23dee5b6da253d40f520994b2b1f6d2ea2bb5abfbdd3229e36fa659a50bd4bc4

Analysis

max time kernel
20s
max time network
23s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19/11/2024, 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Se-Up.exe
Size

10.0MB
MD5

e61bac59c6970b001f36e63340686f0f
SHA1

0e4fe625538c7e42fed34ce58bcbf049d1d67c0d
SHA256

23dee5b6da253d40f520994b2b1f6d2ea2bb5abfbdd3229e36fa659a50bd4bc4
SHA512

fef04a7278e08270a9c7d4a6f5ef44c22f47cfa3ecf90c28c80a868ad93c53652ae15342598285e6fe5772bc24d84da92738107c5f1fa11029840be937b3609f
SSDEEP

24576:jIdl35T2dU6ouUESCqa6whCf39FtNQKc9Qysso/ebVP2H:sHJT29o8SF/t37GiysssQV+H

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
6128	Jm.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
724	tasklist.exe
5356	tasklist.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\BehavioralCarnival	Se-Up.exe
File opened for modification	C:\Windows\TmpWebster	Se-Up.exe
File opened for modification	C:\Windows\SomebodyIa	Se-Up.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jm.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Se-Up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133764994510806067"	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
6128	Jm.com
6128	Jm.com
6128	Jm.com
6128	Jm.com
6128	Jm.com
6128	Jm.com
5164	chrome.exe
5164	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	724	tasklist.exe
Token: SeDebugPrivilege	5356	tasklist.exe
Token: SeShutdownPrivilege	5164	chrome.exe
Token: SeCreatePagefilePrivilege	5164	chrome.exe
Token: SeShutdownPrivilege	5164	chrome.exe
Token: SeCreatePagefilePrivilege	5164	chrome.exe
Token: SeShutdownPrivilege	5164	chrome.exe
Token: SeCreatePagefilePrivilege	5164	chrome.exe
Token: SeShutdownPrivilege	5164	chrome.exe
Token: SeCreatePagefilePrivilege	5164	chrome.exe
Token: SeShutdownPrivilege	5164	chrome.exe
Token: SeCreatePagefilePrivilege	5164	chrome.exe
Token: SeShutdownPrivilege	5164	chrome.exe
Token: SeCreatePagefilePrivilege	5164	chrome.exe
Token: SeShutdownPrivilege	5164	chrome.exe
Token: SeCreatePagefilePrivilege	5164	chrome.exe
Token: SeShutdownPrivilege	5164	chrome.exe
Token: SeCreatePagefilePrivilege	5164	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
6128	Jm.com
6128	Jm.com
6128	Jm.com
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
6128	Jm.com
6128	Jm.com
6128	Jm.com
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe
5164	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 4068	1068	Se-Up.exe	77
PID 1068 wrote to memory of 4068	1068	Se-Up.exe	77
PID 1068 wrote to memory of 4068	1068	Se-Up.exe	77
PID 4068 wrote to memory of 724	4068	cmd.exe	79
PID 4068 wrote to memory of 724	4068	cmd.exe	79
PID 4068 wrote to memory of 724	4068	cmd.exe	79
PID 4068 wrote to memory of 1088	4068	cmd.exe	80
PID 4068 wrote to memory of 1088	4068	cmd.exe	80
PID 4068 wrote to memory of 1088	4068	cmd.exe	80
PID 4068 wrote to memory of 5356	4068	cmd.exe	82
PID 4068 wrote to memory of 5356	4068	cmd.exe	82
PID 4068 wrote to memory of 5356	4068	cmd.exe	82
PID 4068 wrote to memory of 5460	4068	cmd.exe	83
PID 4068 wrote to memory of 5460	4068	cmd.exe	83
PID 4068 wrote to memory of 5460	4068	cmd.exe	83
PID 4068 wrote to memory of 2844	4068	cmd.exe	84
PID 4068 wrote to memory of 2844	4068	cmd.exe	84
PID 4068 wrote to memory of 2844	4068	cmd.exe	84
PID 4068 wrote to memory of 5112	4068	cmd.exe	85
PID 4068 wrote to memory of 5112	4068	cmd.exe	85
PID 4068 wrote to memory of 5112	4068	cmd.exe	85
PID 4068 wrote to memory of 2848	4068	cmd.exe	86
PID 4068 wrote to memory of 2848	4068	cmd.exe	86
PID 4068 wrote to memory of 2848	4068	cmd.exe	86
PID 4068 wrote to memory of 6128	4068	cmd.exe	87
PID 4068 wrote to memory of 6128	4068	cmd.exe	87
PID 4068 wrote to memory of 6128	4068	cmd.exe	87
PID 4068 wrote to memory of 5744	4068	cmd.exe	88
PID 4068 wrote to memory of 5744	4068	cmd.exe	88
PID 4068 wrote to memory of 5744	4068	cmd.exe	88
PID 5164 wrote to memory of 3084	5164	chrome.exe	92
PID 5164 wrote to memory of 3084	5164	chrome.exe	92
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 3816	5164	chrome.exe	93
PID 5164 wrote to memory of 1684	5164	chrome.exe	94
PID 5164 wrote to memory of 1684	5164	chrome.exe	94

C:\Users\Admin\AppData\Local\Temp\Se-Up.exe
"C:\Users\Admin\AppData\Local\Temp\Se-Up.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Remain Remain.cmd & Remain.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:724
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1088
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5356
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5460
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 67158
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "MadonnaNhlKeepsHousing" Replacing
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Blues + ..\Fioricet + ..\Peer + ..\Plumbing + ..\Reviews + ..\Payment + ..\Persons + ..\Law E
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2848
- - C:\Users\Admin\AppData\Local\Temp\67158\Jm.com
    Jm.com E
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:6128
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff9947bcc40,0x7ff9947bcc4c,0x7ff9947bcc58
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1728,i,1126599339846323371,18075799546641985963,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1724 /prefetch:2
  2⤵
  PID:3816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,1126599339846323371,18075799546641985963,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2116 /prefetch:3
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,1126599339846323371,18075799546641985963,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2220 /prefetch:8
  2⤵
  PID:360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,1126599339846323371,18075799546641985963,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:6028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,1126599339846323371,18075799546641985963,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4440,i,1126599339846323371,18075799546641985963,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:1
  2⤵
  PID:3776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4696,i,1126599339846323371,18075799546641985963,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4800,i,1126599339846323371,18075799546641985963,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,1126599339846323371,18075799546641985963,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5044,i,1126599339846323371,18075799546641985963,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4684 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5172,i,1126599339846323371,18075799546641985963,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4672,i,1126599339846323371,18075799546641985963,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:1088
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff7f7184698,0x7ff7f71846a4,0x7ff7f71846b0
    3⤵
    - Drops file in Windows directory
    PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5288,i,1126599339846323371,18075799546641985963,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5256 /prefetch:2
  2⤵
  PID:3148

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
586b46a0c01e0a067fe6fbf04b61f386

SHA1
0799e8509a13faa063360b5c583c736cb3dfe793

SHA256
334cf80f37bfa6a7a2697efb5978ec87b83e754eeb98cdd201197f370c0aa514

SHA512
1bf8c7f2de4d4aed111cf6c14b91124fed60e3ca5ced172cdb7e7a6ce662e8aca140b0bfde58ee7c424fa79ecae4226afc3f18b24b7bdd2eb353eef7ed7c0892

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b4276ea518c76ccfaede6387658d6ab5

SHA1
24f19fdf3e0e47856ba6d32d6055cdaa042cc65e

SHA256
1246c582f3c28dd174142d4030a10fe26c1a4fcdaeefbf8b4f9ee0960e81273d

SHA512
64244f01821927b0f65eac89edd9bbf0eab52add86b91615b4b1f417b2d3ecc3b58bef7b7798c32fb83a48b0ef876907ca1e9aef9e58fd33dd8ffbfea245e9d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
ee48c9ea237dce4e2dfda3cdc13d8e5a

SHA1
8b0938527a777529af066a1580c5c026029e055f

SHA256
b8b9055eb9896e3005e03481ae74096f023b8df07a0d594415b406e3f42d900c

SHA512
9d4350477a293f94c5103d48e0d0078d618a79c49b752b8589f0c0af59396bbe0b3cef9355701d2e46357f93aad65fce879141db572b39d560648402f273b03b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3590078f1116e12c5f8cd61ffa40c75a

SHA1
013aa4c61cc18395347971145860cf00cfb470a8

SHA256
2b9dd7f666942d21082441f82fc472991aa7447981c485578a3c3e139842ade1

SHA512
51243637026f99be19bda8cc0ad6c4360687316caa630781481608a60f1db2b838da8710fdf86d0668646c3598fb3a3cb4cdfb76794fce034bf6d812b9ae74a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d2c2f0f02e5704ea466117a9d7a8eead

SHA1
970eb69b0510e8422eb7a1854366465f8fbbacb4

SHA256
327798800f3c2cd39343865775f6226e9d4737ac885058996484ff1ff0557e97

SHA512
4b17d5e3b8e0e39bbb20016565f3feff60bd505efe90401d8520c8786401d61ea1dfb8c92aaa588062831e99de4f17fbaca2cf33a0063656e1462bb2f643ab2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f321a6850e8280937595c686612e996d

SHA1
2fa0f842444fbcb26b8739da724b50bf1cc1c61d

SHA256
a64508cee1fb1759b6b3f1e3acfa7abaed805bb70d39c96929a7e263db900e7c

SHA512
dfaccd1dffa1795b87156eff3d9ec8bc3ba6d0d4a760fc5f6147c8e7725b00f1e0a19f8e1f1b3b3adbf9dd61bf72eafdec6aa1e7ea458a91e59131ae59b2cc8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
6b9fe7c42b64e6c99f36007bac9a2c50

SHA1
e9e8b1b9aee678ef73d88bc9a577e95e50c15b3b

SHA256
d9b4413398f4b9c0c3fd086a286bbdf1f4911e824385e464e9b2c7b917cfdf03

SHA512
44ab143c54ec23d924d75f61efbbee88b1f6495ae8f94e5da445aaee975f9d8c004f973ea56e3f2dabb05cc780c8c39b07ffa4b5256a7de3a7b7fd5ff3c19a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\67158\E

Filesize
498KB

MD5
5a15d919f5b97bb32433b312e1c66e38

SHA1
be064187d71aa8b9af013f15507b975f47aa4dba

SHA256
e2abeacba2571adee724c1826a655f595a725c36a7257f148c10e243800aa7d7

SHA512
fa2a91e958a6c827c02f7121a2f473af19df734cb53f7a03464e50014d4906948fed2a7ce33ce870f61c483d5e6235445ab8d23f2241ab52d6c436d3381b40db

Download Submit
C:\Users\Admin\AppData\Local\Temp\67158\Jm.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\Blues

Filesize
58KB

MD5
915f1ec8215d5f966f265162750084ef

SHA1
b779405e8fc1e8ad44c3f309ccc7934797d16a7c

SHA256
36d9922c62a711cebc5a57e08d66ca71114422ac1be2a1846f8148d380ced9b9

SHA512
e9db53bc3e8599a1c883b62ced23a56edd83ae38c4353c383593c0a100921c52ab440cf3619e36714871047b83f86776b5f9b0e9625c68f50a18115b9def8247

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fioricet

Filesize
53KB

MD5
962f06621ff948970a5765377b3b0b4f

SHA1
915cc99063cfcfeb2faac6f26da94396708e1b5c

SHA256
7270e8440e2392d78da801770e594dd1f421e08c4ac856218a8ba0d2cfba05bc

SHA512
66bcb78d4a7f9700a46f2e64ed69b2c97829249ffb2a3b2bfbf33e3dc96b7034986dee813207387e4b84553d6346b0331a4f26e0dd32c5dcf8075be32416fd89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Law

Filesize
39KB

MD5
df7be3b34e037196fa675bc1b10d0b63

SHA1
c09bb1c82a32b0171dd56d70038e8073cefe210b

SHA256
5c87fe19dfe812d74f83bd2c38c5739a2ee7b98c04b29ee1accaa68ccbe2127b

SHA512
fe5139556cda6c7587ea511d9f6e2d779a92e4c2a8edea37903361473dc5ccd38df2ebe3ca64e34828b8685eb164158e14801ea85d859c29801a4cd117f13241

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payment

Filesize
67KB

MD5
85e22fa91c9b070888eb22f558c2fb65

SHA1
99501b20785cf213b9503c8bb2c3e59a384b1635

SHA256
c0993cc2b42c5aecc622041e9ed06104e64ac46ea93f2d9e9902494de96fbedd

SHA512
bf7b9eab0db37345aee878808b2b9add33468495b7e1d24e48e3da3067691a40c43ad496dd4c59129f6c2fce311b6a6005ac9a8d3cef0654c9dcd32e211d8538

Download Submit
C:\Users\Admin\AppData\Local\Temp\Peer

Filesize
59KB

MD5
028cab01c4c5f6d4491a4e8ca70e35c8

SHA1
28e11b5891278f9784156801c86f355dc725417f

SHA256
d6b02b7f70e439ed591231967e50f027d262fb071c374156f382b16660af1928

SHA512
489bd206b5f37b6ae74749ede74b82079fa240cc3631156772d8328075ba4393737beb2c27fa36f4e842d0d4249a7509185760cd71fa8b4ffd094fbcda2b2640

Download Submit
C:\Users\Admin\AppData\Local\Temp\Persons

Filesize
66KB

MD5
96510eefd8969506cbb58e5473546bc5

SHA1
c7382450047892a2febbc588eba7d72eea7973ec

SHA256
dea115fbf5b2a8ef6ea8ed69ab57910e4561e576df2fff5255333a651aa005f4

SHA512
cc8d6f4534c6fac3da5d9749cc2b351b094f5e604c0bd43e0d74d64a94e9646f222b0e3f52df71c11a1c31727bcb6baa25763daeb04c4a4982b09da29b60a45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plumbing

Filesize
83KB

MD5
a66f643c78dc21c06b41aa6783391ad3

SHA1
caeffaca8bee1f426a231531961fa6f451da4286

SHA256
43200ea4f80b3c1d93f94bd60b8ba0d857fd89c1b3796be8a8ebc4101fceb1fe

SHA512
08035a06b0096c88b6997445d372a2edfb42c639a73fed9d4db14deb9e12452c8df20f4afd71b2f6c09a398bc825deb511856c19ce25426d8ab28dda13c83230

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remain

Filesize
28KB

MD5
fe5fce1badf8f6ed89d1706e3bb247ab

SHA1
ea0fb449c5041753f7368743758083b97ab58efe

SHA256
c58b4b334ed813c206614385ccb738ab8073867b6fe9c937926d3560f485be1c

SHA512
39082d742832c9e8c1d673046be766948214adacef9aea7bccb88f8141c0778f6a0ddf2c9d3bc618b7fc09dbc8fd6c5f7679cf7e114d3b35a49b4141c37ace2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Replacing

Filesize
375B

MD5
5009941faa6a00c61b21ddf8f408f6c1

SHA1
6518be2da47fe8665c2c9cf51d132a5311f6bdc5

SHA256
e07cf78af6b2b8f26fb673a8e420280b4eb983e7b853376aeb9f445c254eb60a

SHA512
dcc653821b1d3ed64ab634a0de980bb4960e341626f772beadcfde4d1e28a102cf776b9db72d63e72db3346acc0f0a202b7c5fe0100a0f427d7d5822c6a1bc0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reviews

Filesize
73KB

MD5
43560909ef6d5db7fd868eea450bf532

SHA1
f3bab69a8edea89d563a8dadead2f7a7453d1369

SHA256
41ac5eb0f4418a5a07a39399329e8248dad23bad6ba5795234e8c2d722412d6f

SHA512
ff7754d8f7cc2a59674af4852d87b13e29def17d52a4c1f20ada901581065d8ad5696cd51cabe4c55d118906338cbd6c837b4718a6f4c0118115d0189cdae396

Download Submit
C:\Users\Admin\AppData\Local\Temp\Strip

Filesize
921KB

MD5
9712d045abc9ec82e4ae9ff73fd881b5

SHA1
ea2a8a2edd95f7e0205c1d9ac5411e14dad8f135

SHA256
bc237bca4bcfa143c8dcfa7a841ad7746cfcbd50d9704dff1a98e4f9b6f82995

SHA512
eed8dbbb85197cf73c8340ae9daeca2184afa7a528bb85f96e66034ca2904167667f2ce352725e31e2d2e6474ad2649e88cf4d18f764c63197dbce5aaed5bce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5164_560726789\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5164_560726789\f3d73b1a-2d73-4a0c-82d1-5e52b0fb710e.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit