c94ed445611ed35ebbe8c3c2af5c17e20cdb8ef76ecbc1ef535bdec7ccf08f4b

Resubmissions

11/02/2024, 20:27

240211-y8tnksdb78 10

11/02/2024, 20:21

11/02/2024, 20:11

11/02/2024, 20:06

11/02/2024, 19:54

Analysis

max time kernel
633s
max time network
639s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/02/2024, 19:54

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

winrar-x64-624es.exe
Size

3.5MB
MD5

1da8374156fc6492f06828e55ea4dc13
SHA1

4923d045851434d65ce7c56b7e1bd73a08fc2305
SHA256

c94ed445611ed35ebbe8c3c2af5c17e20cdb8ef76ecbc1ef535bdec7ccf08f4b
SHA512

445392ffca842263310d0f4b8371e0bfd6bcb40d9e846d645c73616b252315b0603d7e538d9e5415028c35f747989da5c14566cf356860304e889ae7f12565d2
SSDEEP

98304:jwBOBfKqQ0K1MTXtbysMqIpmCcBQz/J6+14CeZx1kR7:jw/qQv1MTXhysMs1BQnG1G

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
136	raw.githubusercontent.com
137	raw.githubusercontent.com
114	camo.githubusercontent.com

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
3320	system.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1256	SCHTASKS.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133521549463736135"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "235"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
864	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2424	chrome.exe
2424	chrome.exe
3020	chrome.exe
3020	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
3620	winrar-x64-624es.exe
3620	winrar-x64-624es.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
2664	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 5084	2424	chrome.exe	96
PID 2424 wrote to memory of 5084	2424	chrome.exe	96
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1692	2424	chrome.exe	97
PID 2424 wrote to memory of 1672	2424	chrome.exe	98
PID 2424 wrote to memory of 1672	2424	chrome.exe	98
PID 2424 wrote to memory of 872	2424	chrome.exe	99
PID 2424 wrote to memory of 872	2424	chrome.exe	99
PID 2424 wrote to memory of 872	2424	chrome.exe	99
PID 2424 wrote to memory of 872	2424	chrome.exe	99
PID 2424 wrote to memory of 872	2424	chrome.exe	99
PID 2424 wrote to memory of 872	2424	chrome.exe	99
PID 2424 wrote to memory of 872	2424	chrome.exe	99
PID 2424 wrote to memory of 872	2424	chrome.exe	99
PID 2424 wrote to memory of 872	2424	chrome.exe	99
PID 2424 wrote to memory of 872	2424	chrome.exe	99
PID 2424 wrote to memory of 872	2424	chrome.exe	99
PID 2424 wrote to memory of 872	2424	chrome.exe	99
PID 2424 wrote to memory of 872	2424	chrome.exe	99
PID 2424 wrote to memory of 872	2424	chrome.exe	99
PID 2424 wrote to memory of 872	2424	chrome.exe	99
PID 2424 wrote to memory of 872	2424	chrome.exe	99
PID 2424 wrote to memory of 872	2424	chrome.exe	99
PID 2424 wrote to memory of 872	2424	chrome.exe	99
PID 2424 wrote to memory of 872	2424	chrome.exe	99
PID 2424 wrote to memory of 872	2424	chrome.exe	99
PID 2424 wrote to memory of 872	2424	chrome.exe	99
PID 2424 wrote to memory of 872	2424	chrome.exe	99

C:\Users\Admin\AppData\Local\Temp\winrar-x64-624es.exe
"C:\Users\Admin\AppData\Local\Temp\winrar-x64-624es.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3620

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\a55140f3259a46cf82c6caf08c08edec /t 912 /p 3620
1⤵
PID:1836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9982c9758,0x7ff9982c9768,0x7ff9982c9778
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1916,i,1868986892715866365,11064584654353619937,131072 /prefetch:2
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1916,i,1868986892715866365,11064584654353619937,131072 /prefetch:8
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 --field-trial-handle=1916,i,1868986892715866365,11064584654353619937,131072 /prefetch:8
  2⤵
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3164 --field-trial-handle=1916,i,1868986892715866365,11064584654353619937,131072 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3148 --field-trial-handle=1916,i,1868986892715866365,11064584654353619937,131072 /prefetch:1
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4640 --field-trial-handle=1916,i,1868986892715866365,11064584654353619937,131072 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1916,i,1868986892715866365,11064584654353619937,131072 /prefetch:8
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=1916,i,1868986892715866365,11064584654353619937,131072 /prefetch:8
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5416 --field-trial-handle=1916,i,1868986892715866365,11064584654353619937,131072 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5524 --field-trial-handle=1916,i,1868986892715866365,11064584654353619937,131072 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5816 --field-trial-handle=1916,i,1868986892715866365,11064584654353619937,131072 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2924 --field-trial-handle=1916,i,1868986892715866365,11064584654353619937,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 --field-trial-handle=1916,i,1868986892715866365,11064584654353619937,131072 /prefetch:8
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 --field-trial-handle=1916,i,1868986892715866365,11064584654353619937,131072 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6028 --field-trial-handle=1916,i,1868986892715866365,11064584654353619937,131072 /prefetch:8
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=1916,i,1868986892715866365,11064584654353619937,131072 /prefetch:8
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1040 --field-trial-handle=1916,i,1868986892715866365,11064584654353619937,131072 /prefetch:8
  2⤵
  PID:184

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2060

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4388

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4032
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\README.md
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:864

C:\Users\Admin\AppData\Local\Temp\Temp1_7ev3n.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_7ev3n.zip\[email protected]"
1⤵
PID:4716
- C:\Users\Admin\AppData\Local\system.exe
  "C:\Users\Admin\AppData\Local\system.exe"
  2⤵
  - Executes dropped EXE
  PID:3320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
    3⤵
    PID:4252
- - C:\Windows\SysWOW64\SCHTASKS.exe
    C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1256
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    PID:3140
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Modifies WinLogon for persistence
      PID:2432
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    PID:3292
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      PID:1744
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
    3⤵
    PID:3692
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      4⤵
      PID:3892
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
    3⤵
    PID:2892
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
      4⤵
      UAC bypass
      PID:808
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
    3⤵
    PID:2788
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      4⤵
      PID:4424
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
    3⤵
    PID:1084
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      4⤵
      PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
    3⤵
    PID:3928
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
      4⤵
      PID:3600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
    3⤵
    PID:4900
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -r -t 10 -f
      4⤵
      PID:1548

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3956855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8638cd63-8f08-4e2d-833e-eb7f9a80b039.tmp

Filesize
6KB

MD5
25bdb3e4315735bfb3a1fe8d78cbbc91

SHA1
6039903e8821bb63484914a424bad3861ed98cd1

SHA256
9d3a75ef8bb0cb62e935a87432518ca63c462137bbbd1ae037cea7ab9795aaef

SHA512
7fc0a62ba2120b441fd62a662477eaf5f4c79220124abbb5506ed931d0d32900876a711a360371ba2ea87bf3f6c7d9744ce12b74c37b7590b4255f6b820cb04c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
194KB

MD5
36104d04a9994182ba78be74c7ac3b0e

SHA1
0c049d44cd22468abb1d0711ec844e68297a7b3d

SHA256
ccde155056cdce86d7e51dfd4e8fb603e8d816224b1257adfcf9503139dd28f1

SHA512
8c115e3e5925fb01efd8dda889f4d5e890f6daaf40b10d5b8e3d9b19e15dadcb9dcf344f40c43f59a1f5428b3ee49e24e492cf0cb6826add1c03d21efdec52ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
929459428637ac6c6fcb3752877a00b3

SHA1
ca30bd36fec3c95f8544567bfc3df1a018907ae8

SHA256
166b656da2895ead1e7a51c647b867f99f7fbaef089235b4e87978907d3a49df

SHA512
805bc87ef042d8b12ed8b827567a3dad70e4e424553d27aea12382dd506ca112c00805279b91d83eb78c55c7b564f240458a8ee037679bbdb6b3ae67aedb890f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a4702825c5ba06c0be5cf71c237637db

SHA1
105d9a738fa66d5ce64a798e586094591b1a62ac

SHA256
96170fabf8bcfea3f8be2c0dfedbd40e0f59058f05c9767f3fc97ee66ea33d23

SHA512
4c7ebd56ea103fe56d52fe1862a6f8dd5a91819ed7bcb14d0fd3faa29027a76e10415691cdbfbd146bb45d7c4c09eff02678937468bb04bd2988348b51314c12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c09fe736b6e32771349e54b4012c3e70

SHA1
5529661f73f53df06c8e59c568da0f638224aea4

SHA256
7d983c82a15358e6030b59b32109dafafa9823968ae42dd67e4560f4b1831a01

SHA512
ca969a9e9dac12b72080a64bafd815e8228c0bb63f5da4b60d4adb562b45e4fc1025b60681fe986a2be955e9690f0670eac0344484b0006353e29eea9f2c1a2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b118f6f07464abb674f0f9074ebecc08

SHA1
8757d04d7a18c6421b10f682226800ef3540883e

SHA256
c963edb17dc034b2c325cb688701eb3df33b36150ad9743fffae223a1d97df46

SHA512
24b5acbe43d5f36b52268c546dfcc5500e3c4da25845a14449a435f35281531db5b870e07ea4d01bcdb8e2f17a2d6742768e785eeaf43d0d2b7378a9af588a47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
38ea2dd0f7bb53c2c1d9955c046aebb6

SHA1
886efadf54163e56f63d1c97f12a0935736dbd99

SHA256
cafb601d2b5756e2fc9c0ffc94bbfa821f39286f67a9162c85522f6da1f1a66f

SHA512
c9a5dfdf5f637518827de95691b63cd902a009cd69551d7ac30e75605e40099a4c9b2d6cfa0b8fc85b96c3e0bc84f48c7cb412e08115d76218ccbec07108c271

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
82eda3a116b28562eaa8c9bb489628e2

SHA1
a555330ab2e750d0333f245a65bffa318447afaf

SHA256
77141f4e12fbc93ea91d53df33b003201e604686d8aafd8c3797e89402c1ef5a

SHA512
d87d57136feedade17707964c17246ac971c9647785dc47ed09e716709fe90256bea8fa0ddca380a6cd283aa6d9c1d5e2291902f78461dd00844e07acac64da1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
de42b8ffb259002585194973c045362d

SHA1
222f3b7ee640bbe04f0ace0c00a2392c5be53737

SHA256
667d626353883617aeb011500a5e3508fab4dc7cca0d29cec07fcfa8def902d5

SHA512
9c6f271401cf250c8479cf5e78e67c7dc8fb0564e2823636de138ab9a90e310b67545dff089dd471f8960340647bf6f104e3a7f688b5d9d9450a55c64e7b7a60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
dc04b48daf7a985ef43897fbb5411b37

SHA1
69fbd8c9c27dd43a0587ed4b9f47885ab284d9dd

SHA256
922a31b7f9a5469a16275e29a948c536fdbbfdce462fa79f63055b36610f8633

SHA512
fefd094abbaf455033671b9b53973d1496b13536d7527821596ab4c3d5aaaf3173ae4f2695ac4de44b6fae11c9db0fbf6cb4e84a68e96125fe391eae1631c23b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
ba764c1f9f0ec44d39db1eb76cbd20ec

SHA1
e6b3db71b1d5ebb55828a34a1d38eba3750e098c

SHA256
e4dd13b69a1d69a0663616a645e42c95a35d191f9ac98037825da1641d487a50

SHA512
a114eb4a9e7621c1a0dbbd17826d32ceb8dfa1a65628b3f64924732b475ff9f3e68d3f71608537da0f82b1ad89855de6556e9150635e42ec72587c8d3d06c129

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
b2b895fca3c90ac1dd28cce5ceb6dcc8

SHA1
a0040b9ab94a74b38101d2c8f76bcb1204e283d5

SHA256
b3ed0ccf6a024e10329825afbde239adbc4ae4e615148a65213a347312c2f7f9

SHA512
94c74e09f1944279b84fa73c198fbe5183d7afc933c168529669f925758f5c572ab408cc25862f6f4f21613f2e3959060565a15bc60561f5809943ca7b891e83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
36be5da5db10b88d2b05684c6242a39b

SHA1
eb069f7fb3c44be14b139cd56a429c6302268e47

SHA256
6d8940b408796eeecab52567e30dfa0f8f70eafb1c30dd2e039d4ef595c57711

SHA512
de831049da3211435b916ebe81139396f473891b7cab38e4b20f1f2a87eb25dffe79807a4e976e8a820f6cdea9bc33d4c0e57b581464fbe894bcd6723c686225

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
d318987c1ab2dc40a52f9e731744c17d

SHA1
788e37d166d68d440b252c5dd73a8e66c5780ced

SHA256
a70382247c69f677124dc1b224050d386b18d630aa97d910d57cc1bae6302378

SHA512
fa876130268c67e83ecedc3fdabc7449c7515c1c98dfe9bf21e76c60965dde0e945502287dd3725e10453e5b4e8fb652e752c9f9b8b918de69cf21801dc5128a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3d162b412194f6cd8f72d701ef53fbd7

SHA1
12853409d7b2d352696648384add5706c3b1d615

SHA256
d75767eb98b675eda537bc158ac4acef174dbe3a7edcc4a0ec68c5882f47e0ad

SHA512
e93f92d29263bf1840eb009b94c491d1c97f24b609e4b216cde312b4efe11de279d853cdd41f056de5a123081df9e38efe8a77a87026aa03e034d8fbfe31b98b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e670c13260498606ef217e9f6055357c

SHA1
6ef48993e93fcf1c6552642306159bb8131a922e

SHA256
68c687106a16ab8e104bf237af1273d44437060a01b49c18e357432cd477addb

SHA512
625beb5783a4c9809a1cc84c51142abcbd197cb415d66839f2ac592ea5bfa23827de13a513cf064a0c6ff5c82accd4b07cf24d927f59d810104bd369540bea98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
60622dcdaa6fea08387a6c3c2d5a0c39

SHA1
237e2a5113676fbd4202a1d0a5318ae80f4a7e95

SHA256
aef3bab67994815f32ca8e24b846edd43c0f353795abe0034cc408c7dddf58ac

SHA512
d28630394fe0d75f0fc762fc463ffb170f7c3a11a4bf6a9c59ba7f866e8af55e8f001078bfce59de4313e58bf582d1a318ad2285f3fecb140261b68609419d31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cbad08957f61e3c0f512c3361e9b392e

SHA1
67cf6819d1034416d81205a57b2500f0d6e41f7f

SHA256
939386b68bc7f5bd40d03ed0bf4b44eb3d1bd67a276d354546dad1d47f58e1b5

SHA512
ac55dd37c99daf5a571b5cafe5599f2a047fe82623179f79190751fd06e570edd574bc7c505a019f371560818577faed59c5704bbcf63ee2f0d054e7ade45744

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f5e525155955b17539cf97e61f1aa694

SHA1
3e6cf6fd581df5b0a87c7f213ab2d5012a623d0e

SHA256
c9c60df18f8f8ed1b7f151cc70673481b62466912ed4cf81a60d04bd9b7ab9b7

SHA512
a1acd00ab84118307ac6915afed6b3befc853449c16c3bb66421be2ccc6ae4153d7f1c6ef293e40062188e68f1f5a7bb15fbcff125d63de2a73761031a305d97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e970eedbb59ff3ca826563d78b57ffb1

SHA1
d0737e08da915eec6f347da8b34c3992edf4393e

SHA256
acd7645e9d0951375af517a55a003b5295b0378758467dcc3cf63681d4a884b6

SHA512
127dc997216642d3b6f553e0244e3f59b26874b5041fb43937c499fb58701967334105cd651730a657833a376fc703670c5c63d60a684cc2cbad94ac943edbe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
21a9c91d7b08763f3846117f92b4ea8e

SHA1
5461783101aba739d74821e28ea77ca6f9d0cfd7

SHA256
c01011ee666343d8decd0b3dd8d149c16b3e6cf3a3d348af0781428d63512073

SHA512
b26bbb8ba92650ef02857c1756637c64c133a8e4e644964c5577a1495bac28ccc393d655ec91f938de2cade3bff653eaf4f77e35630f6cc15f3ecc84761b9cad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
81a98915330074c43534457ec48bb9a5

SHA1
54c038e80357b6590a81eeab7bce84f86c7471ae

SHA256
da52a838cb486d567a09cc1607f184a5272be6cefed37e2d959b2a3d10598a05

SHA512
4ec60a0cd32d30acd4b4d771330b9043916e9086d0d7349e4774482268c05f617b9f9bdd05883573622f06cf24cd08fe819db1eaf4abd0af6401e39a21b0f557

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f1ebecdeb5f0fbfdea04ed6b79026231

SHA1
9aa75125d2191b8b1d7516fd517e62628817eb84

SHA256
0b3fe1af56301548765de7a77ca402b18fdab7be3bb7ae7913d3f2e420c952dc

SHA512
af9b27a078e12fb9c762dc55d9065700736a75e09ede5f3f4c8c13e80736f087ac7768aee8ba0f2d2ed6417b912dd578c0c8b7194720296a0ff603d129325add

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b258deb566f66dcf8f97e46d5bb18da0

SHA1
bb9af32603e8742af9f2b0d76327df1c91fc626d

SHA256
ed0b7d41c1d8ab0c2235c820eac8c99ec0c5a0221fa2273b28ead063ca8d2572

SHA512
46738690e43c5415548e91d4b7b2ce92d58c3580a72b860725a6beeb3f1f8aedc39bb066989c74b50ccecfc79eee0056473db432ebb1bbc4eb5727f1e0e4463a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
55a2ad519acc3217d493215c99e0f568

SHA1
6002e50beb7db4d1e3b6bb8ecdab71ae1fbff769

SHA256
5bde8f9493bf16b94bf62eb21f276c761eec6804031aef2af0f44b6ab9d7d879

SHA512
396372b898396a3e70ea58ace2c136ee3788199b8dfb3ed50a45f86c09b56802b40b51d1ca7c4918ee9e86f15c56fbb247decf42841516b083a19c06e80694b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
993b00d9f02e3e02de7777547b5969e2

SHA1
1cf5997ef5936a0ed9670f49984253dec73482d2

SHA256
f85fa26ed34ecbf6808d052eec971becd128669b2434f21f47eac7822643064a

SHA512
08ee6533983987013d7d1e74e28c476f635ce21732d003d3c043ab9dd14b91b28bf8825411e9e892d2db7eae4f569b22753efb5620b306da3be641445f1bd537

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
982d6506e55211f9e0eb1411bee1727f

SHA1
4e3426a50e74ff6f91fd7d820fdd628412d18de9

SHA256
afd5a358234198efd75e300262c49ab7a73d4ba888b15b611ba343e653aa4570

SHA512
c8bb8b43bc6286f71781b124f05c81d83ab2f6c36da743e4a37e38d78547ea7ab89ba525510e5339f5cf8042624dad52666ce0dbb5b08e33738949269ecc35c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b924ea86ee42713a00a1bfb9a1ab3ef9

SHA1
bec8b09f3d5b4144d85e99e45bb0b5f117ee0466

SHA256
68075a482a9a867b5750675dfea1cc0ec30af4658c392877e4692e0a6404c60b

SHA512
c152932aab1fb9b6f37512343c33b265b6b443a24615e8e40104465d655b96c9ecb75aff8fefe1d9e40dab0957bd7180af64d12c1dc946f95dff76cbe21b57d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a0c356a7d30d3d34661eec00780f6582

SHA1
5e69fd3f784854ff4f5dc9bd4b582ebb586896e2

SHA256
4aada65389c169924bc13660afe343b33e04f4fcb7696d7b8989f23d389fcc49

SHA512
977d070fda51ee6c691ea41c743aedf19452efd45329dead49c439c1bdc77e5633bdfd1f0c43f7567f73d584abf76f2977c6b77b6e37ff31aa3b50eab430769b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9ef14e0e90f320c6fd2b30d9d219c3c0

SHA1
16cf45efbe3148de484150b76885d2c9abeb462b

SHA256
e23c26705f9ffedee65c345768cb4ff98ffdd604760e156370e9170f30fe27b8

SHA512
94f16ab2e41a1a91426fa9ce3da05425b8a448e0910989e58662c5c0c8deb5de74f4387c48d937654709f38f6d7474cea6046de50d78591da0ba0ff135d8bcb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9e4a23c2a08eb5220f89ae70ec2e9262

SHA1
5cf556a220ff9afc9335bdeeb811228db9bc46e6

SHA256
c9f73bf465068fcaf75e2dfb3e8e68f9bb7821314b3580242fbf63dc36cb9e1c

SHA512
853eabadd1f9272e331924eaf9577f14fead8bc8c40251f537dce1ab0d7fec0c89f631a8b9cdff24ac0ff786c75b5c6273af5fb04fdcf76fdb3663bb5625a470

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1a2f268565428c1523d77cc7cd5924dc

SHA1
0931bc5e1879a9798ea0817963243f17ba7ab66a

SHA256
b7735872c3a4d78dda42c9a67cff9a51ceeff13160516a9325a6f1d3ed1df085

SHA512
581bf9a2d66a580e58e69e83f20e2c1df85e9e9241411c8af6a2985328dfb85375324cf411c252dc5bb61e98c864ff903a903a634af617d8d82e68212a3a059f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7f6e145712cdd5e3fffd1e297e2b3841

SHA1
dba079bd5bde4e59da265b33cb3b49d19cd15aef

SHA256
9af4cb9f86ecd10d3cc35155621008d5d418523422b42207c7fae84012214d2a

SHA512
9b7167f6784f0599b2845c901f15025e6dbbd43103e6a6e79ea1620a97d030e5dddbb32e7bf2f75ac7bf73701af27bc29ff3dd46e9187f3ead8a1db45ae60860

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
15059e30f6ee065c573685d2cea723ba

SHA1
6fd435ce4d47a348b664aa27b325470b945805a4

SHA256
11232e072129bb115ea5a8f9268199c53faf231974ada7e5d908726cef2e2388

SHA512
1c05551110a30d3331ebd73c6ea981a8f60a3b315a35c59b86a4fec92e93d351cbd278bd309bdef82ade20e52891563e5d4e18c7dbba18c8e300b8cd7e9d17f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
239KB

MD5
a0d22a11978681508c7d09da413ecd20

SHA1
3fd215b4cc6dd2e55809e808b8b7b5c535efa54a

SHA256
e928141357d9bb6bad54410d51a7a3e6dd463f67483bab96a28bffed1343437d

SHA512
8168b81afdf778d28cb6955cb10712651ca3a60003a0411bd2ce8e1ba56b4bab5a2a6218ad1976e6787138b8940d3d511882ffba82eaf89a438701637b8c050f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
239KB

MD5
f55e7cd83b6872bd9f1a489c489f95da

SHA1
98fd3952502581bc2371fec314c63d9e96e8a10c

SHA256
70d20a28802324d8dc9e35866f498421d532d0cc955d0f0b643efe36738dacba

SHA512
46ebced2e9174ab442a8a621577cdd3243e053acfabc123b6a7858408382fc412808f0766f5ebf082deda29e072436a1b5ae9f04377791f489e48a6895993b2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
2d1ce7d816c214eef4e5f53ccba62216

SHA1
93bf06d7bab194b553e0dda79959c1b9004c2b4c

SHA256
c7598f0ada8bc58448391acbe5951b047269c06779c90d9b80540072fb08dcd3

SHA512
19dd21762da6b313a2040f0c746bf7be7165630d806364e2f07441874e09fb35ecfc8f57b441bbfe03012d63065e24a4ac14da4cd8e6ed19720009d0e3caba6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
106KB

MD5
524e9c4a3b4653877b4a7088b0444c31

SHA1
cc5869b09b7021c19440726a75ae194342d972ad

SHA256
ac9f4533043508d49fd82b31894f415415f53544f1d6d1602538f1322553020b

SHA512
3c27716a42f21c204cf4f227c8a04d3dc7dbc6ec191c840ae0e83bd77357de91d94db3f87f13aa93845712e37cf9c870d86cbbff8856e3290f3c6f9d8677774c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5ae139.TMP

Filesize
97KB

MD5
6b7ded14739367509bc82923b8c077ef

SHA1
cdec8e78478ea7853e1c09327ef4cf9bea7f1a8b

SHA256
de67727aa4b47ac2b8c396326471fe173ed7e0c297128222bd5b7a4a3860fa54

SHA512
46bcab46c51d02641fcfac12472f1ddd2d4f2ae7a27188b3421c8998ce30a12d55f7012d5401ed1c63684333bcb5f7faa897917e6b30605d48b4fec3e70a6fce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\del.bat

Filesize
92B

MD5
ec326bbb3bccbdc24ecbca52d7727227

SHA1
6d230c114148c2c62d1ee91fcf6b9575194ebea2

SHA256
e430f2a59f3cdd5474ecbe58a9d3a2414813e84f3124ecbd4d9180802e7cc57a

SHA512
59768d77a6360d2bb7f161ccc747635516ee374fd158ddd6163802559cf02bd6843087f04c26f3471ba8472f8b2219564b6e998f705770105672db86747e5525

Download Submit
C:\Users\Admin\AppData\Local\system.exe

Filesize
315KB

MD5
9f8bc96c96d43ecb69f883388d228754

SHA1
61ed25a706afa2f6684bb4d64f69c5fb29d20953

SHA256
7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5

SHA512
550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

Download Submit
C:\Users\Admin\Downloads\7ev3n.zip

Filesize
139KB

MD5
c6f3d62c4fb57212172d358231e027bc

SHA1
11276d7a49093a51f04667975e718bb15bc1289b

SHA256
ea60123ec363610c8cfcd0ad5f0ab2832934af69a3c715020a09e6d907691d4c

SHA512
0f58acac541e6dece45949f4bee300e5bbb15ff1e60defe6b854ff4fb57579b18718b313bce425999d3f24319cfb3034cd05ebff0ecbd4c55ce42c7f59169b44

Download Submit
C:\Users\Admin\Downloads\README.md

Filesize
3KB

MD5
2f0c9dd2a112bf13385a1f57bd284d39

SHA1
83de7791dd6d930cd698edfd7c04f799148c4241

SHA256
cfcb7cd126178d5a18862d3a29640b4d903d58aa74b2892fe3eaec452442dcd0

SHA512
c980ceb58c593484c172f10fc3b9da6ed45e2a4b7d928f47c3c7e4b8965959d9f459d15bc71575ab9f822ea03dbc779d0dde4f4806080cc804600c60fe011f97

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads