hxxps://cdn[.]discordapp[.]com/attachments/775729889533493268/1052344022485708890/bird[.]exe

Analysis

max time kernel
93s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2023, 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/775729889533493268/1052344022485708890/bird.exe

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133282625837901160"	chrome.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2168	chrome.exe
2168	chrome.exe
4368	sdiagnhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4668	msdt.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2168	chrome.exe
2168	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
4668	msdt.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2168	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 3848	2168	chrome.exe	79
PID 2168 wrote to memory of 3848	2168	chrome.exe	79
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 4584	2168	chrome.exe	82
PID 2168 wrote to memory of 3396	2168	chrome.exe	83
PID 2168 wrote to memory of 3396	2168	chrome.exe	83
PID 2168 wrote to memory of 5116	2168	chrome.exe	84
PID 2168 wrote to memory of 5116	2168	chrome.exe	84
PID 2168 wrote to memory of 5116	2168	chrome.exe	84
PID 2168 wrote to memory of 5116	2168	chrome.exe	84
PID 2168 wrote to memory of 5116	2168	chrome.exe	84
PID 2168 wrote to memory of 5116	2168	chrome.exe	84
PID 2168 wrote to memory of 5116	2168	chrome.exe	84
PID 2168 wrote to memory of 5116	2168	chrome.exe	84
PID 2168 wrote to memory of 5116	2168	chrome.exe	84
PID 2168 wrote to memory of 5116	2168	chrome.exe	84
PID 2168 wrote to memory of 5116	2168	chrome.exe	84
PID 2168 wrote to memory of 5116	2168	chrome.exe	84
PID 2168 wrote to memory of 5116	2168	chrome.exe	84
PID 2168 wrote to memory of 5116	2168	chrome.exe	84
PID 2168 wrote to memory of 5116	2168	chrome.exe	84
PID 2168 wrote to memory of 5116	2168	chrome.exe	84
PID 2168 wrote to memory of 5116	2168	chrome.exe	84
PID 2168 wrote to memory of 5116	2168	chrome.exe	84
PID 2168 wrote to memory of 5116	2168	chrome.exe	84
PID 2168 wrote to memory of 5116	2168	chrome.exe	84
PID 2168 wrote to memory of 5116	2168	chrome.exe	84
PID 2168 wrote to memory of 5116	2168	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://cdn.discordapp.com/attachments/775729889533493268/1052344022485708890/bird.exe
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffaed99758,0x7fffaed99768,0x7fffaed99778
  2⤵
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1812,i,3234001852740467027,11932574359663487147,131072 /prefetch:2
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1812,i,3234001852740467027,11932574359663487147,131072 /prefetch:8
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1812,i,3234001852740467027,11932574359663487147,131072 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3224 --field-trial-handle=1812,i,3234001852740467027,11932574359663487147,131072 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3244 --field-trial-handle=1812,i,3234001852740467027,11932574359663487147,131072 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5028 --field-trial-handle=1812,i,3234001852740467027,11932574359663487147,131072 /prefetch:8
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5196 --field-trial-handle=1812,i,3234001852740467027,11932574359663487147,131072 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 --field-trial-handle=1812,i,3234001852740467027,11932574359663487147,131072 /prefetch:8
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 --field-trial-handle=1812,i,3234001852740467027,11932574359663487147,131072 /prefetch:8
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 --field-trial-handle=1812,i,3234001852740467027,11932574359663487147,131072 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5428 --field-trial-handle=1812,i,3234001852740467027,11932574359663487147,131072 /prefetch:8
  2⤵
  PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3972 --field-trial-handle=1812,i,3234001852740467027,11932574359663487147,131072 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 --field-trial-handle=1812,i,3234001852740467027,11932574359663487147,131072 /prefetch:8
  2⤵
  PID:4200

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:464

C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Users\Admin\Downloads\bird.exe" ContextMenu
1⤵
PID:2484
- C:\Windows\System32\msdt.exe
  C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCW9441.xml /skip TRUE
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4668
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Users\Admin\Downloads\bird.exe"
    3⤵
    - Checks computer location settings
    PID:5068

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ai5l04qn\ai5l04qn.cmdline"
  2⤵
  PID:3396
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F5D.tmp" "c:\Users\Admin\AppData\Local\Temp\ai5l04qn\CSC2BA69BEB80C04425AE687E3F8CA9FB.TMP"
    3⤵
    PID:3240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wlyz0cvt\wlyz0cvt.cmdline"
  2⤵
  PID:4584
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0A5.tmp" "c:\Users\Admin\AppData\Local\Temp\wlyz0cvt\CSC8300942A94B34778961982F8C7BAAD63.TMP"
    3⤵
    PID:2820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\duktgsvp\duktgsvp.cmdline"
  2⤵
  PID:1428
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA77B.tmp" "c:\Users\Admin\AppData\Local\Temp\duktgsvp\CSCDF8C3C50D3F24ABDB934ACA1487583A2.TMP"
    3⤵
    PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2023051107.000\PCW.debugreport.xml

Filesize
3KB

MD5
75967e6f87795d3cdc191562dc3b6931

SHA1
d2a2d1de5704a7d39ecfda7c47218d2aa22cbbe2

SHA256
83499099d6da76943f27fba0a4a15a5c54923c8912c1b44ec7df01ca9a9a333f

SHA512
788b30c5df2a5a0ccfff553cafe6ea4fd3ebeebdd2a5c496a08400e292e9cb31aaae7b446662b45df13ecbab759b9253e85b2e8eefa9a12012b01387493f0f41

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2023051107.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
823B

MD5
98a2492ae08478b1d07ff7e102786b87

SHA1
826b5cfb5f8496c9a5900cf7ce46e2460bd3b74d

SHA256
bce0048b9fc0d666ee4a48af35e3468c45b1685787c09fd6d4ccbfb16c488b94

SHA512
968d317b63efebe6eb08aed23864eb4e01c253b8bee2f3c568c0cca4217216c904de44c07884c32e2918a00997df0a9cb3285923173e078dc5fa6d091f55768a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d93d56ab8a6cd66694620a24738a2878

SHA1
b39dcbb800817da8dd74e2bf090511be345430c9

SHA256
74e7d0ca87f36d751c3b245254ba68775e7340b53361c5e1aab64136a6322528

SHA512
d421cca113996c2d3c28d7a8a2370e836d4f58f88568dd5d8f64f4794ba4857195077f27add24a15073e4a0e77dedf6a268f4c46e3d292e58ca2f19ea583da82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
10961ca8645d63702c41b188dddde7ac

SHA1
a4d0194bfd50e3d805b30702fad50de7fcb73ca6

SHA256
48433377e4fa9520f80029ef796f7d58bb8e97bab5a1addff5c167704842aedc

SHA512
de57664be30707759dad45381db04e0ac1c0382f0d630f0a6083d269e60890a45050efb81618846145ececf2fc3e6d75d872fbd9930cd9f703b8c6a79f325ed0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
975038954aa0457c679382063fafbc6b

SHA1
b333f3ff5748469e4b6b90bcf0a778eb0790db55

SHA256
8079ec5ee69d60e7b38a49715dfe4a95b3e7b1f1b9bb0a0dd195367e662bacca

SHA512
05fcda526de86494f0ee083cf41dc2f1bde25693d411d093e85bdf2f0d3c49dc4e5dd997aabf7b5f0be5b392fdf10556472b1ba6a4e5ca22e5192432f9f43272

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
149KB

MD5
b293352516c92a2fe1aad09dceb54a38

SHA1
8ea998ef5a1c1b9646dbcd5b89451418972fa5b2

SHA256
99279cdeb98f588a5b66cfae9f5b38f2e4a8e95bacc81432d33629a70298ef2e

SHA512
fce733db3505634aeaadf28acc3642357a69cabbaec4cae381fcc829129b8b493d13dc07ad01f36edd3d36c4bb2fc9abb7db7c197d6d757c6977eaa1fe4cf9e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
149KB

MD5
0929ac1858370e56a2d57aaed255f1fd

SHA1
cd437739d745388573ff8f7b3d9cd08363900738

SHA256
b34b8c1615141abc01f02cb84c0b8629c3153b85a09f06c84db5352e749ee93e

SHA512
8037892ca7de97aa761bf4948989157dc8bf5dc7569e1a57065448b37ba5f6a224f2aaaba35780b6f255dbfdf3ee62acb2e87bae60dddd6694f0e8f9f4cc9bf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCW9441.xml

Filesize
706B

MD5
ff75a1762aa3b67e253b351f969112c2

SHA1
ca1d13996490dc02161b740d46daafb09af30381

SHA256
35d53a00fa6fe662af381428325c775f40e3305c3ef95cf7df0d7b524b82bd7a

SHA512
ed36db8837bfec7ceeffd5b797603f2eb6e10bb6246b4da0b97b2217b19e5e4313c8e3a6732ab2686a19e9cace46c621e89677a7883ab272f00076c5d210b25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9F5D.tmp

Filesize
1KB

MD5
92f9ed048efa2889200a02ceb1e78806

SHA1
74be3c7267bb289bc30b696517b082b6863be708

SHA256
434d2268f7ed74bb16cae936cab230add6f778f09d62e75c7d3e17ee678267af

SHA512
3cbb35939871e183aa0ce54867a6a8667b94990482b2ed8b6879e264f585357c7c6314b3532274f514eaa1bc185e4fac0598a893b07ad635d3bf440b747dbc07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA0A5.tmp

Filesize
1KB

MD5
8bbb920b057ae90972d4ca26fea9dd61

SHA1
15983e06531b679ab8f700710b7340343c390fcb

SHA256
431438f7091a32dafd7a8d622561562c398e81ab87a3458f910f703bed3d925f

SHA512
17ab0009fd101c45f80c6f70a91a531171fbb7302b9c38e84356b7ef5c21c7d9717fa3a53878b3d8825110ad65baf411407b0014dc28f9417810b6b9418201e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA77B.tmp

Filesize
1KB

MD5
4d458205130f67ea78aacd8f41f66924

SHA1
e5ffbe090c6ad89d61d612c1877d58c0b3e3ea02

SHA256
2354d8ca1d3349e845a9c96f79c12022e44ce0456ff3a76b8edb22f432bae78a

SHA512
579b349d855e10693a9cdeefa5d27c36f841aa4768567418ad929b36db7f9eb5583ee041b803dbc9819a3044b555f3d628b75c8911d98da381dcce7673ce050e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bgqp5ae4.hk3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ai5l04qn\ai5l04qn.dll

Filesize
5KB

MD5
8f0bf1cbfd9c92cd0f4650e8e676289c

SHA1
9c329fc8a86365691120cdb86a4403d1d94cff89

SHA256
36898f5d1fdff595702f6ab6533318660e401da8275a457a03ab5448bc1c2bc3

SHA512
51cc96d768da4da2a6694c3f96507213b92accc841535971dfd0d305a07eba606d666c662995b22a12d168bf93222661ec75a52de897cb686028b96218a4b926

Download Submit
C:\Users\Admin\AppData\Local\Temp\duktgsvp\duktgsvp.dll

Filesize
9KB

MD5
f0b2bd3df71f1a00534e74d8961d8d5a

SHA1
c3cbd001963300d4508028eeca812edfbc752d2c

SHA256
1f25ff9260f3768e64a5d4c2f269e6ac2e0f0a35bfc71e93467dc5f30aa604d1

SHA512
bfaec139c851dad31efcbb8fc769553b4484e1014890279d991f15a48f28bec7c7db7fe3e686f1187dcf6c43deb83b147950abc8f28b2acdb520fa014e088759

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlyz0cvt\wlyz0cvt.dll

Filesize
3KB

MD5
ddfc29326d5ebcccb0c972875fdbee52

SHA1
c6347fc85c87bd8285e20cd1da4146a7505ab9cd

SHA256
907996de9dd1d53bf3969de94641e29c0524c64f2562fdf9ed30f9774b84865b

SHA512
b7453f945bcdc7efbe47c77ba4d21853a373b41a26ec4eb67796c7b653523d9846138e92bafbc37e813c18a497c0f8d9cf117890a5545a2bed41c3d2c7359543

Download Submit
C:\Users\Admin\Downloads\bird.exe

Filesize
2KB

MD5
3c4ce8ad32542d259572a7bbb2e030b8

SHA1
a8ee21e7544eb5c20c31ed938c9c0c1895d6c5b6

SHA256
ea027a9ec1ae3240bff73e1f6b56983bda32a77ea63b340484dd5397b472c06c

SHA512
8d473ffa1ea4e6b9a721c05884ad95c27f0e368e62d67d3a0888cb3deb5a63084aadd442c9fd809790a6bb1c8620de61f2e66f1a301aac39e991b9a1db968f00

Download Submit
C:\Users\Admin\Downloads\bird.exe

Filesize
2KB

MD5
3c4ce8ad32542d259572a7bbb2e030b8

SHA1
a8ee21e7544eb5c20c31ed938c9c0c1895d6c5b6

SHA256
ea027a9ec1ae3240bff73e1f6b56983bda32a77ea63b340484dd5397b472c06c

SHA512
8d473ffa1ea4e6b9a721c05884ad95c27f0e368e62d67d3a0888cb3deb5a63084aadd442c9fd809790a6bb1c8620de61f2e66f1a301aac39e991b9a1db968f00

Download Submit
C:\Windows\TEMP\SDIAG_34b7cc8c-68bc-47f4-b79c-869531a0e81c\RS_ProgramCompatibilityWizard.ps1

Filesize
49KB

MD5
edf1259cd24332f49b86454ba6f01eab

SHA1
7f5aa05727b89955b692014c2000ed516f65d81e

SHA256
ab41c00808adad9cb3d76405a9e0aee99fb6e654a8bf38df5abd0d161716dc27

SHA512
a6762849fedd98f274ca32eb14ec918fdbe278a332fda170ed6d63d4c86161f2208612eb180105f238893a2d2b107228a3e7b12e75e55fde96609c69c896eba0

Download Submit
C:\Windows\TEMP\SDIAG_34b7cc8c-68bc-47f4-b79c-869531a0e81c\TS_ProgramCompatibilityWizard.ps1

Filesize
16KB

MD5
925f0b68b4de450cabe825365a43a05b

SHA1
b6c57383a9bd732db7234d1bb34fd75d06e1fb72

SHA256
5b1be3f6c280acfe041735c2e7c9a245e806fd7f1bf6029489698b0376e85025

SHA512
012aadec4ed60b311f2b5374db3a2e409a0708272e6217049643bf33353ab49e4e144d60260b04e3ae29def8a4e1b8ada853a93972f703ca11b827febe7725af

Download Submit
C:\Windows\TEMP\SDIAG_34b7cc8c-68bc-47f4-b79c-869531a0e81c\en-US\CL_LocalizationData.psd1

Filesize
6KB

MD5
2c81a148f8e851ce008686f96e5bf911

SHA1
272289728564c9af2c2bd8974693a099beb354ad

SHA256
1a2381382671147f56cf137e749cb8a18f176a16793b2266a70154ee27971437

SHA512
409c2e953672b0399987ec85c7113c9154bc9d6ca87cf523485d9913bb0bf92a850638c84b8dc07a96b6366d406a094d32dc62dd76417c0d4e4ae86d8fcb8bbb

Download Submit
C:\Windows\Temp\SDIAG_34b7cc8c-68bc-47f4-b79c-869531a0e81c\DiagPackage.dll

Filesize
65KB

MD5
79134a74dd0f019af67d9498192f5652

SHA1
90235b521e92e600d189d75f7f733c4bda02c027

SHA256
9d6e3ed51893661dfe5a98557f5e7e255bbe223e3403a42aa44ea563098c947e

SHA512
1627d3abe3a54478c131f664f43c8e91dc5d2f2f7ddc049bc30dfa065eee329ed93edd73c9b93cf07bed997f43d58842333b3678e61aceac391fbe171d8461a3

Download Submit
C:\Windows\Temp\SDIAG_34b7cc8c-68bc-47f4-b79c-869531a0e81c\en-US\DiagPackage.dll.mui

Filesize
10KB

MD5
d7309f9b759ccb83b676420b4bde0182

SHA1
641ad24a420e2774a75168aaf1e990fca240e348

SHA256
51d06affd4db0e4b37d35d0e85b8209d5fab741904e8d03df1a27a0be102324f

SHA512
7284f2d48e1747bbc97a1dab91fb57ff659ed9a05b3fa78a7def733e809c15834c15912102f03a81019261431e9ed3c110fd96539c9628c55653e7ac21d8478d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ai5l04qn\CSC2BA69BEB80C04425AE687E3F8CA9FB.TMP

Filesize
652B

MD5
fb66b03dffe17a1af79087039febfc5c

SHA1
29f6b94947b948553fb07ad22ec5cc5561f8f17c

SHA256
c90b56ad08f7223187342e800bf4bf2f71bd36858af6f2dec5b4bc93098fcfc0

SHA512
a2a71883e0ec82757a7ce747b6fc3d2b6c9515a962442bbe87cfc3e541e5e88afdb2c5ae0c414ac897b9867e7593409d6c6b7f454c5971eff1e9d766ae1af837

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ai5l04qn\ai5l04qn.0.cs

Filesize
5KB

MD5
fc2e5c90a6cb21475ea3d4254457d366

SHA1
68f9e628a26eb033f1ee5b7e38d440cfd598c85d

SHA256
58fcc3cfb1e17e21401e2a4b2452a6e5b8a47163008b54fdcdcc8cadff7e5c77

SHA512
c54b9ce28fa71d7e3629cdd74ac9f23cba873506f1b5825acc2aa407414ed603af4c846dcf388c579f8324e3538e63b26f90421ea9d7fcdd3b277c21bad1a5b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ai5l04qn\ai5l04qn.cmdline

Filesize
356B

MD5
155d73f2fd4bae62f8cc69a64bcc0d55

SHA1
4d27de39cbdb0989e9047634fa923425b7df4a65

SHA256
e28697e0300eada79f2d44508a58627fd52574c201f6f5cf51084fb93304a394

SHA512
b753dfaeafb4416d3685424e53663513d69d49b93eea809ad3aa9e752fb2d2c6e0d5a8386539ef2c6355ee6259b73e81472bad1633186c384bd7798cce1c9d49

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\duktgsvp\CSCDF8C3C50D3F24ABDB934ACA1487583A2.TMP

Filesize
652B

MD5
838980e677ef8fa1f05658812bdf6c82

SHA1
e80600c5d6ee182d5d91a8ce6c8300c43668ffdd

SHA256
b1dc70f3542ab44f4f1ef566fc033f6fd58f4ae343a30c67e1bcaf1c88cd5558

SHA512
df1bba046007f113eeb7970b24cc7766ab4c38bf4a036614404f9eca057fbc6c1f41d3cb8fb854f96fa628010bbd41a3e392824fd462bf23e7ea09196cf8f40d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\duktgsvp\duktgsvp.0.cs

Filesize
11KB

MD5
acf1a7b8aab4c6efda423d4842a10a85

SHA1
ac55b84b81527ad1224a85640c5a2555b19b685d

SHA256
af0a7036a5f650570990f2d562a7c7636b6eaa54f53b6ce3f43aaa070188dafa

SHA512
22e5a8b633a0189e836adb0c34c84b5029e8069e2f0a77803da91ce2b0da14b8fa231ddd1f1b164992d534b8a4ccc51c270e8ff2ff3f2f34536432b4abfc04e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\duktgsvp\duktgsvp.cmdline

Filesize
356B

MD5
f6b02e7f10bb837545a1f489602d914b

SHA1
889ee310b54b59068dd1a104af88cfe15db0bce2

SHA256
0eb343a8b7c75d6bc831c393e19bf84032b4af694bbd637af904f9eca804b7d6

SHA512
9fd0d16d731cf02c8f8d56e3d212b9ab8ad9d2bcb9aa4c0f10412329757e359fe1f782c8dc7f5114771b910288640510540537c91dad6011074ae392972538cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wlyz0cvt\CSC8300942A94B34778961982F8C7BAAD63.TMP

Filesize
652B

MD5
d2b25b86462333344fc531062b1978d3

SHA1
e2a538e9504dfc97a9dcadd33b903931387adfbb

SHA256
1f1a2cf312c3d39f4533805ec5703370bcd35ceff090df0057ecad7240f77346

SHA512
646c255f91778c0bc54d54791c0ba42c5e15961c137d7a338cbd2a28779c8fec0de79dd8fde74a58553ac91b99701608fecd7dc5c848a1885bf720092d830feb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wlyz0cvt\wlyz0cvt.0.cs

Filesize
791B

MD5
3880de647b10555a534f34d5071fe461

SHA1
38b108ee6ea0f177b5dd52343e2ed74ca6134ca1

SHA256
f73390c091cd7e45dac07c22b26bf667054eacda31119513505390529744e15e

SHA512
2bf0a33982ade10ad49b368d313866677bca13074cd988e193b54ab0e1f507116d8218603b62b4e0561f481e8e7e72bdcda31259894552f1e3677627c12a9969

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wlyz0cvt\wlyz0cvt.cmdline

Filesize
356B

MD5
0247a0d41b2b12b2430837f0588726e5

SHA1
9359a3cb0680ecd4d380d93eb90839f009084819

SHA256
ce38db39fb6b7c780cce7029f47eff2f8335698a502d00f2e58846c9348b6def

SHA512
e815fe1e58ce83b3d0c5f89d7474367570889294dc85563c2a6196b7ecc17c8236fcf44e26730a17dd79137f1715ddd1fed97efed473d085e903d1aaaa427c64

Download Submit
memory/4368-418-0x00000182F7C00000-0x00000182F7C10000-memory.dmp

Filesize
64KB

Download
memory/4368-415-0x00000182F9060000-0x00000182F9082000-memory.dmp

Filesize
136KB

Download
memory/4368-460-0x00000182F7C00000-0x00000182F7C10000-memory.dmp

Filesize
64KB

Download
memory/4368-461-0x00000182F7C00000-0x00000182F7C10000-memory.dmp

Filesize
64KB

Download
memory/4368-462-0x00000182F7C00000-0x00000182F7C10000-memory.dmp

Filesize
64KB

Download