njrat | hxxp://20[.]7[.]14[.]99/server/

Resubmissions

08/09/2022, 17:44

220908-wblklafbe7 3

07/09/2022, 00:27

05/09/2022, 16:52

05/09/2022, 16:42

05/09/2022, 16:37

31/08/2022, 06:37

31/08/2022, 06:32

31/08/2022, 05:40

Analysis

max time kernel
1007s
max time network
1010s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2022, 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://20.7.14.99/server/

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

20.7.14.99:5552

Mutex

9636f5e673cfb8069e1ef3d1f8bc784b

Attributes

reg_key
9636f5e673cfb8069e1ef3d1f8bc784b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3152	Server.exe
4440	server.exe
432	ChromeRecovery.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
3252	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Server.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9636f5e673cfb8069e1ef3d1f8bc784b.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9636f5e673cfb8069e1ef3d1f8bc784b.exe	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9636f5e673cfb8069e1ef3d1f8bc784b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9636f5e673cfb8069e1ef3d1f8bc784b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1528_1287304567\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1528_1287304567\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1528_1287304567\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1528_1287304567\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1528_1287304567\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1528_1287304567\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1528_1287304567\_metadata\verified_contents.json	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 39384a26b9aed801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30981389"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a100000000002000000000010660000000100002000000068f540b14fc6252f88c1057e997de935b4b91cc94374c5ac7e33089d72c51d45000000000e800000000200002000000017269d73abd416b018fae70d1eb7f7205eeaa4b2be755a436f02c0273b98d5b4200000002c5d16e1e933ab5a8a90d5595a52d8c5e505708debf90b9d2cca167840ee2ccc40000000dd22a0390fd2de6d150ece4e54e1db083d7bb21aaac0c08213c84562ae78d0d2bd85e98f3759cb28ae47ce2c17639ba4347d0f87d491406692b05b1ce7d39181	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1015b1060ebdd801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000262b369c535eb976fdb6eca72064d30d646422c01f7bcdb16e0895284b22f0aa000000000e800000000200002000000049f3066954f0079fac3e4f0e51fafbd3aa84c0c6a8967d63770c7b2731b5dd25a00000000125baf00e4eef311d71c4c2269c23b827bc40e4ae7652764708202f7b1dc3242f50ba209258700c907fed06daf5a5698e218693ef12422d1d2baaa73faf4cb2df75cade0a07e0e70147fa5e1fd53d53746ed4a3698e7ee0c4a0ffb58365c1830e06d11d2af477ef0e2df39a4a7a39419fa641d7a6adde1c09cf2b393acfb12589c5040c3e70b26086739dba8619895f46d6c3ee18e34760406076716d4abd69400000004bb0d18d62c9ac37908a1c91199fcdbd75622a5b73e5840a5822e338f17a4fdf8dc6c716fc9dd470ee75ee2b48c91bd2a769a62e833ec5a9932d96e742f3c376	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a10000000000200000000001066000000010000200000007d1db1a67cda6cebe22f8385c97d62303a4c2fcdc5f254b8a659cb45d0436a1a000000000e8000000002000020000000422e868c921e4d453dc2aa870c08525e57e29a78f38ce743ccc8e845a7853d9920000000246039a4901a9e3b65b62f4c6504d0c49d4c2d3954d528ac11c58493ac258fd7400000002959434d773bc5f3447c2dcd44561f007699997566422fc42c7752b93d32b0980e93128e8ddd5b78430ad9ac85992d8ac0cd0dc66584b5ce27c2e1f3fb7d1d34	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00ca304c0dbdd801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a100000000002000000000010660000000100002000000086d384c3b80db1d472af30af0db27590e6be65a95e6afb6ddf087775b820777e000000000e80000000020000200000009ed7b270f3e8f93d7811c4b941dfdff1f59fc64f6765c8d6260a7a06bc6ed6e52000000057d38309d2f3d05d9521328630c7f38f9470bb1a73e7966fa0205ca86af204eb40000000940e697b02cb00eee01a6fa90a80ff031b081e61a016d608ff06c9533b9fb3bf0de6affab48c2253b4a5ebf6611c5b1859aa4c1568a52f7d115cdc739fe00cc3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000fb51e33dd51bd59ce275d26c4f40b4bc6c8a82d406c758141bd1dbbb402034dd000000000e8000000002000020000000d7dce79b5b2ca9ad112fa549ba3d1e687bc5be9b6c64a1cbb6dba228f0f5251b2000000051af939ea0f79e116a8b4ed5abed2063973f11a1db5ea33193d076a32c50fe504000000063c942af3ec0be1e9ce534cb9208713715e74f0d0d23384ecf23ff9c0a6318b8f3d28da572e504bdf82e1edc5438d4cdf22e87c1ad5af1329e59f218c377371b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90ef8b080ebdd801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a10000000000200000000001066000000010000200000007ffd4f917071cb20ca06c82ae2e86d6c67cb019cfa23cbd21538b2071ea7c649000000000e8000000002000020000000a928c2893bd23b1a9eae41036771e5e311e6a42aca67745a656265f6eca24cf8a0000000eb0c8797e1f783b89942c32c30fca688710ab55a64ccfba91a7b340b32b1358bf005f144dd2477d279569c9b97db615fabb288765960c283d8092188b1513c677155c61622b2c1deaed006272dc22d8fe0060c948b63efe7671ebc7b17ca1ba0ac7fa6d7a5c5c5503dde5d56d216d620611e38fa93d828e9fa2b1c051ee6d2e2bcc5c2e830d94f6158ace340859a2bfc45f72620b9f3874cb0fcb696187c2e12400000002f3f858040d68e9b6636a96ce845da9eb06c1bc9047312ae5b3369c49aed802b1f006b45bf2a4be21acd86a1d4ff1bfd927a3b5b2243a4e3ac8a032ce5e554be	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2BC50A5C-2900-11ED-89AC-E64E24383C5C} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d05e73090dbdd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "368696599"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "5590157"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "5590157"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30981389"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a100000000002000000000010660000000100002000000090ba66e02b1105effee22c136301d952fc7d859a8ee3ead49afe6019d446af57000000000e80000000020000200000007415038e0dc375e75f2f8b71d06b8e020aa27e1fb767cab7be6fda590eebbb6e20000000e722ffd28754204ae62ab3a7e25aec9043f82aed8f2e9b22efda76ac462ca407400000000a07139df47473ba91944e3571a4074a145db8ff25a5d1977485755e0bbe18a34f2aa1ac7a5f0f88893b567a35a5eb824cfd49ab991dec58c4a178566572df21	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0b681090dbdd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30981389"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "23091074"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{33C09A0C-1E99-4EB7-AE94-1EE9F307E66B}"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a10000000000200000000001066000000010000200000006d17a4112a9a7dd94f2f70717998472bd3b08887fa167b05d93e5ec1d6c284fb000000000e800000000200002000000071c6fa1830c93bb4dff7ee8eded9d70b9d02730ca3337ce60b8da716e4e5b65f200000008baaa19941ca6ef3083b1904047cea5e225bc8d51fb7a9447334cb184326c31b400000003a735902ed5df62fe46b3743553e9ac8b5da87833708b5fb0bf3c0aad9f0945caaf43124ee73b979dac2112f4b08b708ac735ed6fad171b4d4c2b5deeab8a9de	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20786e540dbdd801	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\text_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\text_auto_file\shell\open	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\text_auto_file\shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe

Opens file in notepad (likely ransom note) 6 IoCs

ransomware

pid	Process
3332	NOTEPAD.EXE
2560	NOTEPAD.EXE
1480	NOTEPAD.EXE
2148	NOTEPAD.EXE
3712	NOTEPAD.EXE
2960	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1856	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2440	chrome.exe
2440	chrome.exe
3516	chrome.exe
3516	chrome.exe
4136	chrome.exe
4136	chrome.exe
4992	chrome.exe
4992	chrome.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe
3528	chrome.exe
3528	chrome.exe
2028	chrome.exe
2028	chrome.exe
880	chrome.exe
880	chrome.exe
344	chrome.exe
344	chrome.exe
1860	chrome.exe
1860	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3716	chrome.exe
3716	chrome.exe
4440	server.exe
4440	server.exe
4440	server.exe
4440	server.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
1856	vlc.exe
2372	iexplore.exe
4440	server.exe
1704	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe
Token: SeIncBasePriorityPrivilege	4440	server.exe
Token: 33	4440	server.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
2372	iexplore.exe
2372	iexplore.exe
2372	iexplore.exe
1856	vlc.exe
1856	vlc.exe
1856	vlc.exe
1856	vlc.exe
1856	vlc.exe
1856	vlc.exe
1856	vlc.exe
1856	vlc.exe
2372	iexplore.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
2372	iexplore.exe
2372	iexplore.exe
2372	iexplore.exe
2372	iexplore.exe
2372	iexplore.exe
1704	7zFM.exe
1704	7zFM.exe
1704	7zFM.exe
116	7zG.exe

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
1856	vlc.exe
1856	vlc.exe
1856	vlc.exe
1856	vlc.exe
1856	vlc.exe
1856	vlc.exe
1856	vlc.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2372	iexplore.exe
2372	iexplore.exe
5040	IEXPLORE.EXE
5040	IEXPLORE.EXE
5040	IEXPLORE.EXE
5040	IEXPLORE.EXE
1856	vlc.exe
5040	IEXPLORE.EXE
5040	IEXPLORE.EXE
5040	IEXPLORE.EXE
5040	IEXPLORE.EXE
2372	iexplore.exe
3528	chrome.exe
2692	chrome.exe
5040	IEXPLORE.EXE
5040	IEXPLORE.EXE
5040	IEXPLORE.EXE
5040	IEXPLORE.EXE
2372	iexplore.exe
5040	IEXPLORE.EXE
5040	IEXPLORE.EXE
2372	iexplore.exe
5040	IEXPLORE.EXE
5040	IEXPLORE.EXE
2372	iexplore.exe
5040	IEXPLORE.EXE
5040	IEXPLORE.EXE
2372	iexplore.exe
5040	IEXPLORE.EXE
5040	IEXPLORE.EXE
2372	iexplore.exe
3824	chrome.exe
3392	chrome.exe
4284	chrome.exe
1928	chrome.exe
4868	chrome.exe
4620	chrome.exe
4740	chrome.exe
5040	IEXPLORE.EXE
5040	IEXPLORE.EXE
5040	IEXPLORE.EXE
5040	IEXPLORE.EXE
2372	iexplore.exe
3524	chrome.exe
3128	chrome.exe
4288	OpenWith.exe
4288	OpenWith.exe
4288	OpenWith.exe
4288	OpenWith.exe
4288	OpenWith.exe
4288	OpenWith.exe
4288	OpenWith.exe
3136	OpenWith.exe
3136	OpenWith.exe
3136	OpenWith.exe
3136	OpenWith.exe
3136	OpenWith.exe
3136	OpenWith.exe
3136	OpenWith.exe
3136	OpenWith.exe
3136	OpenWith.exe
3136	OpenWith.exe
3136	OpenWith.exe
3136	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 5040	2372	iexplore.exe	83
PID 2372 wrote to memory of 5040	2372	iexplore.exe	83
PID 2372 wrote to memory of 5040	2372	iexplore.exe	83
PID 2372 wrote to memory of 3152	2372	iexplore.exe	101
PID 2372 wrote to memory of 3152	2372	iexplore.exe	101
PID 2372 wrote to memory of 3152	2372	iexplore.exe	101
PID 3152 wrote to memory of 4440	3152	Server.exe	103
PID 3152 wrote to memory of 4440	3152	Server.exe	103
PID 3152 wrote to memory of 4440	3152	Server.exe	103
PID 2372 wrote to memory of 1856	2372	iexplore.exe	104
PID 2372 wrote to memory of 1856	2372	iexplore.exe	104
PID 4440 wrote to memory of 3252	4440	server.exe	106
PID 4440 wrote to memory of 3252	4440	server.exe	106
PID 4440 wrote to memory of 3252	4440	server.exe	106
PID 2372 wrote to memory of 2960	2372	iexplore.exe	109
PID 2372 wrote to memory of 2960	2372	iexplore.exe	109
PID 3516 wrote to memory of 4444	3516	chrome.exe	111
PID 3516 wrote to memory of 4444	3516	chrome.exe	111
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 1140	3516	chrome.exe	112
PID 3516 wrote to memory of 2440	3516	chrome.exe	113
PID 3516 wrote to memory of 2440	3516	chrome.exe	113
PID 3516 wrote to memory of 3520	3516	chrome.exe	115
PID 3516 wrote to memory of 3520	3516	chrome.exe	115
PID 3516 wrote to memory of 3520	3516	chrome.exe	115
PID 3516 wrote to memory of 3520	3516	chrome.exe	115

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://20.7.14.99/server/
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5040
- C:\Users\Admin\Downloads\Server.exe
  "C:\Users\Admin\Downloads\Server.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:3252
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\njrat.mp4"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1856
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\dll.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2960
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\RUMPE.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3332
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\RUMPE2.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2560
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\melissa.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1480
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\dll2.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2148
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\TesteOk.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb54af4f50,0x7ffb54af4f60,0x7ffb54af4f70
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1640 /prefetch:2
  2⤵
  PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2288 /prefetch:8
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4468 /prefetch:8
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4664 /prefetch:8
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3636 /prefetch:8
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=924 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4520 /prefetch:8
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=244 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:1208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1548 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3108 /prefetch:8
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3768 /prefetch:8
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3676 /prefetch:8
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1428 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4548 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1548 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4548 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1552 /prefetch:8
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,8858961666791804065,3207792311734966764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3360 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2632

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:1528
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1528_1287304567\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1528_1287304567\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={ec0dbe9d-16e9-4f0a-a681-13dea4106092} --system
  2⤵
  - Executes dropped EXE
  PID:432

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4600
- C:\Windows\system32\dashost.exe
  dashost.exe {816047fa-a5d3-4dca-9e8b3b21f2cf990b}
  2⤵
  PID:2216

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Server.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1704

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4288

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Server\" -spe -an -ai#7zMap2890:74:7zEvent13331
1⤵
- Suspicious use of FindShellTrayWindow
PID:116

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3136
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Server\.rsrc\MANIFEST\1
  2⤵
  PID:2764

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4648
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Server\.reloc
  2⤵
  PID:2552

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
PID:4832
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Server\.text
  2⤵
  PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1528_1287304567\ChromeRecovery.exe

Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3

Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
319B

MD5
91046f2e147049d3e53cd9bf9d4d95ed

SHA1
228e347d062840b2edcbd16904475aacad414c62

SHA256
ea92f8291b86440b98162409b1f9f04470455c22be01a1480ea5ebc37eb168dc

SHA512
071a9c6e17760a726c3a4519cf8006f36f17f50946af0129e0e1f3e480f6b7fcc804a7614b044247f2420a8b2b46bec5b8493e4869bb918bc7c0f6aa1346c3e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ru1r3yf\imagestore.dat

Filesize
30KB

MD5
fb91fe07a7270975d3420484340ade48

SHA1
79d342b7ff5fd19cd8f76b4134afd7395410563e

SHA256
8a06e4c4df1850c42a669e707c2220e32524ff736a044c0a7dff5588d23e34ed

SHA512
3c1dc75ac251103a222fddeb56d28ba0c1d8ef2ea3c765b6a4af945391be972d7512a491839e3040b68ad55fc0d3be4cd9a4a9eb9c2f6471e58779878ad04562

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
a3f12d515380ac33257ec6934dbbb907

SHA1
3cf22e902773979d9c03a4bbe10c2fe0d7488c2a

SHA256
bd72f43cf0019f4a5f8f970f307012ddacbaffdb2ad76caa4e3c3be78dd7f716

SHA512
4cf2af81dc39f90c77eab1c9abb8d699753e401320e45c3e66bec42063e13b9cf5dee4b08a33e31cf5d62c9252de1ab1ee3b3f3494c1e37b466124f51260c1f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DU2BEY67\favicon[1].ico

Filesize
30KB

MD5
6eb4a43cb64c97f76562af703893c8fd

SHA1
c50c4273b9d2433c6069454f971ed6653e07c126

SHA256
1d7c95c5eea00a8083a95810f902682f9e26e7fbb7876b022a403642d776d0c9

SHA512
3bae9380d8f0d45617ecf9d0d43818b7f8f83b61ecbd5e6dbd189c19d5853f92aa47965ad257cf712e49c03652f129dca47e8a8dbd86d62e614acc99ea931181

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
23KB

MD5
4cc52b12b15e02c96fed275defa813af

SHA1
a35a727745e25e1b71119968d3f090dfc4c07c18

SHA256
db62cd044da6120e08c11b7cc41f9ac0fb160adedd1f7a3a6380713d3a305357

SHA512
addaa15db05d0eee7f43715406fc41ebd1dd0dc1b626d473c85c302ff541f7033dd77585912e1630e10474db212aa5d9122bb8527d9383437fba9d56e90c3676

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
23KB

MD5
4cc52b12b15e02c96fed275defa813af

SHA1
a35a727745e25e1b71119968d3f090dfc4c07c18

SHA256
db62cd044da6120e08c11b7cc41f9ac0fb160adedd1f7a3a6380713d3a305357

SHA512
addaa15db05d0eee7f43715406fc41ebd1dd0dc1b626d473c85c302ff541f7033dd77585912e1630e10474db212aa5d9122bb8527d9383437fba9d56e90c3676

Download Submit
C:\Users\Admin\Downloads\RUMPE.txt.7nopekr.partial

Filesize
37KB

MD5
eaee8d21c5499ff2bd626130845bccfd

SHA1
517ac624fe36b4e80a051156625dae06628c8d59

SHA256
62ed20879a2550c499477598640794ede63a2c93d2c35a4dc0f8a41d0b26e652

SHA512
f8f67115ce1939606f725ec43e91459319e4822eed7c94293f7d1d91882bb9ce45c9f44915962051de68054d2b239f89b72ce1ea1b84b4a05173ca4d3716b1bd

Download Submit
C:\Users\Admin\Downloads\RUMPE2.txt.yj6b11v.partial

Filesize
22KB

MD5
c2f8bd0d0b06f7e2a7de6807e21e7201

SHA1
bcd8bbbcdc70cd6578e47fb792830dc595bfc6f5

SHA256
e2d0b37e3a1b88286638f6c7735352e51d7611af9787c83ac0a414fad0522d11

SHA512
57e55d5907aeb496b7ab9853aff98e952e2d31c30821005cdcaf195cf7e62eaa06d9ac900a94a8889f691b3d30f73be1a659e0894be15e110537bf1e09ee8a28

Download Submit
C:\Users\Admin\Downloads\Server.exe

Filesize
23KB

MD5
4cc52b12b15e02c96fed275defa813af

SHA1
a35a727745e25e1b71119968d3f090dfc4c07c18

SHA256
db62cd044da6120e08c11b7cc41f9ac0fb160adedd1f7a3a6380713d3a305357

SHA512
addaa15db05d0eee7f43715406fc41ebd1dd0dc1b626d473c85c302ff541f7033dd77585912e1630e10474db212aa5d9122bb8527d9383437fba9d56e90c3676

Download Submit
C:\Users\Admin\Downloads\Server.exe.2nxotte.partial

Filesize
23KB

MD5
4cc52b12b15e02c96fed275defa813af

SHA1
a35a727745e25e1b71119968d3f090dfc4c07c18

SHA256
db62cd044da6120e08c11b7cc41f9ac0fb160adedd1f7a3a6380713d3a305357

SHA512
addaa15db05d0eee7f43715406fc41ebd1dd0dc1b626d473c85c302ff541f7033dd77585912e1630e10474db212aa5d9122bb8527d9383437fba9d56e90c3676

Download Submit
C:\Users\Admin\Downloads\TesteOk.txt.n2xs6oq.partial

Filesize
39KB

MD5
fd1151cc66285adaad818a4655064de0

SHA1
e453df7c5626270b4618a366ded8bfffec27a07b

SHA256
5970261b439b852e66bc8a5ca610ddf72c701cc86282f3e064de95c7f1c3fcf7

SHA512
cbba47208d7682fbe762495fa38101305f1d85779271e2645179b5810ea4c3183c18831900e08f1fb861b13e109fea2dc345c44a39aacbd5dc51982a530bf619

Download Submit
C:\Users\Admin\Downloads\dll.txt

Filesize
12KB

MD5
e7de108397b45e815b7bb96faf93ddce

SHA1
dde47a379fc7fe5a0337841a7eda2d46cc5478de

SHA256
d35d3e587d46f9ad880156cb59a9463f77d6d240c4bd6168a773600599b24cdc

SHA512
77caddfca12e0bbec350172524f9fed16525f1d1e25262b12a4f49b7d2ce1b85593bee1588a4f825494d02200b92e448611f2e46b93cf20d62e60185a73ea0c7

Download Submit
C:\Users\Admin\Downloads\dll.txt.4al0voj.partial

Filesize
12KB

MD5
e7de108397b45e815b7bb96faf93ddce

SHA1
dde47a379fc7fe5a0337841a7eda2d46cc5478de

SHA256
d35d3e587d46f9ad880156cb59a9463f77d6d240c4bd6168a773600599b24cdc

SHA512
77caddfca12e0bbec350172524f9fed16525f1d1e25262b12a4f49b7d2ce1b85593bee1588a4f825494d02200b92e448611f2e46b93cf20d62e60185a73ea0c7

Download Submit
C:\Users\Admin\Downloads\dll2.txt.pdkrsmi.partial

Filesize
10KB

MD5
2f264464da58b60a91af5bce586b6407

SHA1
85b327df83cfb160581f233a66b65c22b46aba27

SHA256
f41d1a2acb06601a308e9fb773c4f580839d11d4798ae174405c267071bdb8ba

SHA512
55394f249d25ec47554bbb27a512b3446d92a9b678c582d054c6ada48f52d99502d2034b7ed5162c70018f408431de945a9a305a42d597e16b6351bbd9115868

Download Submit
C:\Users\Admin\Downloads\melissa.txt.f9ddcov.partial

Filesize
364KB

MD5
bf77aa6a2c79b1fa8290745cfd8cab13

SHA1
4a5abfbcab3aa95489a3d94e7168260eb2d3837f

SHA256
8b87f831c5518a91b298f616ac47055206fbb23b6e0d53310d58639f7dd18ff3

SHA512
b8ec27fd278493eba1da4a6653aa7035decf8dc12f98a77f67e576859797e7c479f815cf36f126ce01b804b73e5ef0844c02741f3116cbeb579c43ed3158aa52

Download Submit
C:\Users\Admin\Downloads\njrat.mp4.t0cpm7c.partial

Filesize
42KB

MD5
1814573dd0c6f90c941b786a3271e33e

SHA1
4d5b9efdacaa0b54ff44b537b57a864575f0a6c9

SHA256
f856403c55eec0fe9eb24472b76e7d9b620c5299bc14142af2f20f0e68af4103

SHA512
8c2213ab7251b66217ac45f93490b2db7330366c90aa8c896cbf9494c27038e4c8c4c1354b2cef49089df0a1c12af0120e706b2999c8bc853267c2b19f3acfa7

Download Submit
memory/3152-146-0x000000006FAB0000-0x0000000070061000-memory.dmp

Filesize
5.7MB

Download
memory/3152-139-0x000000006FAB0000-0x0000000070061000-memory.dmp

Filesize
5.7MB

Download
memory/4440-150-0x000000006FAB0000-0x0000000070061000-memory.dmp

Filesize
5.7MB

Download
memory/4440-147-0x000000006FAB0000-0x0000000070061000-memory.dmp

Filesize
5.7MB

Download