49dde0850864be9fab68a21d89d2bea3bd681663c5fe04edd9b8b7f8f69011e9

Analysis

max time kernel
609s
max time network
628s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13-04-2024 12:35

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

dctroll.txt
Size

23B
MD5

e20921a175a773a7c0c4417c5e4ded0f
SHA1

6bbe9628db2772a11cc7a6f51cca8a8d65dc6c96
SHA256

49dde0850864be9fab68a21d89d2bea3bd681663c5fe04edd9b8b7f8f69011e9
SHA512

e78674458084635846eab87e869b36e8b564671424ae8201d560a77738683c9284f84a1d6bbdd6ad14999742754e59c064ada32b673c884d0c3a1997115406cc

Score

10^/10

agilenet evasion ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

eulascr.exeeulascr.exe

pid process

1760 eulascr.exe
4180 eulascr.exe
Loads dropped DLL 2 IoCs

Processes:

eulascr.exeeulascr.exe

pid process

1760 eulascr.exe
4180 eulascr.exe

pid	process
1760	eulascr.exe
4180	eulascr.exe

pid	process
1760	eulascr.exe
4180	eulascr.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\A064.tmp\eulascr.exe	agile_net
behavioral1/memory/1760-372-0x0000000000B60000-0x0000000000B8A000-memory.dmp	agile_net

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

000.exe

description	ioc	process
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\Y:	000.exe
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\O:	000.exe
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\G:	000.exe
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\Z:	000.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\X:	000.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
ransomware

Defacement
T1491

Modify Registry
T1112

Processes:

000.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000\Control Panel\Desktop\Wallpaper 000.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000\Control Panel\Desktop\Wallpaper	000.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2272 taskkill.exe
4196 taskkill.exe

pid	process
2272	taskkill.exe
4196	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133574857174445412"	chrome.exe

Modifies registry class 2 IoCs

Processes:

000.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe
Key created	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

508 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exeeulascr.exeeulascr.exechrome.exe

pid process

2060 chrome.exe
2060 chrome.exe
1760 eulascr.exe
4180 eulascr.exe
2956 chrome.exe
2956 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

2060 chrome.exe
2060 chrome.exe
2060 chrome.exe
2060 chrome.exe
2060 chrome.exe
2060 chrome.exe

pid	process
508	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

MrsMajor3.0.exeMrsMajor3.0.exe000.exe

pid process

1276 MrsMajor3.0.exe
4124 MrsMajor3.0.exe
4616 000.exe
4616 000.exe

pid	process
1276	MrsMajor3.0.exe
4124	MrsMajor3.0.exe
4616	000.exe
4616	000.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2060 wrote to memory of 364	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 364	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 3028	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 832	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 832	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 4500	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 4500	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 4500	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 4500	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 4500	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 4500	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 4500	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 4500	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 4500	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 4500	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 4500	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 4500	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 4500	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 4500	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 4500	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 4500	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 4500	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 4500	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 4500	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 4500	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 4500	2060	chrome.exe	chrome.exe
PID 2060 wrote to memory of 4500	2060	chrome.exe	chrome.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\dctroll.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc772f9758,0x7ffc772f9768,0x7ffc772f9778
2⤵
PID:364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1764,i,14384009239192206612,8101021269366279234,131072 /prefetch:2
2⤵
PID:3028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 --field-trial-handle=1764,i,14384009239192206612,8101021269366279234,131072 /prefetch:8
2⤵
PID:832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2052 --field-trial-handle=1764,i,14384009239192206612,8101021269366279234,131072 /prefetch:8
2⤵
PID:4500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1764,i,14384009239192206612,8101021269366279234,131072 /prefetch:1
2⤵
PID:1764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2884 --field-trial-handle=1764,i,14384009239192206612,8101021269366279234,131072 /prefetch:1
2⤵
PID:3280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3936 --field-trial-handle=1764,i,14384009239192206612,8101021269366279234,131072 /prefetch:1
2⤵
PID:2816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4608 --field-trial-handle=1764,i,14384009239192206612,8101021269366279234,131072 /prefetch:8
2⤵
PID:3580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=1764,i,14384009239192206612,8101021269366279234,131072 /prefetch:8
2⤵
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4900 --field-trial-handle=1764,i,14384009239192206612,8101021269366279234,131072 /prefetch:8
2⤵
PID:4328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5044 --field-trial-handle=1764,i,14384009239192206612,8101021269366279234,131072 /prefetch:8
2⤵
PID:5092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1764,i,14384009239192206612,8101021269366279234,131072 /prefetch:8
2⤵
PID:1880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1764,i,14384009239192206612,8101021269366279234,131072 /prefetch:8
2⤵
PID:4492

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:2688

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff7105d7688,0x7ff7105d7698,0x7ff7105d76a8
3⤵
PID:3752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3604 --field-trial-handle=1764,i,14384009239192206612,8101021269366279234,131072 /prefetch:1
2⤵
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3032 --field-trial-handle=1764,i,14384009239192206612,8101021269366279234,131072 /prefetch:1
2⤵
PID:2812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2964 --field-trial-handle=1764,i,14384009239192206612,8101021269366279234,131072 /prefetch:1
2⤵
PID:1660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 --field-trial-handle=1764,i,14384009239192206612,8101021269366279234,131072 /prefetch:8
2⤵
PID:8

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 --field-trial-handle=1764,i,14384009239192206612,8101021269366279234,131072 /prefetch:8
2⤵
PID:3888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=892 --field-trial-handle=1764,i,14384009239192206612,8101021269366279234,131072 /prefetch:8
2⤵
PID:5092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 --field-trial-handle=1764,i,14384009239192206612,8101021269366279234,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2956

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1520

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3708

C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MrsMajor 3.0\MrsMajor3.0.exe
"C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MrsMajor 3.0\MrsMajor3.0.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1276

C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\A064.tmp\A065.tmp\A076.vbs //Nologo
2⤵
- UAC bypass
- System policy modification
PID:3160

C:\Users\Admin\AppData\Local\Temp\A064.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\A064.tmp\eulascr.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1760

C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MrsMajor 3.0\MrsMajor3.0.exe
"C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MrsMajor 3.0\MrsMajor3.0.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4124

C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\C2C1.tmp\C2C2.tmp\C2C3.vbs //Nologo
2⤵
- UAC bypass
- System policy modification
PID:1356

C:\Users\Admin\AppData\Local\Temp\C2C1.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\C2C1.tmp\eulascr.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4180

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_windows-malware-master.zip\windows-malware-master\ILOVEYOU\LOVE-LETTER-FOR-YOU.TXT.vbs"
1⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\Temp1_windows-malware-master.zip\windows-malware-master\SpySheriff\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_windows-malware-master.zip\windows-malware-master\SpySheriff\Install.exe"
1⤵
PID:3324

C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\000\000.exe
"C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\000\000.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
2⤵
PID:2748

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- Kills process with taskkill
PID:2272

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
3⤵
- Kills process with taskkill
PID:4196

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' set FullName='UR NEXT'
3⤵
PID:4200

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' rename 'UR NEXT'
3⤵
PID:1884

C:\Windows\SysWOW64\shutdown.exe
shutdown /f /r /t 0
3⤵
PID:704

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3af6055 /state1:0x41c64e6d
1⤵
PID:3444

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
f57a75c9aabfc544cc41df57b099d9a5

SHA1
7b214d5d2decb14b42ed97302e7687c12a05116e

SHA256
2c587e96b662cb47fb5fc68b3a1c7444885213df3e6d4522b57693222ee51692

SHA512
3a8227680123d255434a4dd976251642b7871179b5d40bade58df0cedb495785c0f342e03d900c03cc094987e7a52e4efb7503d508cef70af4ab2fca6b6b24c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\2c01b830-e9cc-416d-b2e5-45d443ebba09.tmp
Filesize
3KB

MD5
dbc7183893dcd8e95fff285d61e28224

SHA1
d266229fb4262bbe097873acbace4714d004fb8e

SHA256
d77d8d818000ccb0ab97bd833911db29c366df73d3d8051dae973e52eebc5eb5

SHA512
aeee5438bc05c14e78e12282d90dc472a00756875fd6e75296ff319e885a3163e016c3b56ff3ae0d1249f54e4f535f4f303b4e828c22205e323c579e77dd0dd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
2b5e4afb8f871e862e1dd37b51fd9c0f

SHA1
1e956cb2231a0a384ec370d165e0f570bcb0baf4

SHA256
c169f9781cb7ec8a86139c7229ff1084297dbcfff3acedbbd8d62852c8458dbe

SHA512
93499466c475d8734bbe2846d1580dcf9f7ebf09a8f45e0cd337eb18157b3c877a3ddcdd076d230853513fe63af1b496c43fd87739a55561d1bae7efc64f5e86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
539B

MD5
a3cbf0076de7989ff55a6f4a413ab80c

SHA1
e8b413563cf144af5ccbb1ee0fb823c93887ae63

SHA256
ce941977ccb0ef8ca1a0d59e83df6e6d4d55b17491021e3052407ddf6341ea6f

SHA512
a5c116b1e2e539241b209abe6102d100be4fdff64b80e7a289786034d1adb575b79f30b281666cfb665cbf5c60961852018b4cbaaa80327432cc644809da2495

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
d58163dcc189719a9830ae0473360d59

SHA1
9d7f1b8d053b1b30c4e970242bb1bc37bad0525f

SHA256
e55c4a35917ddf2accb41409c2d684baf78901fa6beb0e3fa91c7850c70bcde2

SHA512
6a0a7444495a7859ef79044a5a22bd02149cd339a46a9e46a3d403c731007af48d876c67bf483a5eb35e7382c0ee71c9f810b3b2c0c0d9eefb0cf72cc7c9bc3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
d8f4e072f92e88bc3b4cbb5039eb5283

SHA1
29e1b8d2609ea468572c64b952ffd0aca2d6371b

SHA256
9be187c96ec4f08ff64c736e2cd9502d4ccc5248534e7c21ce1acd4ba9d5bbf9

SHA512
a2821baf319a0269605f89146dc1a166538fee1a8faccbee6eb4c6679134f236b6fd6b336a98ba6cf4d813047d78f19f2e58ba067df24524da7f03f8b2177ec9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
0f311269ec39db908f5b028397cb00bc

SHA1
d48777394773ab7329f6bf56f7ad9f58c72c69c4

SHA256
074bab3b6df2aa9644b566a941cffb4bcc7c1cdf680dfab614dc693273dd90cc

SHA512
d3ba252874bd6e147899328e0a1094bce54669d6f51b25cf25b0719e9b1ddf953872f849c24beeb4cba2652b5c985cc36c5eb2ffcfad165707aae41c834b2743

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
dbaf5941fa748795dd9f9dd35e40cd4d

SHA1
665fba373ef684cd5dddf015cd083f09256c5e13

SHA256
2cd9783098f2495f10247dd1b20d08b0ff0c75b1b738be782fad4116c9a9d7ff

SHA512
70df01a131842612338ea9bdbb97baff09ca09272c2e6b959d0a0838c4734f4877865430bc1a526340668827c0d551cef81707db59222bdc597f6eaaa3ec5d51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
6f2542671e7a3ec545ee0e6ef00c7853

SHA1
a027a14c26cfa520b727195a082d2d436f980439

SHA256
3f9e80ebcdbfad6fc56da18f19db2b8decb9bef999aa72c9259a5e651d2fab7c

SHA512
b39fedc48e5eb575ccdc8f38f203f91d7a487cafc42fc82c27832c584b4bd01973163faf8c09122af33c3780c0ca92d535a99cddf095ca5af67a5230f5054494

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
72f7f87f2beddce5352cdc4dff40a1b0

SHA1
10678b5d8c104d28f7ae177f93d6a98a853cd6fc

SHA256
dc3fdab00ebdbe9620b4df45777069cb2cfb403cccdd4380a37bd143eb47aced

SHA512
fd1d50447ab0597ca1cfd2b656bbb5c1e4bad9fdb8ebf6249c7a54bb140541b673ef1a53902a0577e5fa4da280be4edac0b930ca11027bca4c677a8cf5743ed6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5d54f9.TMP
Filesize
120B

MD5
dafafb68f6b092ace6c605fa3b470882

SHA1
b3e4e0457d84bf64c6244cb6c15a9240bf6e0c49

SHA256
fd4167e02dbdffdfd5531fbb31fc188d7dcdaeb16637acda89c9b58fb3991e86

SHA512
7b3728a9450ba7987a176089933a990ee581db57cc0e0e93f54fcb5b4818f1f6b67cc1016f92dc54e872bd5f08ee8888b48a0fcbe5c086df1bba3f51833c58ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
270KB

MD5
3e7ce4941085d10798c1a60b531cc9ba

SHA1
6f6f3e7c85a4155d0820d32492309fa8b90d755a

SHA256
04384577b1e28a9173823aa2a0c265bc290fb5b29417ae9d653c9791219bb457

SHA512
c4e16c625c565f6839c8da17772d01cc5025d616d8c3f738b5ad4b4c5fed9d61101793e3d0d46280d6adf3c8867ba002b34ea4a8aaf5771a0228b4e3f3b30f9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
270KB

MD5
4995f3226a2a5d9286ca6237b5b1800c

SHA1
7d8a0622b9abceab57728a3880f4ffef380da5ef

SHA256
7af7e12f1a9b35ae7a6533eb69a094b1651a43b10f91a5be1b8d64c9eb62a8a0

SHA512
0748318745e837e29352141b3e381dbf5a55647f430e678cdd74047c949da1e44b5f4875be668200192fd2624fc38952159f406adb3929952e77eb328769b7a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
104KB

MD5
b9bceec9974687a48cae0397d8549d6d

SHA1
c12b03e3e7b447fb0aec0d785c25e72ebecfdc9d

SHA256
2f5a50df612aa1fbb791c16c7a89a8bf5d94d3f037836fc110fdc7142242eb86

SHA512
3bd5080a73a334263b332007c605c0145de5815f169983c0ebe9a91a412a423a67238d41d58ebc7b6f69c1ebc608000f9cc131e0c35e557a43f17db951e774b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5e45b2.TMP
Filesize
101KB

MD5
7070ba0ffe553317686ad0499981910a

SHA1
a9727d06ce9311e93794b085053e5ae8c3efa4fb

SHA256
85b36bf6e7fc6bb9123b23556a352d2b02bc3bffdee70d02221b346549c04b76

SHA512
5b3492e5029e21a40857e8bcbec8a32c46601bf0f70a8da986d32fdb41d0b4deb957532ee385c6d4d626bcf2c2c1188d808b4813b0d6f5db46d401a847c52f48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\eulascr.exe.log
Filesize
1KB

MD5
0d24376e070853aeb373fb4efcd9c886

SHA1
5ed08b221c85e2cfcb883f06d9c7151ff81621b9

SHA256
582035d3b58f4c14d8951b45ee83a8843b93bb41c8a77fbc5a092ca116366fc7

SHA512
8d02310103958963d2e9a08b39e31048731fc385c0a66598ae4b35cc3131124092443601473e0632361eb3dcf8aa260c5e4a5b8ffc08a112970dc4619506cede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
896KB

MD5
1eb268279c8be97c6e9f4d6ddea29899

SHA1
b92e5e2e0ee1c4aff19f1af4538b140803ea9c2f

SHA256
1387de3ee53e9674926e34a553701c204a8e3b2bb759c6f305f5d17dfcc38f70

SHA512
8d290c3d5368e34399986241bbebd2490bc2ff427d2292b15b9723ad2e23fca2b2976a8b6ea764a6a9e1faafcdb433beda2415c7d3e8413f5333523a712e2c3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A064.tmp\A065.tmp\A076.vbs
Filesize
352B

MD5
3b8696ecbb737aad2a763c4eaf62c247

SHA1
4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5

SHA256
ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569

SHA512
713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\A064.tmp\eulascr.exe
Filesize
143KB

MD5
8b1c352450e480d9320fce5e6f2c8713

SHA1
d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a

SHA256
2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e

SHA512
2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf
Filesize
403B

MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe
Filesize
76KB

MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\text.txt
Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat
Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
\??\pipe\crashpad_2060_AYJODUCYZFBSKZVC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll
Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
memory/1760-380-0x00007FFC64480000-0x00007FFC64E6C000-memory.dmp

Filesize
9.9MB

Download
memory/1760-386-0x00007FFC64480000-0x00007FFC64E6C000-memory.dmp

Filesize
9.9MB

Download
memory/1760-384-0x000000001E350000-0x000000001E876000-memory.dmp

Filesize
5.1MB

Download
memory/1760-383-0x000000001DC50000-0x000000001DE12000-memory.dmp

Filesize
1.8MB

Download
memory/1760-382-0x0000000001360000-0x0000000001370000-memory.dmp

Filesize
64KB

Download
memory/1760-381-0x0000000001360000-0x0000000001370000-memory.dmp

Filesize
64KB

Download
memory/1760-379-0x00007FFC65240000-0x00007FFC6536C000-memory.dmp

Filesize
1.2MB

Download
memory/1760-372-0x0000000000B60000-0x0000000000B8A000-memory.dmp

Filesize
168KB

Download
memory/3324-406-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3324-407-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3324-408-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4180-401-0x0000000001150000-0x0000000001160000-memory.dmp

Filesize
64KB

Download
memory/4180-405-0x00007FFC64480000-0x00007FFC64E6C000-memory.dmp

Filesize
9.9MB

Download
memory/4180-399-0x00007FFC64480000-0x00007FFC64E6C000-memory.dmp

Filesize
9.9MB

Download
memory/4180-398-0x00007FFC65240000-0x00007FFC6536C000-memory.dmp

Filesize
1.2MB

Download
memory/4180-400-0x0000000001150000-0x0000000001160000-memory.dmp

Filesize
64KB

Download
memory/4616-454-0x000000000BB60000-0x000000000BB70000-memory.dmp

Filesize
64KB

Download
memory/4616-458-0x000000000BC20000-0x000000000BC30000-memory.dmp

Filesize
64KB

Download
memory/4616-446-0x000000000BB60000-0x000000000BB70000-memory.dmp

Filesize
64KB

Download
memory/4616-419-0x0000000000370000-0x0000000000A1E000-memory.dmp

Filesize
6.7MB

Download
memory/4616-450-0x000000000BC20000-0x000000000BC30000-memory.dmp

Filesize
64KB

Download
memory/4616-452-0x000000000BC20000-0x000000000BC30000-memory.dmp

Filesize
64KB

Download
memory/4616-420-0x0000000005930000-0x0000000005E2E000-memory.dmp

Filesize
5.0MB

Download
memory/4616-457-0x000000000BB60000-0x000000000BB70000-memory.dmp

Filesize
64KB

Download
memory/4616-456-0x000000000BC20000-0x000000000BC30000-memory.dmp

Filesize
64KB

Download
memory/4616-445-0x000000000BB60000-0x000000000BB70000-memory.dmp

Filesize
64KB

Download
memory/4616-453-0x000000000BB60000-0x000000000BB70000-memory.dmp

Filesize
64KB

Download
memory/4616-418-0x0000000074040000-0x000000007472E000-memory.dmp

Filesize
6.9MB

Download
memory/4616-442-0x000000000BB60000-0x000000000BB70000-memory.dmp

Filesize
64KB

Download
memory/4616-443-0x000000000BB60000-0x000000000BB70000-memory.dmp

Filesize
64KB

Download
memory/4616-1277-0x0000000074040000-0x000000007472E000-memory.dmp

Filesize
6.9MB

Download
memory/4616-441-0x000000000BB60000-0x000000000BB70000-memory.dmp

Filesize
64KB

Download
memory/4616-438-0x000000000BB70000-0x000000000BBA8000-memory.dmp

Filesize
224KB

Download
memory/4616-1306-0x0000000074040000-0x000000007472E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads