asyncrat | hxxp://94[.]156[.]69[.]35[:]222

Resubmissions

07-03-2024 11:55

240307-n3vzcaae56 10

07-03-2024 08:02

240307-jw8jmsfc87 10

Analysis

max time kernel
1202s
max time network
1206s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://94.156.69.35:222

Score

10^/10

asyncrat zgrat new msy rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

New MSY

windows11.loseyourip.com:6606

windows11.loseyourip.com:7707

windows11.loseyourip.com:8808

windows11.loseyourip.com:4747

Mutex

AsyncMutex_6SI8OkPnl

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3244-457-0x000001A773510000-0x000001A773562000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in System32 directory 4 IoCs

Processes:

PowerShell.exePowerShell.exemmc.exemmc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3244 set thread context of 4520	3244	powershell.exe	aspnet_compiler.exe
PID 3752 set thread context of 4508	3752	powershell.exe	aspnet_compiler.exe
PID 1556 set thread context of 5660	1556	powershell.exe	aspnet_compiler.exe
PID 332 set thread context of 1804	332	powershell.exe	aspnet_compiler.exe
PID 3784 set thread context of 4580	3784	powershell.exe	aspnet_compiler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133542868802757113"	chrome.exe

Modifies registry class 64 IoCs

Processes:

chrome.exeOpenWith.exechrome.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 7c003100000000005a58d87b11005075626c69630000660009000400efbe874fdb49675817612e000000f80500000000010000000000000000003c0000000000e5252a005000750062006c0069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003600000016000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "2"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	chrome.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENotepad.exe

pid process

5644 NOTEPAD.EXE
224 Notepad.exe

pid	process
5644	NOTEPAD.EXE
224	Notepad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exepowershell.exechrome.exePowerShell.exePowerShell.exetaskmgr.exepowershell.exe

pid	process
3420	chrome.exe
3420	chrome.exe
5824	powershell.exe
5824	powershell.exe
5824	powershell.exe
5300	chrome.exe
5300	chrome.exe
1556	PowerShell.exe
1556	PowerShell.exe
1556	PowerShell.exe
5516	PowerShell.exe
5516	PowerShell.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
4808	powershell.exe
4808	powershell.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

chrome.exeOpenWith.exetaskmgr.exemmc.exe

pid process

5392 chrome.exe
5736 OpenWith.exe
5584 taskmgr.exe
5792 mmc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3420 chrome.exe
3420 chrome.exe
3420 chrome.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

mmc.exe

pid process

5792 mmc.exe

pid	process
5792	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

chrome.exeOpenWith.exemmc.exemmc.exe

pid	process
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5736	OpenWith.exe
5736	OpenWith.exe
5736	OpenWith.exe
5736	OpenWith.exe
5736	OpenWith.exe
5736	OpenWith.exe
5736	OpenWith.exe
5736	OpenWith.exe
5736	OpenWith.exe
5736	OpenWith.exe
5736	OpenWith.exe
5736	OpenWith.exe
5736	OpenWith.exe
5736	OpenWith.exe
5736	OpenWith.exe
5736	OpenWith.exe
5736	OpenWith.exe
5736	OpenWith.exe
5736	OpenWith.exe
5736	OpenWith.exe
5736	OpenWith.exe
2164	mmc.exe
2164	mmc.exe
5792	mmc.exe
5792	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3420 wrote to memory of 4376	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 4376	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 968	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 208	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 208	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 1748	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 1748	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 1748	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 1748	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 1748	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 1748	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 1748	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 1748	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 1748	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 1748	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 1748	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 1748	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 1748	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 1748	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 1748	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 1748	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 1748	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 1748	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 1748	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 1748	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 1748	3420	chrome.exe	chrome.exe
PID 3420 wrote to memory of 1748	3420	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://94.156.69.35:222
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa48649758,0x7ffa48649768,0x7ffa48649778
2⤵
PID:4376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1640,i,1785805597499224736,1835790206078005831,131072 /prefetch:2
2⤵
PID:968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1640,i,1785805597499224736,1835790206078005831,131072 /prefetch:8
2⤵
PID:208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1640,i,1785805597499224736,1835790206078005831,131072 /prefetch:8
2⤵
PID:1748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1640,i,1785805597499224736,1835790206078005831,131072 /prefetch:1
2⤵
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1640,i,1785805597499224736,1835790206078005831,131072 /prefetch:1
2⤵
PID:3360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1640,i,1785805597499224736,1835790206078005831,131072 /prefetch:8
2⤵
PID:3944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 --field-trial-handle=1640,i,1785805597499224736,1835790206078005831,131072 /prefetch:8
2⤵
PID:4888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=980 --field-trial-handle=1640,i,1785805597499224736,1835790206078005831,131072 /prefetch:1
2⤵
PID:4660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4856 --field-trial-handle=1640,i,1785805597499224736,1835790206078005831,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1640,i,1785805597499224736,1835790206078005831,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1640,i,1785805597499224736,1835790206078005831,131072 /prefetch:8
2⤵
PID:5772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1760 --field-trial-handle=1640,i,1785805597499224736,1835790206078005831,131072 /prefetch:8
2⤵
PID:5812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=1640,i,1785805597499224736,1835790206078005831,131072 /prefetch:8
2⤵
PID:3928

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4820

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Public\jj'
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1556

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\jj\basta.js"
1⤵
PID:5300

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\jj\basta.js"
1⤵
PID:5852

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5736

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\jj\Data.json
2⤵
- Opens file in notepad (likely ransom note)
PID:5644

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Public\ben'
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:5516

C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" .\basta.js
2⤵
PID:6080

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2164

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:5584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Public\ben'
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\ben\run.bat""
2⤵
PID:1372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\run.ps1"
3⤵
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\ben\node.bat""
2⤵
PID:4896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\Users\Public\app.js'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('BTime', $ta, 6, $null, $null, 3);"
3⤵
PID:5144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\in.ps1"
3⤵
PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\ben\node.bat" -file"
2⤵
PID:2500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\Users\Public\app.js'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('BTime', $ta, 6, $null, $null, 3);"
3⤵
PID:2628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\in.ps1"
3⤵
PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\ben\run.bat""
2⤵
PID:5412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\run.ps1"
3⤵
- Suspicious use of SetThreadContext
PID:3244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:4520

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\app.js"
1⤵
PID:5748

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:5792

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\app.js"
1⤵
- Checks computer location settings
PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\run.bat" C:\Users\Public\"
2⤵
PID:1580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\run.ps1"
3⤵
- Suspicious use of SetThreadContext
PID:3752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:4508

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\app.js"
1⤵
- Checks computer location settings
PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\run.bat" C:\Users\Public\"
2⤵
PID:2096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\run.ps1"
3⤵
- Suspicious use of SetThreadContext
PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:5660

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Public\app.js
1⤵
- Opens file in notepad (likely ransom note)
PID:224

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\app.js"
1⤵
- Checks computer location settings
PID:792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\run.bat" C:\Users\Public\"
2⤵
PID:3828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\run.ps1"
3⤵
- Suspicious use of SetThreadContext
PID:332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:1804

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\app.js"
1⤵
- Checks computer location settings
PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\run.bat" C:\Users\Public\"
2⤵
PID:4248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\run.ps1"
3⤵
- Suspicious use of SetThreadContext
PID:3784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:4580

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
f824b7acc87f0349855152b14de07660

SHA1
e90b031b1f86510e85356f72747e5f5e90c1bdeb

SHA256
8f069a85bc4d095200f64cd3c37d22fe59959dbd876160f1656e934234ccaf62

SHA512
db9d208884c5fec3f2bc58646c94b38811b1455b392b1415f49ca8f982de77e06fd78652bd6120d353f6f01066a99bc7d8f61111b96b446025044e3610a5badf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
0fa055db64a126cbf1638190f65e824b

SHA1
91577618a4d354f0fc5cf8a78e104c81dfe569f7

SHA256
fe853efcd13a9f20b142b75d22c68fcbe836a7888decbffc8e0fb9751ec2969f

SHA512
291288f61f1f08864f05634aa9836fd0dbab5cc31045a815f7baa30ab6c96e051c336288328e537f044ced29a81a0b46d8e6be4b9877497c89ce52f8e15002b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
08b82418923bcc6178ee7c0919be8da6

SHA1
4fecade0cfa3c114b4e84e9b81cae8f0e475a143

SHA256
605dafb86d8ddd42a7d0d8806c4f548944642448b96adf7bc4a228e64e3f5703

SHA512
5a248f7dd7f88325a02a0646a22c16df6d18a2323cb797ef71bc383ecd57e8afd6a7dafe2a643049430d1ba414c53a47c19f4caf5e9506b83a7c99adf8f54bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
10ba9e509d354ba11d0093e8454aa6c7

SHA1
56590df0b3ff701d067f6c7c4b09d845cdb98324

SHA256
8735446a990f42a21b8ba084f8393a3eb38ae99a76f5fd7ef710d1f997284450

SHA512
43ff898ca7d79e25c1a29bb209ba81402f7c106ca520e1f523f6a568b318b187cbcb1d350421be6768e02b80ff3651435cda15fdb748b2e61c8b383508b377ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
ef024fcf019148e04ccc405c15024e74

SHA1
6122375132b922d571ac4e73650d662265558ae5

SHA256
db6fc89d834c9bc319999d9edc737ca39bdd5f5593526bc6bc3153c9ee9ff42f

SHA512
103f456e04d251967956d7788e1be914bbbd22b6bb094488c27821e237fb52870325ccf1a0071cacfac34049b8da62308313805cb390b803c6c419f0710002c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
d9839530dd531f21351d998cfaf38bb4

SHA1
9e0cb38ebb8c7f54cb2071d040463f7324a81c7b

SHA256
f16cb09cd6d5e1ca34f9e961b1e9428c02d66987674b8f1b1405f9d8651c1164

SHA512
21b795d326f7c4a0110e82860312bf433a987346cd64da0a1fc1d7b69f9d0fbbdd0164e6222705ac34e012494d9c2f2692258f66b4e1d6a229019f4c4fd1433c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
da15ecb4ef46331822f94231d1167087

SHA1
cc042ac0d2714b4928d7672286b460ba313beef0

SHA256
a21653cbf72e99f42b6720339f430df858f905c4ca8d1e32370e2d700723fea2

SHA512
9dc9ab0982f0ef8a2c38523667a495afcf8e265004f2214e6a569d1d61f84032716ff0826ef3461e551edc323d13ed7ea9b0b1e7b928fa005bf3b4c64e68f2f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
7e946381d6b159c16bed14dc87cac232

SHA1
9f456fd30bea9f092139afabf02b8dab7fbc9741

SHA256
412121b51288d344f6341060d1e0d6ebff2376e8ac2a010532c3b8686163fe68

SHA512
b148515306bfb1c80526d8d95e68650b056cf02755996657a2ffed9d45ed01d9a7cd5bfd87725cc0cd876794feb933b51d42270628389e047cefddc8474f56f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
2426ceda9dd25f720f21148c796f94aa

SHA1
2411cc06c48c7eb21418801b142c6e9027e7dca4

SHA256
fb98ba6964cd3ebe0692f576a240a864a2a17051e560d76b49350864fa1cd4ab

SHA512
430630ecf695501b376ba552e63d15430d620322d6d13fd432cc69e3bb47304adfdbbe166feb0accd07692fa8f7997160b28d070b55e484b8e8dc8af972ef291

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f40c9ada-0c6f-4bd6-a33e-3f02687c340e.tmp
Filesize
6KB

MD5
27c4ba75278401daa8db91e279a2332a

SHA1
5fad82a7a3bfd66293fe8c843a2b507e31424084

SHA256
01280aa9839d575b99c9979215c319d28148f759bb2527a08836d85eff3c1330

SHA512
fdefdfe4b7aa26ff80ff04f68c54a6585f9fee1347f23217ed8b215a4b97368cd9b7330d1197b30dfdd7f8ef2004091503843fba59204734cbeea6c1640bccd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
0b020e9f03ca3cd0fbe4d1d35e607fce

SHA1
eed848415edcbd88208843ad5fa03a5986cce87d

SHA256
b6fd7dfc5694ca84ef9e6ccfe555951e6824d3c086f5364d59e66ddb7909e221

SHA512
56966a3a77a28b4c998a94af212e4cd266ea5a3c73dab5b1542d250c0cbec52ed0c48680bae10840c595adacd58218d5ad5e25accfcc19da348c7ddf9bc01508

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
0f5d3e9fd6b3559c2833a4384eec3183

SHA1
e906478c53fd5289604ab01b0438c0af31a1da90

SHA256
257b2324dfd840bf8c90d7030ccdb237314690f4c7f22da346150bfebcbe8e9d

SHA512
064c88ff32934d3076c1078d4b44c131fa1fb3f706630c314c429a000e1cebaef46cc44ebf1e16c893f39cb43924cf7c01d7684dc964d7f3807f3b4d094bae57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
9f00fe3f5a8b8bc239d7c5094a27fe02

SHA1
d6da317d6d3d98cabfe2b49aef7c40210d243132

SHA256
f8c9e9f8d8132c3575225d1130e830c609ec8e2af682d6c34a890d2506b5a28e

SHA512
00913c483d474d98b8826c735cc3e7fdf4190a4e82811b5f5ce4bc649fe803f6e3d3ee8933c40a39e9be55bd7bd3f02f01b5146072f35af996ccc3744b693c8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
107KB

MD5
4aa2cbc4272f26d8b4ae80adfbae23a6

SHA1
a1f05f033992f2b5d17268380c04f9ab0f137f44

SHA256
b1fb68645fcd01fba9e6b749af2fb88c9aec10ba804f2aeebcec5ffc4eec0d05

SHA512
ac403265a8d639231aac1993c97adcca1bd9b4e238d095422caa52c05e423d8cdb2dfb143715e94b1e8359475808a317cdbe2fc1ef66d5b5803ec111e906598d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59f795.TMP
Filesize
97KB

MD5
2ded291aa57540eff3ba251be0e723aa

SHA1
988bd7022af0e4b001f76ff982f2d203af1f226a

SHA256
19a0117299765e8ee3724a2f494d43aaf6c43a8e128c94cd0eded12e552c0a1c

SHA512
fb91e5baa8dfae7c55ca948af84ee0265f86dfb8230bd89ae5d1999c717fca6af3c8ce6fc50274c854123f5ee024acbbfb7058921f99f7174ef83b7a4bdc03a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
9dc74c95e47db5a5784fcc871216adf3

SHA1
6d5bad403acfd83319b9afb359b9ccd2b7f93912

SHA256
d3179603850b286dd24a4dbf2d02dbe7eae73e5cf697ffbe8571c509a5bd1028

SHA512
c7110dcbedf5ba723aa2958ce4d22acb6a055a39210ba391de41d47f6d5f63fb9a3400d9c8208a164a6fc205b1d71c67d4e4f51d8b2bc5627a375e1229da36dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
45c6b2621d499adcfc12b5c20a694ede

SHA1
393ef86a5d89b034882a36bdc621cf2943a40a3c

SHA256
41a0a314e19bd8f9885e052aef07a6158558a879568d8c247fbd25f4ae3d4c16

SHA512
2e8d381e827a9e119c68ea944584b79e3279874fcc427729f6bcf42315545b591045c395bd82ac7cb8eb791e5c6787ef0c29c12730913edc5a5b9f4fdab1378c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
b61f243e8d2b9d4e88dcbcb3d90376ba

SHA1
a7ca56ff65fa7fdc0d253e57e4c3d67c9f0c898c

SHA256
3f6a8d47ee94835ac169fa6eed9bcc0cad193e2e8fed4562a21189e1352beb7f

SHA512
e4c6ef0b2838f1645efcb07f855d794b1d80d574202de483def3812e0d607a374ba781aee28b995bc4e4c61875ccbfffcdc3d22986f7035a623130fbf878dcea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
496B

MD5
fa060586114872685ca5609958a4d4e2

SHA1
e99f89f02b15d57a0e1ecb4465f6ae845dc84904

SHA256
b1bcb919273d9713d3ebfbfe923a0de929f169b09d66bbacae6b4f29b063469f

SHA512
bc4e27f648a87c5349afd8f3101ccf0f4b40c4cb2a5591429ca1565517b44c54dac48147a29c6586e9330247013bbe668c3f426b2ccf2c9a4e961cf7d3463ceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
3KB

MD5
ac25a60ff8f8f056f48f85b3d46a54b8

SHA1
74e5261297da8b8d782e3f4d18baf9443755d9ef

SHA256
319607b15e617ae1b1f55077412accae2c6b7932ab96469ba96dd0233ec2e763

SHA512
86ddc947b7f0a89f58b289c099c4550cdb68786371df259504466530b64004e63e5969f215c0d9227a2ff29017cf00394ce341b0fc4152377e8d15b1f8cadf49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
3KB

MD5
0fbd0edae0b9012453be5f14e98d0df2

SHA1
f56ccb100e7aa6c594bbf357f2674ab17fb6f8a8

SHA256
c3f2e46dfc688b263c9bc51ff9119039a13762624d897bb5ac876346a9242e13

SHA512
367a0b3084afde22dcb8ebd76845afba7d0672cfed9328df3a357a24b17d25f27bdc74a2f52e08e363ffd47d9579f3e5312dfe94c153a75cb6c0f6b80501f501

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9ee417843fde14bb245c6b0fddffd273

SHA1
a3e74b05182afe8eafe4ea4dd384cffc72039041

SHA256
7155f1e8126de0d7016ca239dbfe49a9a25ac6feca78d2f3a23df6b65bc899d0

SHA512
2ae0366d95c6a6dc154c6f0f16d1c6be21b453f3c328649416a1a4455d34264579c9fadf182d42056297ef330f1cfd9ff95392a72ca66832659f2912af5abb9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0b307f78eabd902eaa2188cf2d1fd26d

SHA1
4ced502a554cec782976e9d0f9e0b5af5fbb480a

SHA256
4bdd29130a919c8a4e0f349e96f68684f9c6d2931b9e88135ef6cd339cb27e92

SHA512
f2c0d8be80d3028816073fe239df4dd91d9566e11c557835fb78d4fe85231645bd9e6edbaf556e72593492d0a87c477094c1f30f9815ef579832c8baec738565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0f95ce69fe811961f25b4f335208412b

SHA1
d2996e92a813dc6ecbabb9f00f163a7c79eb6578

SHA256
58f7d2d7d84ef5d476f1b5bf20bcca001991942b7d72d0fabd0027845d470910

SHA512
8e4a2149e873164657c7827eb08a20a02b05fc436e3be10b0408400bf9ef0a17f9e5cd8b6e6db70d2bfc0993690906212be644a25adfb25796286d8b62e3f91e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1ff0a441a0ffe8c7b1c308d880913442

SHA1
341a9c2c230b1ef3c50dbc342eba6b0d6bfa3127

SHA256
5ce1aace5e9762c7c03488997c6b7aaebd591401fed42939d7848429ec6970eb

SHA512
35b2991c44ee334033de97f6eb6f17a9f52552a10a994a7e98ea94e11b84db8f2cf3c7f9c9570be80a144b74939f4aa9561bdea941e2812d160bcbd20319b34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sgjf1abr.lpn.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Filesize
34B

MD5
2799c3ec584bb525147d318b994d76e2

SHA1
dbc8cd17061a50c9ca90b3c10810b52a7fd8d058

SHA256
f7a7c8de6b80045ff05e272719b6fbe50f5c9c77972f28ebc124951fa38ce8ed

SHA512
1809c990e261a4803a5b571bd59f6179a5d9b85d2c0ad8e9ab1ed87176ef66a3299743fbca22ebac17a28c130fb8c42ce0cc9ec59f0b3f95e3ed03bce87c44f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Filesize
58B

MD5
ba71e1b46f5c9a5f1f6d8e9daaf1c8b3

SHA1
9c781726e14ce6c3aa087168a7c63e8c8469b614

SHA256
846d09daddaa6328ca30b3d418b08f825200e7bcf1c6c19caa236bbfe9c92205

SHA512
2e8689c0c92bc451debd4d5b96e7dff700d0bc4de3fb0d76c640d8237704e081d62eb86644b6020d9e8519433f18719c30986552480f0a9bc2bd49335d9bf0db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
6KB

MD5
ee2ebb48ad41bad34ce8cdccd711ec5a

SHA1
d78f88c052e94818b32b14e7dc7e9ac0e19c628c

SHA256
5dc808dce8a49ece91d3bda7c075cee23928a554b06993877b1d918b7b3fe0a2

SHA512
a5ea7c5cb53cc275d14b8d0d8b189ccb667e5fc78a2e521fdb5c4f997641b3d2e7212d36bf4743950f0ada30dd91531550f35449a37d37c371c9350571451057

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
6KB

MD5
b998f245b72bb5d57ecf32f19a841b48

SHA1
348b139a7b49930f76a98695c7c5392e88620a37

SHA256
4dfe5d1ccf7f7aa00f97f7c491093549003ddedcedf8d2b8389ed6ba7d3fad2d

SHA512
ccb585403b8fc3b67d3b684458ffb815a1911b3f161ad50f9132f58f29a8ab7e84627d53497618e26b1499117ccdee05487f614e316a69bd2660a12daafc3797

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
5KB

MD5
a64d50f2ebd4641916c990bdea34978f

SHA1
2b5dcd01745b7cdb058945ce353ae8eabfd8233a

SHA256
eba785e31cfd2fd244b283ad983ae7940974dadb1f46b02134240100a98e9f4d

SHA512
f1930a05406a9edbae138bd0cf00ce0e2af83e8a062e357dcef6941deb1b76fb667d3cfa1a09185244b5bd6464043763f35bad139d26da109f1926f656fbd59d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
5KB

MD5
c605723c8ce076a11d5e1ff1c872ee2d

SHA1
de462c4398c88a878e72cb3818cbc83feb211a0c

SHA256
ba3bf220ed8faaeb33e6fd15b82806c06114850fb7e2044e78fc291c92c48553

SHA512
83c24d507ea83973bb8fec60e977199883a00ce43b497515340a2aafbe62198519c17b7dafa1b625a6de1837059987190a341da6505d6c97d5782cd278f4f8c6

Download Submit
\??\pipe\crashpad_3420_HVZIONIWSOTZXDPC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1556-181-0x000002CCB1DF0000-0x000002CCB1E00000-memory.dmp

Filesize
64KB

Download
memory/1556-184-0x00007FFA32B60000-0x00007FFA33621000-memory.dmp

Filesize
10.8MB

Download
memory/1556-180-0x000002CCB1DF0000-0x000002CCB1E00000-memory.dmp

Filesize
64KB

Download
memory/1556-179-0x00007FFA32B60000-0x00007FFA33621000-memory.dmp

Filesize
10.8MB

Download
memory/1992-385-0x00007FFA38380000-0x00007FFA38E41000-memory.dmp

Filesize
10.8MB

Download
memory/1992-381-0x00007FFA38380000-0x00007FFA38E41000-memory.dmp

Filesize
10.8MB

Download
memory/1992-382-0x00000263DE9A0000-0x00000263DE9B0000-memory.dmp

Filesize
64KB

Download
memory/1992-384-0x00000263DE9A0000-0x00000263DE9B0000-memory.dmp

Filesize
64KB

Download
memory/2140-415-0x00007FFA38380000-0x00007FFA38E41000-memory.dmp

Filesize
10.8MB

Download
memory/2140-412-0x000001F6EB960000-0x000001F6EB970000-memory.dmp

Filesize
64KB

Download
memory/2140-411-0x00007FFA38380000-0x00007FFA38E41000-memory.dmp

Filesize
10.8MB

Download
memory/2164-320-0x000000001D590000-0x000000001D5A0000-memory.dmp

Filesize
64KB

Download
memory/2164-324-0x000000001EF60000-0x000000001F060000-memory.dmp

Filesize
1024KB

Download
memory/2164-339-0x000000001D590000-0x000000001D5A0000-memory.dmp

Filesize
64KB

Download
memory/2164-340-0x000000001D590000-0x000000001D5A0000-memory.dmp

Filesize
64KB

Download
memory/2164-317-0x00007FFA38380000-0x00007FFA38E41000-memory.dmp

Filesize
10.8MB

Download
memory/2164-318-0x000000001D590000-0x000000001D5A0000-memory.dmp

Filesize
64KB

Download
memory/2164-319-0x000000001D590000-0x000000001D5A0000-memory.dmp

Filesize
64KB

Download
memory/2164-345-0x000000001EF60000-0x000000001F060000-memory.dmp

Filesize
1024KB

Download
memory/2164-321-0x000000001D590000-0x000000001D5A0000-memory.dmp

Filesize
64KB

Download
memory/2164-322-0x000000001D590000-0x000000001D5A0000-memory.dmp

Filesize
64KB

Download
memory/2164-323-0x00007FFA38380000-0x00007FFA38E41000-memory.dmp

Filesize
10.8MB

Download
memory/2164-338-0x000000001D590000-0x000000001D5A0000-memory.dmp

Filesize
64KB

Download
memory/2164-344-0x000000001D590000-0x000000001D5A0000-memory.dmp

Filesize
64KB

Download
memory/2164-341-0x000000001D590000-0x000000001D5A0000-memory.dmp

Filesize
64KB

Download
memory/2164-343-0x000000001D590000-0x000000001D5A0000-memory.dmp

Filesize
64KB

Download
memory/2164-342-0x000000001D590000-0x000000001D5A0000-memory.dmp

Filesize
64KB

Download
memory/2628-429-0x00007FFA38380000-0x00007FFA38E41000-memory.dmp

Filesize
10.8MB

Download
memory/2628-427-0x00007FFA38380000-0x00007FFA38E41000-memory.dmp

Filesize
10.8MB

Download
memory/3244-457-0x000001A773510000-0x000001A773562000-memory.dmp

Filesize
328KB

Download
memory/3244-455-0x000001A773060000-0x000001A773070000-memory.dmp

Filesize
64KB

Download
memory/3244-454-0x00007FFA38380000-0x00007FFA38E41000-memory.dmp

Filesize
10.8MB

Download
memory/3244-460-0x00007FFA38380000-0x00007FFA38E41000-memory.dmp

Filesize
10.8MB

Download
memory/3984-430-0x00007FFA38380000-0x00007FFA38E41000-memory.dmp

Filesize
10.8MB

Download
memory/3984-431-0x00000243648C0000-0x00000243648D0000-memory.dmp

Filesize
64KB

Download
memory/3984-443-0x00007FFA38380000-0x00007FFA38E41000-memory.dmp

Filesize
10.8MB

Download
memory/4520-458-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4520-461-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/4808-365-0x000001DB727A0000-0x000001DB727B0000-memory.dmp

Filesize
64KB

Download
memory/4808-364-0x000001DB727A0000-0x000001DB727B0000-memory.dmp

Filesize
64KB

Download
memory/4808-368-0x00007FFA38380000-0x00007FFA38E41000-memory.dmp

Filesize
10.8MB

Download
memory/4808-363-0x00007FFA38380000-0x00007FFA38E41000-memory.dmp

Filesize
10.8MB

Download
memory/5144-398-0x000002C0FF580000-0x000002C0FF590000-memory.dmp

Filesize
64KB

Download
memory/5144-397-0x00007FFA38380000-0x00007FFA38E41000-memory.dmp

Filesize
10.8MB

Download
memory/5144-401-0x00007FFA38380000-0x00007FFA38E41000-memory.dmp

Filesize
10.8MB

Download
memory/5516-208-0x0000021D45640000-0x0000021D45650000-memory.dmp

Filesize
64KB

Download
memory/5516-206-0x0000021D45640000-0x0000021D45650000-memory.dmp

Filesize
64KB

Download
memory/5516-227-0x00007FFA338B0000-0x00007FFA34371000-memory.dmp

Filesize
10.8MB

Download
memory/5516-196-0x0000021D45640000-0x0000021D45650000-memory.dmp

Filesize
64KB

Download
memory/5516-195-0x00007FFA338B0000-0x00007FFA34371000-memory.dmp

Filesize
10.8MB

Download
memory/5516-214-0x0000021D45640000-0x0000021D45650000-memory.dmp

Filesize
64KB

Download
memory/5516-215-0x0000021D45640000-0x0000021D45650000-memory.dmp

Filesize
64KB

Download
memory/5516-211-0x0000021D45C00000-0x0000021D45C1E000-memory.dmp

Filesize
120KB

Download
memory/5516-213-0x00007FFA338B0000-0x00007FFA34371000-memory.dmp

Filesize
10.8MB

Download
memory/5584-331-0x0000021550940000-0x0000021550941000-memory.dmp

Filesize
4KB

Download
memory/5584-333-0x0000021550940000-0x0000021550941000-memory.dmp

Filesize
4KB

Download
memory/5584-325-0x0000021550940000-0x0000021550941000-memory.dmp

Filesize
4KB

Download
memory/5584-326-0x0000021550940000-0x0000021550941000-memory.dmp

Filesize
4KB

Download
memory/5584-327-0x0000021550940000-0x0000021550941000-memory.dmp

Filesize
4KB

Download
memory/5584-332-0x0000021550940000-0x0000021550941000-memory.dmp

Filesize
4KB

Download
memory/5584-334-0x0000021550940000-0x0000021550941000-memory.dmp

Filesize
4KB

Download
memory/5584-336-0x0000021550940000-0x0000021550941000-memory.dmp

Filesize
4KB

Download
memory/5584-337-0x0000021550940000-0x0000021550941000-memory.dmp

Filesize
4KB

Download
memory/5584-335-0x0000021550940000-0x0000021550941000-memory.dmp

Filesize
4KB

Download
memory/5824-188-0x00007FFA32B60000-0x00007FFA33621000-memory.dmp

Filesize
10.8MB

Download
memory/5824-98-0x00000132EAD00000-0x00000132EAD10000-memory.dmp

Filesize
64KB

Download
memory/5824-99-0x00000132EAD00000-0x00000132EAD10000-memory.dmp

Filesize
64KB

Download
memory/5824-93-0x00000132EB300000-0x00000132EB376000-memory.dmp

Filesize
472KB

Download
memory/5824-96-0x00007FFA32B60000-0x00007FFA33621000-memory.dmp

Filesize
10.8MB

Download
memory/5824-97-0x00000132EAD00000-0x00000132EAD10000-memory.dmp

Filesize
64KB

Download
memory/5824-92-0x00000132EB230000-0x00000132EB274000-memory.dmp

Filesize
272KB

Download
memory/5824-91-0x00000132EAD00000-0x00000132EAD10000-memory.dmp

Filesize
64KB

Download
memory/5824-90-0x00000132EAD00000-0x00000132EAD10000-memory.dmp

Filesize
64KB

Download
memory/5824-89-0x00007FFA32B60000-0x00007FFA33621000-memory.dmp

Filesize
10.8MB

Download
memory/5824-88-0x00000132EACA0000-0x00000132EACC2000-memory.dmp

Filesize
136KB

Download