
153B

MD5
62f55cd41a96409b153c4c440fb48813

SHA1
b32c6fc2585777cfe5cdd1661e6bedf2163f3bb2

SHA256
a021b8aae7572d4a74fb57b1b3289bc0e3399484e8430d187c68ee30dcf49d4c

SHA512
a9e7cf5e3de34332dd76983360c7d67232fc89fca529419379ff8e140bd336d040393750055cb91cb5ef047084499771b16df4f64c2b764a67cf445af740403e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8DB4.tmp.bat

Filesize
158B

MD5
5d5b163cb20c5502315784de16f99900

SHA1
a9a3412255e2a6f4972f96e0410da5ae69a685c2

SHA256
e0e3aa5d6952cb34a0e545e686e82178adfc1ad7b049decfbb11d2e4d97ea579

SHA512
f05c51974ed5fe444c872103b10bb0bc0aa6779e36914fd2334c3e7bf494ec1748c16dad74c769b99c8726d13ab21a6448194f6bdcfb6eb2b5f7ce8fbae75d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC6A.tmp.bat

Filesize
161B

MD5
90d1015fd50175356f608b6e9e653d9e

SHA1
08e1e989fe1c866b04bccb56e035c63593201024

SHA256
24fed0e0a7445de5ab28286bb776e5f674b09821116bc67e15a129f52bf8fd43

SHA512
cef662d70915d417f439d292e0d87094159b9d34b8f939b7cb0760963b8c5e25a35a017c9bdb51b3f952d72e65da732a4b8deef070d022fe7a20776daf443700

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE8CC.tmp.png

Filesize
21KB

MD5
437d33082fd10193adc7055cc7f2e307

SHA1
d9c760d8bcc3aa5a5ee0523fa1481c178c83632a

SHA256
f2701ecd6376ea963c6a207f941731e0c01a14f90a2e43867d9db1be477be0a8

SHA512
c14ee5e73e463e191e4bc1b1bdbcb334167a8bce028cfe72a59f5db55c1b20003edd1c313a847478b8027e1a3f73419496dd290fe84064e41d150ab628ba9284

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\PERTHE563456HGRSEG674RSGE\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm

Filesize
32KB

MD5
b7c14ec6110fa820ca6b65f5aec85911

SHA1
608eeb7488042453c9ca40f7e1398fc1a270f3f4

SHA256
fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb

SHA512
d8d75760f29b1e27ac9430bc4f4ffcec39f1590be5aef2bfb5a535850302e067c288ef59cf3b2c5751009a22a6957733f9f80fa18f2b0d33d90c068a3f08f3b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\PERTHE563456HGRSEG674RSGE\storage\permanent\chrome\idb\3561288849sdhlie.sqlite

Filesize
48KB

MD5
134986f96505a571c0edefaf1ef085f2

SHA1
fddd38b120d94690c6b6912e5192512c86e320a0

SHA256
d4544add7ba18f90f39e10c7a3fd650e7c7f4067b01650826fffe9838d2fb50d

SHA512
8657831b42fe6ec3204258157e99c5e193ab7e86e72258f8a036ea9cd282b87de43f379155db28e30be9a86151709ea99f58657138752c6c4728eefa866b6ca9

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\Network Experience.exe

Filesize
74KB

MD5
a1e76f2fbe7af658b38383fbfd7cfff4

SHA1
6dc43ef73b59ff29089a4b29bc8ade4ea63484ec

SHA256
7782da3a91f91377c4c8d1d338237c6ff996ad42caaab27c1cdc5ea7e90058e1

SHA512
4a47391ba3132cfb36da8d7f08ae6856312b26547845e3fe5f3ddd0939893245bf4de337671bc917926d5c764a6100d084845236ef1707560ff5be4aa5f2bed8

Download Submit
C:\Users\Admin\AppData\Roaming\Network.exe

Filesize
82KB

MD5
4c69483ff0c35be5ab917fe321fcdf25

SHA1
40845d144583d6e06ebd1bf0e36975cc5068c669

SHA256
be6efed1679ba6aaaa8108b53c046101a056b110aff2218116e2fb2f5ecb5fbc

SHA512
9c42bd25cc2d83b306621d95e31cc2ee07742cb98cd8787dd3659ecdd4ec8885407537028cb5e36144b1b00205f4636aa231aed4aa371148400e747141c0cfc7

Download Submit
C:\Users\Admin\AppData\Roaming\NetworkEX.exe

Filesize
585KB

MD5
2c25c914d6e2f109cf2ce15ce0f005e3

SHA1
7465fc30a3567bf836095d60997ca64b3ae24d78

SHA256
71c22801134351e334bffb40eb1ffe78a96ae703e82eb1440bf8a6e66cc775bd

SHA512
ae2ae00fcb08fb5e88334b33ebff44d9eab5e0854d6025dd964ee3e4809206dd22094e2efe3274001a864effa3098fb55dbb2f737480a8f0f07dca800c4fe081

Download Submit
memory/1844-598-0x0000024458270000-0x0000024458292000-memory.dmp

Filesize
136KB

Download
memory/1884-47-0x0000000000010000-0x000000000002A000-memory.dmp

Filesize
104KB

Download
memory/1884-580-0x00007FFFF81E0000-0x00007FFFF8CA1000-memory.dmp

Filesize
10.8MB

Download
memory/1884-50-0x00007FFFF81E0000-0x00007FFFF8CA1000-memory.dmp

Filesize
10.8MB

Download
memory/2284-51-0x0000000000B00000-0x0000000000B98000-memory.dmp

Filesize
608KB

Download
memory/2672-1455-0x00000207045E0000-0x00000207045E1000-memory.dmp

Filesize
4KB

Download
memory/2672-1454-0x00000207045E0000-0x00000207045E1000-memory.dmp

Filesize
4KB

Download
memory/2672-1456-0x00000207045E0000-0x00000207045E1000-memory.dmp

Filesize
4KB

Download
memory/2672-1461-0x00000207045E0000-0x00000207045E1000-memory.dmp

Filesize
4KB

Download
memory/2672-1466-0x00000207045E0000-0x00000207045E1000-memory.dmp

Filesize
4KB

Download
memory/2672-1465-0x00000207045E0000-0x00000207045E1000-memory.dmp

Filesize
4KB

Download
memory/2672-1464-0x00000207045E0000-0x00000207045E1000-memory.dmp

Filesize
4KB

Download
memory/2672-1463-0x00000207045E0000-0x00000207045E1000-memory.dmp

Filesize
4KB

Download
memory/2672-1462-0x00000207045E0000-0x00000207045E1000-memory.dmp

Filesize
4KB

Download
memory/3060-578-0x00007FFFF81E0000-0x00007FFFF8CA1000-memory.dmp

Filesize
10.8MB

Download
memory/3060-39-0x0000000000D30000-0x0000000000D48000-memory.dmp

Filesize
96KB

Download
memory/3060-22-0x00007FFFF81E3000-0x00007FFFF81E5000-memory.dmp

Filesize
8KB

Download
memory/3060-55-0x00007FFFF81E0000-0x00007FFFF8CA1000-memory.dmp

Filesize
10.8MB

Download
memory/3260-54-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/3832-616-0x000001301A450000-0x000001301A451000-memory.dmp

Filesize
4KB

Download
memory/3832-617-0x000001301A450000-0x000001301A451000-memory.dmp

Filesize
4KB

Download
memory/3832-615-0x000001301A450000-0x000001301A451000-memory.dmp

Filesize
4KB

Download
memory/3832-612-0x000001301A450000-0x000001301A451000-memory.dmp

Filesize
4KB

Download
memory/3832-613-0x000001301A450000-0x000001301A451000-memory.dmp

Filesize
4KB

Download
memory/3832-607-0x000001301A450000-0x000001301A451000-memory.dmp

Filesize
4KB

Download
memory/3832-608-0x000001301A450000-0x000001301A451000-memory.dmp

Filesize
4KB

Download
memory/3832-618-0x000001301A450000-0x000001301A451000-memory.dmp

Filesize
4KB

Download
memory/3832-606-0x000001301A450000-0x000001301A451000-memory.dmp

Filesize
4KB

Download
memory/3832-614-0x000001301A450000-0x000001301A451000-memory.dmp

Filesize
4KB

Download
memory/3976-547-0x0000000006410000-0x000000000642E000-memory.dmp

Filesize
120KB

Download
memory/3976-72-0x0000000005EE0000-0x0000000005F2C000-memory.dmp

Filesize
304KB

Download
memory/3976-56-0x0000000002870000-0x00000000028A6000-memory.dmp

Filesize
216KB

Download
memory/3976-57-0x0000000005110000-0x0000000005738000-memory.dmp

Filesize
6.2MB

Download
memory/3976-58-0x0000000004EA0000-0x0000000004EC2000-memory.dmp

Filesize
136KB

Download
memory/3976-59-0x00000000057B0000-0x0000000005816000-memory.dmp

Filesize
408KB

Download
memory/3976-60-0x0000000005820000-0x0000000005886000-memory.dmp

Filesize
408KB

Download
memory/3976-66-0x0000000005890000-0x0000000005BE4000-memory.dmp

Filesize
3.3MB

Download
memory/3976-71-0x0000000005E50000-0x0000000005E6E000-memory.dmp

Filesize
120KB

Download
memory/3976-571-0x00000000073F0000-0x00000000073F8000-memory.dmp

Filesize
32KB

Download
memory/3976-570-0x00000000074A0000-0x00000000074BA000-memory.dmp

Filesize
104KB

Download
memory/3976-569-0x00000000073C0000-0x00000000073D4000-memory.dmp

Filesize
80KB

Download
memory/3976-568-0x00000000073B0000-0x00000000073BE000-memory.dmp

Filesize
56KB

Download
memory/3976-567-0x0000000007370000-0x0000000007381000-memory.dmp

Filesize
68KB

Download
memory/3976-566-0x0000000007400000-0x0000000007496000-memory.dmp

Filesize
600KB

Download
memory/3976-565-0x00000000071E0000-0x00000000071EA000-memory.dmp

Filesize
40KB

Download
memory/3976-564-0x0000000007170000-0x000000000718A000-memory.dmp

Filesize
104KB

Download
memory/3976-563-0x00000000077C0000-0x0000000007E3A000-memory.dmp

Filesize
6.5MB

Download
memory/3976-559-0x0000000007040000-0x00000000070E3000-memory.dmp

Filesize
652KB

Download
memory/3976-531-0x0000000071040000-0x000000007108C000-memory.dmp

Filesize
304KB

Download
memory/3976-521-0x0000000006430000-0x0000000006462000-memory.dmp

Filesize
200KB

Download
memory/4348-1128-0x000000001BC30000-0x000000001BC96000-memory.dmp

Filesize
408KB

Download
memory/4348-639-0x000000001C8B0000-0x000000001C926000-memory.dmp

Filesize
472KB

Download
memory/4348-640-0x00000000029A0000-0x00000000029AE000-memory.dmp

Filesize
56KB

Download
memory/4348-641-0x000000001C830000-0x000000001C84E000-memory.dmp

Filesize
120KB

Download
memory/4348-648-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/4780-625-0x000000001D610000-0x000000001D620000-memory.dmp

Filesize
64KB

Download
memory/4780-626-0x000000001D630000-0x000000001D650000-memory.dmp

Filesize
128KB

Download
memory/4780-638-0x0000000021960000-0x0000000021A0A000-memory.dmp

Filesize
680KB

Download