zgrat | c9499d8b6f057e5b5bd51744a01ccb98b70f3914a1dadda407b0ba8f825bed53

Analysis

max time kernel
767s
max time network
778s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 10:20

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-21T10:33:54Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_3-dirty.qcow2\"}"

Report Analysis Logs

General

Target

x.exe
Size

2.3MB
MD5

e86f0f9c72161e6cbcd2f7ae8592aba7
SHA1

ceb84f379e845c14bbcfb95d93305fbb65eee935
SHA256

c9499d8b6f057e5b5bd51744a01ccb98b70f3914a1dadda407b0ba8f825bed53
SHA512

0db8b784ed7a97fb5fd6ed16048aa6633acbfd907324d730fa9c9f9a7a886e599f277405eefe0c7de5ec9e92f71568299838ccf9c8eba210f05d369051530358
SSDEEP

49152:294J7Dmzq+O93+x5pz7BNBNTnx2azxcoBrZS3f:2AmuruLx7DbxfFfw3

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/848-13-0x000000001AF20000-0x000000001B0DA000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-14-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-16-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-18-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-20-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-22-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-24-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-26-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-28-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-30-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-32-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-34-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-36-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-38-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-40-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-42-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-44-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-46-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-48-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-50-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-52-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-54-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-56-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-58-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-60-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-62-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-64-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-66-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-68-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-70-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-72-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-74-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-76-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/848-78-0x000000001AF20000-0x000000001B0D4000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	ntoskrnl2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Program Files\\Common Files\\DESIGNER\\backgroundTaskHost.exe\""	ntoskrnl2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Program Files\\Common Files\\DESIGNER\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\""	ntoskrnl2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Program Files\\Common Files\\DESIGNER\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Users\\Default\\Saved Games\\Taskmgr.exe\""	ntoskrnl2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Program Files\\Common Files\\DESIGNER\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Users\\Default\\Saved Games\\Taskmgr.exe\", \"C:\\Windows\\System32\\ntoskrnl2.exe\""	ntoskrnl2.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	x.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	ntoskrnl2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	x.exe

Executes dropped EXE 4 IoCs

pid	Process
848	ntoskrnl2.exe
3732	Taskmgr.exe
2052	Taskmgr.exe
2492	ntoskrnl2.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\""	ntoskrnl2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmgr = "\"C:\\Users\\Default\\Saved Games\\Taskmgr.exe\""	ntoskrnl2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmgr = "\"C:\\Users\\Default\\Saved Games\\Taskmgr.exe\""	ntoskrnl2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntoskrnl2 = "\"C:\\Windows\\System32\\ntoskrnl2.exe\""	ntoskrnl2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	ntoskrnl2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Common Files\\DESIGNER\\backgroundTaskHost.exe\""	ntoskrnl2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\""	ntoskrnl2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntoskrnl2 = "\"C:\\Windows\\System32\\ntoskrnl2.exe\""	ntoskrnl2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	ntoskrnl2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Common Files\\DESIGNER\\backgroundTaskHost.exe\""	ntoskrnl2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
407	camo.githubusercontent.com
408	raw.githubusercontent.com

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\ntoskrnl2.exe	x.exe
File created	C:\Windows\System32\ntoskrnl2.exe	x.exe
File created	C:\Windows\System32\33a22f3fbfeb15	ntoskrnl2.exe
File created	\??\c:\Windows\System32\CSC476D2ED5E32F4F3A8D121B73D552DAF.TMP	csc.exe
File created	\??\c:\Windows\System32\h7kkvz.exe	csc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4960	x.exe
5196	x.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\DESIGNER\backgroundTaskHost.exe	ntoskrnl2.exe
File created	C:\Program Files\Common Files\DESIGNER\eddb19405b7ce1	ntoskrnl2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133581685683660750"	chrome.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 010000000200000000000000ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	ntoskrnl2.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	taskmgr.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3568	x64dbg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe
4960	x.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
3732	Taskmgr.exe
5436	taskmgr.exe
3568	x64dbg.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4984	taskmgr.exe
Token: SeSystemProfilePrivilege	4984	taskmgr.exe
Token: SeCreateGlobalPrivilege	4984	taskmgr.exe
Token: SeDebugPrivilege	848	ntoskrnl2.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	4144	powershell.exe
Token: 33	4984	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4984	taskmgr.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeDebugPrivilege	3732	Taskmgr.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3568	x64dbg.exe
3568	x64dbg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 1836	4960	x.exe	88
PID 4960 wrote to memory of 1836	4960	x.exe	88
PID 1836 wrote to memory of 464	1836	cmd.exe	89
PID 1836 wrote to memory of 464	1836	cmd.exe	89
PID 4960 wrote to memory of 848	4960	x.exe	90
PID 4960 wrote to memory of 848	4960	x.exe	90
PID 4960 wrote to memory of 3732	4960	x.exe	91
PID 4960 wrote to memory of 3732	4960	x.exe	91
PID 3732 wrote to memory of 4696	3732	cmd.exe	93
PID 3732 wrote to memory of 4696	3732	cmd.exe	93
PID 3732 wrote to memory of 4948	3732	cmd.exe	94
PID 3732 wrote to memory of 4948	3732	cmd.exe	94
PID 3732 wrote to memory of 2052	3732	cmd.exe	95
PID 3732 wrote to memory of 2052	3732	cmd.exe	95
PID 4960 wrote to memory of 4416	4960	x.exe	99
PID 4960 wrote to memory of 4416	4960	x.exe	99
PID 848 wrote to memory of 2740	848	ntoskrnl2.exe	106
PID 848 wrote to memory of 2740	848	ntoskrnl2.exe	106
PID 2740 wrote to memory of 3736	2740	csc.exe	108
PID 2740 wrote to memory of 3736	2740	csc.exe	108
PID 848 wrote to memory of 4144	848	ntoskrnl2.exe	110
PID 848 wrote to memory of 4144	848	ntoskrnl2.exe	110
PID 848 wrote to memory of 1960	848	ntoskrnl2.exe	111
PID 848 wrote to memory of 1960	848	ntoskrnl2.exe	111
PID 848 wrote to memory of 2736	848	ntoskrnl2.exe	112
PID 848 wrote to memory of 2736	848	ntoskrnl2.exe	112
PID 848 wrote to memory of 2472	848	ntoskrnl2.exe	113
PID 848 wrote to memory of 2472	848	ntoskrnl2.exe	113
PID 848 wrote to memory of 2268	848	ntoskrnl2.exe	116
PID 848 wrote to memory of 2268	848	ntoskrnl2.exe	116
PID 848 wrote to memory of 4844	848	ntoskrnl2.exe	118
PID 848 wrote to memory of 4844	848	ntoskrnl2.exe	118
PID 848 wrote to memory of 2072	848	ntoskrnl2.exe	122
PID 848 wrote to memory of 2072	848	ntoskrnl2.exe	122
PID 2072 wrote to memory of 1080	2072	cmd.exe	126
PID 2072 wrote to memory of 1080	2072	cmd.exe	126
PID 2072 wrote to memory of 4752	2072	cmd.exe	127
PID 2072 wrote to memory of 4752	2072	cmd.exe	127
PID 2072 wrote to memory of 3732	2072	cmd.exe	130
PID 2072 wrote to memory of 3732	2072	cmd.exe	130
PID 3828 wrote to memory of 4984	3828	chrome.exe	135
PID 3828 wrote to memory of 4984	3828	chrome.exe	135
PID 3828 wrote to memory of 1996	3828	chrome.exe	136
PID 3828 wrote to memory of 1996	3828	chrome.exe	136
PID 3828 wrote to memory of 1996	3828	chrome.exe	136
PID 3828 wrote to memory of 1996	3828	chrome.exe	136
PID 3828 wrote to memory of 1996	3828	chrome.exe	136
PID 3828 wrote to memory of 1996	3828	chrome.exe	136
PID 3828 wrote to memory of 1996	3828	chrome.exe	136
PID 3828 wrote to memory of 1996	3828	chrome.exe	136
PID 3828 wrote to memory of 1996	3828	chrome.exe	136
PID 3828 wrote to memory of 1996	3828	chrome.exe	136
PID 3828 wrote to memory of 1996	3828	chrome.exe	136
PID 3828 wrote to memory of 1996	3828	chrome.exe	136
PID 3828 wrote to memory of 1996	3828	chrome.exe	136
PID 3828 wrote to memory of 1996	3828	chrome.exe	136
PID 3828 wrote to memory of 1996	3828	chrome.exe	136
PID 3828 wrote to memory of 1996	3828	chrome.exe	136
PID 3828 wrote to memory of 1996	3828	chrome.exe	136
PID 3828 wrote to memory of 1996	3828	chrome.exe	136
PID 3828 wrote to memory of 1996	3828	chrome.exe	136
PID 3828 wrote to memory of 1996	3828	chrome.exe	136
PID 3828 wrote to memory of 1996	3828	chrome.exe	136
PID 3828 wrote to memory of 1996	3828	chrome.exe	136

C:\Users\Admin\AppData\Local\Temp\x.exe
"C:\Users\Admin\AppData\Local\Temp\x.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mode con cols=55 lines=15
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\system32\mode.com
    mode con cols=55 lines=15
    3⤵
    PID:464
- C:\Windows\System32\ntoskrnl2.exe
  "C:\Windows\System32\ntoskrnl2.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\phhomh0l\phhomh0l.cmdline"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD6F.tmp" "c:\Windows\System32\CSC476D2ED5E32F4F3A8D121B73D552DAF.TMP"
      4⤵
      PID:3736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\backgroundTaskHost.exe'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\DESIGNER\backgroundTaskHost.exe'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\Taskmgr.exe'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\ntoskrnl2.exe'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cnaEIOTEmi.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1080
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:4752
  - - C:\Users\Default\Saved Games\Taskmgr.exe
      "C:\Users\Default\Saved Games\Taskmgr.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:3732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\x.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\x.exe" MD5
    3⤵
    PID:4696
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:4948
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4416

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4984

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3848

C:\Users\Default\Saved Games\Taskmgr.exe
"C:\Users\Default\Saved Games\Taskmgr.exe"
1⤵
- Executes dropped EXE
PID:2052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff2ce1ab58,0x7fff2ce1ab68,0x7fff2ce1ab78
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1220 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:2
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:8
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:1
  2⤵
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4296 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3616 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4620 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:8
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4792 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4200 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4732 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3228 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:8
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4700 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4636 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5424 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:8
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:8
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:8
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:8
  2⤵
  PID:5960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=2488 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5640 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1688 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3328 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:8
  2⤵
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=3328 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=3372 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6128 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1572 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:8
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3096 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:8
  2⤵
  PID:5380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1080 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:2
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=4256 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:1
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=244 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=6296 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=4296 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6224 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:8
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1084 --field-trial-handle=1948,i,5474934503247849210,989092664570245637,131072 /prefetch:8
  2⤵
  PID:5256

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3292

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:5436

C:\Users\Admin\Desktop\release\x64\x64dbg.exe
"C:\Users\Admin\Desktop\release\x64\x64dbg.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3568

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\KeyAuth\Debug\x\04-21-2024.txt
1⤵
PID:5992

C:\Users\Admin\AppData\Local\Temp\x.exe
"C:\Users\Admin\AppData\Local\Temp\x.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mode con cols=55 lines=15
  2⤵
  PID:1484
- - C:\Windows\system32\mode.com
    mode con cols=55 lines=15
    3⤵
    PID:5276
- C:\Windows\System32\ntoskrnl2.exe
  "C:\Windows\System32\ntoskrnl2.exe"
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\x.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  PID:5392
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\x.exe" MD5
    3⤵
    PID:2532
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:5788
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:3432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KeyAuth\Debug\x\04-21-2024.txt

Filesize
244B

MD5
198f2019e50ed92cff7175ebd4fb8128

SHA1
32894d593019c6fb1e88016073c74d323ddf5d81

SHA256
956dccd165a681d8e59621ddb54e64c2620e53cbb242281e7843fc772bb725c6

SHA512
7b66658d203b1dc8044c513b1dc990c2807f28b29cadca7045d915c14977ccdb8086b9b77822fb4a0eb14573f0895557f62ed94781be0085a37a42f2f58dbb57

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
24KB

MD5
5366c57b20a86f1956780da5e26aac90

SHA1
927dca34817d3c42d9647a846854dad3cbcdb533

SHA256
f254eb93b015455a3c89aaf970631bc989fe2bd387f79e871b514992359651aa

SHA512
15d7127970436f2510344600f3acecc19c39a05f8e82c8a7950095386382b2e2da55883a5a9faa97b84452e67315b9ac1693b6592274c8c1c35c813dfeb543a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018

Filesize
24KB

MD5
344ee6eaad74df6b72dec90b1b888aab

SHA1
490e2d92c7f8f3934c14e6c467d8409194bb2c9a

SHA256
a3cf4861c7d0c966f0ed6564f6aad6b28cbd3421a9ca4f60e2246848d249f196

SHA512
2a9a9162d610376512a8fae2cf9eb7e5146cc44c8ebde7a12e9a3985da1718c62ae517c25b00de7c0269efab61b4850a0becfbf04382a25730dbe9cf59825a62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
39KB

MD5
3075bd5470d101dce346f6411120cc09

SHA1
149fb0bd72b61829035021122a3a28d0d0816cb1

SHA256
e3de2a33f9059826cd26fe44f2021a3170bb32fbe050c74a74a37fffbb36a9bb

SHA512
bfb8798616624482e89f7cc5fa4d23c2ffd4a52dd93f7762ac7288ccb6b2805a5238f93fd912c444d8f23ded93a8af253821096a002dcafaccaedcc8fae6f50d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a

Filesize
64KB

MD5
b2be5352ac4b55fa22408585f875b711

SHA1
e8fdc29f50bb154268084325381478a072c6e1f0

SHA256
9552a05a7cfb2e4970b3e3f9ee49d42fa0b169f906f08ddc41f134eaf4b8c3f5

SHA512
2da1748ae9e5c92d0ddee8b0a031a2a4c1666f4baeac4ae07c41ff4c332bcf724c7a97d5256c13e54da86a3604ff947de0ca15706bd520ab5a97cc1873bfb1e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f

Filesize
90KB

MD5
c0abcec4c1c4fe0c6e8b022590021c56

SHA1
105c11bb982889feefd663118e7e43d72a764545

SHA256
a6976b42e3110a6f7e65a33b6d0217975b5e3b9bc64d489cd80d7e543fbb2dca

SHA512
7ce448c1c40b156eb7718fea5f06d73a813606618c721fb9c58e0e7a9500c624dd994fbbbd5d617f8e15c12a10b75fd26193ca7db877e47e2f4632eea8f5cd3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020

Filesize
16KB

MD5
e883307856d87c8fd4706253d8c71721

SHA1
76fbc49265fedff25530d5a01e177dbe695eed88

SHA256
37a4264731e880c6536ea14d266319a8981e91594217a3ae5a7aea2993273541

SHA512
6dd7c7a99e870d452395507e742920624fcc0a76b7dd097bac9014b0df56c14f9df493baaaa0b8f555cbb607ce6ce1fec91a5d4aaa04298a7d2cd2f8eb520acd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

Filesize
28KB

MD5
509dd9d99cdbc6e7cd130be09e1c6d52

SHA1
15629fc0215fb5d4127d193ee0e1e765537f9c60

SHA256
85e04681b24497e86a49dea51dd6f8a64641ea7d7bf1c706a2857cfea148e1c1

SHA512
bf2bd6746d0b477f01758e17e9b14eb0249ac373b4da7a41a0659e17af2e2f9365a9e38ad214a7202b1273305718f6ca67d5aab6388014365a8a8af426f415d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

Filesize
140KB

MD5
acbcf92b051967d507516ea5c40bc2d4

SHA1
4f55d73d531a3bc12a53f80c2b0c0e533a808f48

SHA256
476d22c9e4c24ef2e63b2eed3d413f7dac82c8b0dfeedf09b6a407f0f1888772

SHA512
bd5b0b05cdc72c830a47596db688fb6ba0c3929c70afc65ba1284ba7419e952495fcd481a716a6dea9ba50137b4b0d008acec125508b8dc3279b017d93325596

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000025

Filesize
17KB

MD5
542065aca86ef1aa46e44d36bed7d9f6

SHA1
c1a3d05699ee569b7116bdb746a5197d463cff65

SHA256
53c65332b57d990f860edee3552d43231b58c087b1bef4e3c8a5967108a2bb65

SHA512
f941cccff436fd1e1a62180884c5ef00cadeea646a1a96e8e54836998443cefd95a322051d9046cbbc527c2772e76d444245e17096b535bb0b8db9643694d0dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000027

Filesize
63KB

MD5
34d5015941e4901485c7974667b85162

SHA1
cf032e42cf197dcc3022001a0bde9d74eb11ac15

SHA256
5c166a5d40aeefd0679a14f95e47ff28824e66abba82adfa30be41803cc25632

SHA512
42cef1d6847f535a6e8afc0469b9f5ef79ce4ab21512ac7eeda8ef9667d5f24bb33b30aba9a29824b3d853d41d4addf6bdee2042cf4fbd0a033b61657c671f0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002a

Filesize
65KB

MD5
d37a0b50e8cbbc3de35d3d1e9e1185cf

SHA1
c898ddfa3f2c551980ab4bef4a463c3fd11021b3

SHA256
deb12434ba06baf14aed67ee8aa28f48ae856f3792797eeeab1ee218754caf04

SHA512
d52983a3cd1343454bb9bfecdcdb76791a93b15fe83a46a62ca668041fff818f94815b6c596c2794972e11df3f4139a86e480578cd5e332bf9325e6e5e1572ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\7408f1461634e545_0

Filesize
266B

MD5
710238c0516800d86f44263f243c1643

SHA1
20627f6c803493bf338bcb78f42c9c71ac66173f

SHA256
934253eb991042d3f6e448019983bf997bb2ba3d6eea446e0140f91a3c38c56f

SHA512
71acdc67064f22c27dddf2da320205b2faf8183f9656dc36dfafb8a0399626fa214c77f5bb332d91f999c8fa2969b63451554a155917c60ad41c6745000293ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\823b2eea0c7ee25f_0

Filesize
58KB

MD5
640fbb6670fff933165b8279dc12b21b

SHA1
9ae8e13ae672a0b5989ace10b90be117592d5043

SHA256
2549871e54933ea6be8130f17af2d345a1c8ae703fb72359649c3ae98fb2861d

SHA512
ee603c1192939a485a09fdf81d37e6bd75ae04cd12df25b34de193d29047ae48224ba68f2953eb9c39d353e85054a99d542245325aee9e19856f85b693a655ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\86f73e83e3501e8f_0

Filesize
306KB

MD5
00f2f5c44301775487131653f9621b67

SHA1
59f6575499327d8ceae438401cb249ed215a36ed

SHA256
4af148f09746d05e596615080875cffb0b7b6ec56385e9bcf92d2d3970e09107

SHA512
4ffc9f91dd5f64b6c75d9428eb6b404d986f23de57f4eaa8f25a9460a4ae6e2b379a7f0792612d70b7aea825e222188d10dab490ecdc0c12c69787bc628326d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\f043fc37cce6f0ab_0

Filesize
334B

MD5
228bf1571ab5d7187abec0df9f981bd5

SHA1
87800b2f8a6cb38e8eda0b9c68f3d7673b333ac9

SHA256
9995a533ed34b3b769012386629d5a1be4086277d5427af4eeaa855bd280499b

SHA512
8405fed3d84d0cee0d3918b06d6e1511a8d157f4d78b8118560d9c48caac58256ab512c11de90e3f2bb337f9b216770fcd6957dfe16cdcd8d3626aa97c7db9f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
853f157b6314d03a751f6e0e5279b0cd

SHA1
f3f35731a2ae9ce7f8903e4010e12fb9dfe6c744

SHA256
6847ca511c6b76536d2e3bc72a50635696671242ae05c0f0b1e7c71a636210c2

SHA512
3a29c5ccb9ce99adae608ca7062b3670cac23cadc5268433d160cef620ada65662f53c4c0237a6a5f9fcd1a994c8671cd6a6504d2336446b11ee292e755c5050

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
1aca5fe222b93991f59d6ff89b11c4dd

SHA1
62977d2ead8dbea91db1061a0b0c4542fe435efc

SHA256
0c09605315598f9752013bcc59b78b6a41d5b0570ed8129c7d8ebe88a3385bb5

SHA512
9b64b5b69761be2118549d1f3e56a594340a2fb7cdf0a1e45230823bd7644524a522294a6a6dfddd829b59c17fa92cf4c15898b1b7a45ffbb951640a620848bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
bba5f3d3ff6f8e2b0cdbbbb0781ea548

SHA1
e0271db2e3f4cfba3ce931a7bbd774d9cccedb1a

SHA256
f307487a6c627c701d62c66dd49611584651a452a9d698fd816bea7e995d8041

SHA512
3bb2b355e4b4b8bdbfe814bbe464191c1aa84423483595df500ae47e3a5f0cab698ae44e1b5cf82ad41509d7506340facac77c082a5a1ba116958be580fd8363

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
cbb48af458f3b3fb34da9ec35ba043d4

SHA1
1abd418342299112521c5db49fc8aebbb1976064

SHA256
ccb2d1fd61a80f618c8f0fedc81c7b7e963a80fa961350a9b731d33980588657

SHA512
34b4ca2b94ddf2949b9d4962fe16b1170ac6130882d06ad7f5cefa7ac985cb9b75f5fa34f6d49ef69f0bfda7054f82c40bad3d9e6d8adfb11f2ee2d62fd9700a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
10KB

MD5
8b5da5e4c01989bd624a2d0eee96e50a

SHA1
af2187253e33643ac00738900bbe919f04f995e4

SHA256
c20f6bd7c6043d82a8623ef630b2ebdbc248ec3458e387cdd7664d1c3d6c1853

SHA512
79bc9734e82f21d3d4e4bb440953bc1230274f8cdd685165f89dbf62f1fc824540b4a61ebe7cbe4567bb16e1119c7ddeae93a2848827ddae2d529be0a5252f35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
8453ad095c4ba111e5d309114a9a360b

SHA1
80cad392a379be6d95f922cfe4841dc11b80e9a6

SHA256
6f5b69a5d08f449b9daaecfcb2f8491bc827881d05aa8f17a63fc40b6edbfb2a

SHA512
a987c0a84815a29539dec93918984dbc62d8126d8db802cd90411cec6f81dab7c83cac631698bb3e15315350ebda82d9fb001266f1a169d529e65ad46a3b0baf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
b3258b5c5a24c26697c50c3b6b04af11

SHA1
5334fdf405c78b110445104ce3a4934371506dc4

SHA256
c0fdd9d13216de24dda550b7f1b7d0ff56cc9057b855eb6fe12ee88fa6b81c8b

SHA512
352e43a7e2a999c6f393f49f9b71a7d3d11be8754a5041005b03c7def8a13f8fdf21ddccd588f78e0f48256b94f9efb901ae983e12aa3d885385f4d26c1bf276

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c8744ce31fe88ef2f370b9e7fbbe86f4

SHA1
00c35e728f21675f60710895844bada5e0dcd11f

SHA256
2e9f89abb33dcc6445534a340bbcd8ca660b30adafc4fb6a522077aecd9b8e88

SHA512
22a1df0d52de52ac879489ee6788f932d62196ad9e2277a61e8fe6a2e82b3cb0ec700155908f345abe62efa0ac1e2d2b066970810cc5a3b8126e458efe18d1f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c37ececcdc3d30abf360629bae945806

SHA1
37ef7b1c60478f4a7904cab134f0fbccca9db848

SHA256
a557b0bdc303fc1102e26fdde45a99d3191b25750b03de97a14b206545805fb0

SHA512
6d0fb035991aa2e9485a17f26f5ca149e6d8468bf27da2cdb3139701fc24a6421d16f360a19cebbfd8a6b1b6e7a2105cd65ed7fdae9f94713d199d04d66dc7ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
60adf9642d3689a54bf21ff3ee2a2443

SHA1
03d213146599c2a48ceabfd8026ebc91cffa2c32

SHA256
4103265329d52ccb22a5c72fd0fd452e07eb26ae68d754db90929fdfc2878d39

SHA512
944e43a229c120b33641a51c34965eb7b8e8606949a08088cc848b6f1950337e847c51528ebe577b62dfb3697192ce119ced16b7c78b329099cd28904883947c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
17262aab1bbdd14cda2b081919576963

SHA1
0aad3bb5363c12cb9d76c17c76f29a72b03562e8

SHA256
66a749e5714ea29dab58c5e8aec78af6dca297d1d2f05e9c01838abc137a5f44

SHA512
c25cd4d5f5044c685bc98f2b73377a9cba50517460c232468a51f9b0a2e301a02bb62e5d6e742ef614a9e32826db274c98ab9bbe3b751e9f1c5cd894fdbd8ae1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
12c6a64b2f93927da46d18d5983d6704

SHA1
89493efe30ffdc54fe4125b261d55af1a793085e

SHA256
465be490ff0b02a280a8eefbce6f19df3b0a8e75b7832368ccb05b41d1f583b6

SHA512
3d4ddab48bd36d6fca078d7e1cad46bba7627cba1c7bbf7b3dc657eb628dba7fe44d8e9069f6ddc2a649cb9ab9e397b07b3fd85effb522d9221355e9a49352c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
2bf735994ae9d1e8a92531c1723237a5

SHA1
26261be79bb0d76d068e3f3f9eb3343ce981dc79

SHA256
98b00c40e71db661310b27883586567243f093f9dfd29d75d0ded96fc8b0d749

SHA512
e31b799ea692fb6eb1cc61080a14841ac8f6b913158bdc88f2c74992323ee3eb54584ccc218d65b3b07959304fb7ed10ae89b0d01e0fee8970f5af338efbfb05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
fd8a4abade8056755b97b6415ab42e20

SHA1
d0a2e491a782d625d644471bbd7c15a786a15eeb

SHA256
222eea0a05eff898069d4637c1caee584ac5c446e07c8d45b5abdfc780749c44

SHA512
34449f0b15913c6d753fb50692df8530b50f635ab266744a01407221bcd9774beca71b4150a36b85c4dd9d56c8457113faabae37569cb93aaa5160d2890e9b65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
b5dc9ba286e4e5078acc29dc1268cd80

SHA1
f55dc1bd00ffbc7f61aa402a4aa5d753b0e156f8

SHA256
d8c5daf49489cc7f8a3a759f86b3670f09329c649523505e61097f78e0c4606d

SHA512
2f10c369777c3c4c5a03e6786ccad5df6c8c132735b265f0d117d208b3183a892b5cca51130a542b4dcea25f30bd888789ad2d09ea163f1a2c0478d6db0a1a5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
ef56a7bc780d0b2a76eb90741d52d574

SHA1
08af0f4838137543085ba6ec6370993e45889316

SHA256
baa31a0cb45601dab28040295d2abb783d1b1e4e3d37903267d28e6414090cc5

SHA512
7da248659446b3982771dc9b876595445a97b155efcddad37055f2e8547aa6f0814b253ef0eabd9379eeafa0bbf1fe4be510a35084299a3199b1d81bef36a71f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
809a0f49fb3c697704b01088e0939cc8

SHA1
2dd983a27bd494692c4c210df3c1437a595c2792

SHA256
5cedb71960e0e26d64bc9fea0af7550a51a2bd53c4c95cdff1379a6dc9adc5c1

SHA512
e8d3071de957f91ae313e9c454e152f475c337814024a4d83d0af57879af7684fc517b5362110a765be71040832ce7c3f015a9517aee47960ec4c164b4d4bc4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
992a9be5726c19b5cf3777b292ebc957

SHA1
517246421ea321d0e533738bcbc15b552482ccf3

SHA256
a2a63324baa05e8604e54f9118dcd61234ddec678a5b2bf13cf8faf564d6f275

SHA512
ed0757495df99ac28556823f5c7c163860fe91125e988ce37a8db6b3322ae6637140943b84bcfdc04e67d4a63d3d808a0811a484ae1a933bb1c3d9af429ee083

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e0f45bc1b2e633273913296b93972647

SHA1
e22e58f3e4e3eeb2f8c32574720ef75ad86780f5

SHA256
5c7911b33c056384085dfd8caa3cf418f12e125c3457a233b7c4f5da3ded3274

SHA512
1c625bf697410dabbac5919c841b2fae734437a77ad29904cf94b67eb6c3a9cab1643caa801e79ada8cccd6227fe977a36170bc4cdd643e08f5f85a4c765625e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4c1d0273eef67a75777d7183d2bdcb05

SHA1
2d78c76d2b492edeef1400ac8c62294e2528ae70

SHA256
74df930a5d2f97e6faa5e8a0f584cdf05ad11bd323a9d9df323bcddf4731d801

SHA512
638fb8ba5617ba63a5b61c5ab055340074a2d9f857136d372450aa4c9214d1e5ba8b715013591686f2505ed209be921a43bfc3ac7621580ea01693047176e81a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f42313dca30dad234c139880b42b3de9

SHA1
e1def7a94aa638fe8e466f63bba3e0e011c99eab

SHA256
aea4f8571e07f48a024c184d27c28d965607ee1e92bd1b220dc295322fa401c1

SHA512
d125458b22e1ecc6267bf64431e0c029d1eddba4bc32c7dd7b407dfabbf36dba2974da5dfdd0648d052614cb38e744142ca74e19e2a6bc1e9bc5b46d06013633

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3b5de8e55e90576277a8cf6dcd3ea40a

SHA1
63133627997b4cfbfd69f0d3e3f928e0f41141fe

SHA256
b1d33b12bc3bad5b05734398b410f91a6368f4a7f65062cfea597a94af3e34c6

SHA512
a3e6dc73ed1c7c2472f0ccaeeab0189c72f91a7a9405d69b81c7a704e25edbc370f9af5737e3f3204be67b7e105d9c2b02af9a85567f0d55ed664967beda28b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1aa32a4bdd615fe5a1eea9f8d974f4c9

SHA1
dab13e038f5f6d98ce8ad1646e96f70b5a82c13b

SHA256
4e330ba22ca7174f7c3f10f73e79aebdfc847a905870d00ac13cb43f334f2e51

SHA512
22373940d8ee75e3a31eb3d1ddbb24dea7c0064e7b7d9e4001c9ea9640130676cbd6a6a2a1415df4506a86bd492e874b14827a49dadb4eee1422b5a96b7ecc90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
e9c0b81182e52cc2d596de52cc8ceab0

SHA1
12da51fabc1c9e644b6ed520dc57ac5b61d2f57f

SHA256
41475f3c1a4521d33cafd1a44139c38fb6152b1d3f80606b54fd1528c3fd998b

SHA512
00c25b421e580aabbce86631b511db551d3eb992751ee09a5254185baf000b5aa5da14d3fca28a58bddc6621b5db1c77b1c217e58c0cdb7fe6faa456f15ae7ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe59b52d.TMP

Filesize
120B

MD5
02ca0d2ca6dac90b0158b9fb7dda629e

SHA1
679a99bf9ec53db2380fe2774b26300525fb3129

SHA256
ee285a97f44af136070d6aa38c91fbc98f223bf872e5bb862c6072d5faefc06d

SHA512
b0cb37888ce02ae2179f971ffce0cc34eb0c984a77a080069f6c89041a71954d758c32803d7e01a50a8272531349f27440b42df30a5fb6a08e4ec7071f6e5570

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
ef6e5ea68b15baf130325d23615f1659

SHA1
78cfee37cb1b51c414c2dcd5bad43687e415eaca

SHA256
d871c6164da80860498649f0b7b3d1b276d91962b48f5cd848799cc34d26a47c

SHA512
d2ba278708c4f7cafca1cdcc77bad9174148c4c1365acc53dca35d8d94c82da8c2880615bf5f4f8ca1406140b192bf1c6378d96f70434631b76ac378794824e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
a2e7db8fd7b13165fc21e2227797bbd2

SHA1
1ec00adece50475858bcfb67217e2758455053cd

SHA256
2c82b8b885edf10332618563869e35619ed7fefda830345053fde39da85d006e

SHA512
0249b39d8fdbecc37cdacfd30bb5e6d9922ec51d976f91d28ac68909899227ca1e811bdd17ff48106c4fc267155683df7321c97d1e079b7be9ca547ee0a4fb84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
beceb08074fa415f0eff09750566ed6e

SHA1
a067e2e34bc8ff3dcbd959aa20b60ac6ae9b6983

SHA256
8cab4a72f329ea76dc188f827cd85271cb4eb6c1af59d7aeccf8525fe2c29aa5

SHA512
aef199412fc2669c56a189ba53c161f4202e16eedff0c8059d07d069b88d8b2f6cc2930553b35b5e92d9fc20318b6dd2a9f46c54aea889bfad9df1c0695e9da8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
254KB

MD5
98d6eb950563cf47e91639700615029d

SHA1
687af4b5dfb38e0fae2e367d7fce172fd550fd20

SHA256
1ba9e4f54c3d5b47668ecf1b5f6bfaa06b64cd0d576e9c5f5455ed99e9280618

SHA512
fd215e93d4d384f74c171f3996ead7158485309618a7be26b76a287475880787e1613073c5a20562a1bed8708e2cc58269acfa6af7d1a3eb09239ef1ff351b82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
254KB

MD5
e80d402989522c4425c1d74be77a91f1

SHA1
50f648e7263129214f32e16435029528a53216bb

SHA256
25a01ce418e6e3e26c8437668dff57a93c8431d23f47d1e8c67e691a93dc2f1a

SHA512
1b8208bc19d6d39a06007ff4a7f34f29e4668321c5c793b413627e48a4bcba1bc7e77b605c8db429a67470ad528131e1c6938c1e7850e63b16b3f7101735703a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
254KB

MD5
3ddb6187bc69d137092e589932c34fb3

SHA1
20a3604f868910d6cc8720df429c7459ebc7416c

SHA256
21df0d59a7901fe3827b1ceb7b742dde45f86d63948209e5344ca57e3987c1d0

SHA512
113c6569956dc6c2df2da0b2be56a20545010ccf64337f0c48c367f7c49fffa6b226c6598c3d7807db5adea9ab1d1ff0dc684741291cbf5ea8dca57b7831f48c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
301KB

MD5
983607a6990ae831516d2d9a6a5e4617

SHA1
424f4623abbf44721fa3152a3e320395a8d9b321

SHA256
46b68e813f4be2c3a6888db8e98293505053ef6d5a2fd1b3517738416aac901e

SHA512
d7825ef155154ae0661630e1498d70b2e360afff41ac53e7d598478a2113a214ae489818a60f483eb47c3e967433df556a287d0dbfef56c5974ec9697ecfb836

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
337KB

MD5
9c561cbd8088f551821bc5d666ae0252

SHA1
fa10e08dbd555e1bcda9032a02044d7f5b60c594

SHA256
7ceb96de55cc6c29871bb767185aacf37fc089f725b06221281ef5ad3a521ba4

SHA512
08bda04e5690ccc9fbad31f15fc1d72369f38cd22e10aa0e148f5fc6887f03de4603db53ee7323eb613a45fefa4707ee66d33234bf35656a4254b2588d4ffe81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
254KB

MD5
3bbbdd68af4fb9381a1652ab2ff7c5b1

SHA1
664e940f2e527a38cfd0437b1d5b0c71b2f22e0f

SHA256
b4b307364dc8af14b13e941e58ccbe2dd3ac59207bbcd14c9f1a9f196efef2f9

SHA512
60d387edfe6ffde1df9cfa3bccabceeabbbb027c387cd17f800d9daa4341315e9675591910391333f3ba4ed511b7ac087749763b7471bc31fc9a83d4f1c74079

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
100KB

MD5
9c620d49218bacb66ee73b094d8b7715

SHA1
4b575354c41f4815fcca84239079307758aff794

SHA256
67e4d8102b20baf3be71c8f31227ecff41b8c45347f6ecc4da47267c7318cbad

SHA512
2b8baca5c77eaf598e70aa9a7eca73695bb6c4094a9e7a0b82d7d20cbc241702e65cc4a77b4b2c6a377a7311aec27c105e4f8b2c2971de1e99d831794b6336b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
171289f66b766ca42592ad21831c6424

SHA1
fcc2c77b07cfb12293d47a8f657c894c8b87a659

SHA256
66338f7348b04f8ce52f52dc34833075db9ecbdc242a0d602da7f8f6dc6bada5

SHA512
ad970308ad74d7276d6b92d15f7b8cedc32d692234f3b66c298dea0fc75451d163e2a37fed10f70f8f446f646d43e61d608a05c4857c2b938f63dafbc49fd100

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59b26e.TMP

Filesize
95KB

MD5
ea12643a3a1af6dab33faecfb14d6a12

SHA1
8a5abc6c7ef476c6f2bc8b2526301a9f2d195452

SHA256
8a86698557920724fb1c2ad37721f68da9b508e890169268a6deb8f5512f2bb2

SHA512
c8959f9f3fbf5eb1b7317bed4830c868be5a071601f160f2b7683a98a7f1496703e5bfcd7aef470ad891fd685b7fc8ad3065731435745206c8aef5339d1897d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ntoskrnl2.exe.log

Filesize
1KB

MD5
850494ce34f0d54da82d83bbb2ef2e20

SHA1
878825bbad76191a994913ef1f53536e91038546

SHA256
6495bbbabb7f978b6399c82dfa99f9dd76972a9d8af7099cd67862b5a327ebaa

SHA512
fb85a9f3102f358d2b995db5361b3b89a7306fd07ac7701db5890d3385eb1ca7fade2959e0d1c65be23da9d06995b314bb833e7130d239b367b709917177255e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDD6F.tmp

Filesize
1KB

MD5
d857e40d649b7e049c24ab8742fac112

SHA1
1ef2524cc2dbe1d7217fbc0b0f36235e738ced2c

SHA256
f3b622e7f998776e74868c0425c0beb253ee156d6ebd3c100b763fdeba2e5dd0

SHA512
7de092e7e2ba7cba9bdab3072d1d0f3c650441aeb573a714e95496d8e9656b3553ff5e3c1051fa014580a074f3f1642e1f0344e246e93cd1bb35a7a70070d3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pmfmo0bc.ztx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cnaEIOTEmi.bat

Filesize
216B

MD5
7274acc56bf605be272bdcb74b8a6238

SHA1
7e91640765e329e68a5c214d5e1ae877a24668d1

SHA256
083f8a4d2710cab95d7c0861549a53d47589493e3c5f16b39e87d3e6584d125c

SHA512
4d4c886fe1cd72034d02f6530ff1cf14bc022536022f79ffc8620ddafa2dc3da5e5c77146ed4987c5e5a2e2abd487e32103dff1a418034d8a0ee67f99d06cad6

Download Submit
C:\Users\Admin\Downloads\ScyllaHide_2023-03-24_13-03.zip.crdownload

Filesize
3.6MB

MD5
138bffc8d10d42fc5c43194f632dfac8

SHA1
9f1769eb39f971e2fb72c539dbc76788982ad14b

SHA256
edeb0dd203fd1ef38e1404e8a1bd001e05c50b6096e49533f546d13ffdcb7404

SHA512
248777f1bd83f9ec55526bb095e85bc0f64c87c0cb4959c091dc7a9008369a5ba2864ac4230b40590438e86bc84e70b549c01cb9524d3c0c86dd3bc335c2b962

Download Submit
C:\Users\Admin\Downloads\snapshot_2024-04-11_18-47.zip.crdownload

Filesize
17.5MB

MD5
3d321160983bef1e1d574376b62a007c

SHA1
cf937f9a67d184283c7a750e6373017f0fa4f27e

SHA256
9abf4fbff28da45902fd495bd3a9b1b7d51dbb779ed447b4a996b4c9a8ba16ee

SHA512
6b8bbb2b65b3530aaad4f155e671ccc6e7260ef5eeb157b3d79df77aa890706538b1ec6101fa33a4e6faf5e3a8d675e93f655284126f405886312efbcfd710c7

Download Submit
C:\Windows\System32\ntoskrnl2.exe

Filesize
1.4MB

MD5
c8848d70c25cf0a1e0a4122cab55e5f8

SHA1
20e0cffe94951e3201ca5aa3f5a2876b20408702

SHA256
6ebed9f6de82360a3724c5148eaaced3273ce3e48826492d87da9d7e978eb6fc

SHA512
b93aada5cdf824c5feb5c2a992a92cb929479241e7895c42c8a6af32b11c72767523d4abd641c44a0b2e310288e533f7aeef3f1931023ac72154171bc83d2cc0

Download Submit
C:\windows\system32\h7kkvz.exe

Filesize
4KB

MD5
bb5bcb03e5b33dfeecff688cf466bd88

SHA1
44ba6e381a8bb8faf633857243bde1e1fd7f1d53

SHA256
43c63fc9bfed63b0dc3e192f0f85c26f3bd6d276b98fe7e224d6d1452c6741a8

SHA512
c488f69e6263a95cdbe9e5137a59a7822c7610b617d929ae21dc26463428f660a0f0767aab73974d07183b8fa05333514d8fbec430cb3f6b166f2548311eecfa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\phhomh0l\phhomh0l.0.cs

Filesize
377B

MD5
7bcdac2b0b9559df6da0fc9d3fb5a40a

SHA1
ecdd02a96b629438f243997fda61580dfdf2406c

SHA256
753267f9439d538c61d8253709db2d9623d6b68e9d209a7e3cf2170bd826ff0b

SHA512
b446eec0e278b8aa7cb9b6b455383bf2a8d874d789e6daec7968fb0d3e8c1220068a6050254676bb9e7bf4674b028222a7d134a96a08ca6c5b0768fd2f752ec5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\phhomh0l\phhomh0l.cmdline

Filesize
235B

MD5
c2a8fd3d7d759b6f8a55fab4aa4990a1

SHA1
ccd2793b15867fc331fee31b1cd16654f75a1d0a

SHA256
656dd12bc6152eac0146ec8d06028f6efc88a1798237e7600a4f58b5c913e2f3

SHA512
af868a699bf44bb6df9e9d857b84b0d8c7c3c806c97059a63190d59b1ea77f2c8352e7f7ee3f2bcfa1d0118cfdceba767d310aedb94a77978a17e1fd1df0e813

Download Submit
\??\c:\Windows\System32\CSC476D2ED5E32F4F3A8D121B73D552DAF.TMP

Filesize
1KB

MD5
c7819b618dea7040964ac749fa4f9c7c

SHA1
b9f7a7719ef735a50af758e182669c05d121e8f2

SHA256
15824da58838d1d225915395b53e61f8d5d3a905faff73e2c98e8208b97ce372

SHA512
c990842238ed4c379a3dbba7dd7e0a5068a73405c82fa72f38445c882e32bbad2b1376b439c7e3c5aeeccd03e7c38b27c414a3408c9c79d9d68f63d2392a81b5

Download Submit
memory/848-3591-0x00007FFF4D5F0000-0x00007FFF4D6AE000-memory.dmp

Filesize
760KB

Download
memory/848-54-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-11-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/848-13-0x000000001AF20000-0x000000001B0DA000-memory.dmp

Filesize
1.7MB

Download
memory/848-12-0x00007FFF2F620000-0x00007FFF300E1000-memory.dmp

Filesize
10.8MB

Download
memory/848-14-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-15-0x000000001B1C0000-0x000000001B1D0000-memory.dmp

Filesize
64KB

Download
memory/848-16-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-18-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-20-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-22-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-24-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-26-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-28-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-30-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-32-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-34-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-36-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-38-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-40-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-42-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-44-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-46-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-48-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-50-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-52-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-56-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-58-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-60-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-62-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-64-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-66-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-68-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-3642-0x00007FFF4D5F0000-0x00007FFF4D6AE000-memory.dmp

Filesize
760KB

Download
memory/848-3640-0x00007FFF2F620000-0x00007FFF300E1000-memory.dmp

Filesize
10.8MB

Download
memory/848-70-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-72-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-74-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-76-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-78-0x000000001AF20000-0x000000001B0D4000-memory.dmp

Filesize
1.7MB

Download
memory/848-3525-0x00007FFF2F620000-0x00007FFF300E1000-memory.dmp

Filesize
10.8MB

Download
memory/848-3587-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/848-3586-0x000000001B1C0000-0x000000001B1D0000-memory.dmp

Filesize
64KB

Download
memory/848-3588-0x000000001B1C0000-0x000000001B1D0000-memory.dmp

Filesize
64KB

Download
memory/848-3590-0x0000000002570000-0x000000000257E000-memory.dmp

Filesize
56KB

Download
memory/848-3592-0x00007FFF4D5E0000-0x00007FFF4D5E1000-memory.dmp

Filesize
4KB

Download
memory/848-3593-0x00007FFF4D5F0000-0x00007FFF4D6AE000-memory.dmp

Filesize
760KB

Download
memory/848-3599-0x00007FFF4D5C0000-0x00007FFF4D5C1000-memory.dmp

Filesize
4KB

Download
memory/848-3598-0x0000000002580000-0x000000000258C000-memory.dmp

Filesize
48KB

Download
memory/848-3596-0x00007FFF4D5D0000-0x00007FFF4D5D1000-memory.dmp

Filesize
4KB

Download
memory/848-3595-0x000000001AED0000-0x000000001AEE2000-memory.dmp

Filesize
72KB

Download
memory/1960-3632-0x00007FFF2F620000-0x00007FFF300E1000-memory.dmp

Filesize
10.8MB

Download
memory/1960-3633-0x000001D7B3440000-0x000001D7B3450000-memory.dmp

Filesize
64KB

Download
memory/1960-3711-0x00007FFF2F620000-0x00007FFF300E1000-memory.dmp

Filesize
10.8MB

Download
memory/1960-3653-0x000001D7B3360000-0x000001D7B3382000-memory.dmp

Filesize
136KB

Download
memory/1960-3634-0x000001D7B3440000-0x000001D7B3450000-memory.dmp

Filesize
64KB

Download
memory/2052-6245-0x00007FFF2F620000-0x00007FFF300E1000-memory.dmp

Filesize
10.8MB

Download
memory/2052-11232-0x00007FFF2F620000-0x00007FFF300E1000-memory.dmp

Filesize
10.8MB

Download
memory/2052-11135-0x0000000001380000-0x0000000001381000-memory.dmp

Filesize
4KB

Download
memory/2052-8495-0x00007FFF2F620000-0x00007FFF300E1000-memory.dmp

Filesize
10.8MB

Download
memory/2052-6248-0x000000001BC50000-0x000000001BC60000-memory.dmp

Filesize
64KB

Download
memory/2052-8513-0x000000001BC50000-0x000000001BC60000-memory.dmp

Filesize
64KB

Download
memory/2268-3719-0x00007FFF2F620000-0x00007FFF300E1000-memory.dmp

Filesize
10.8MB

Download
memory/2268-3639-0x0000014D72800000-0x0000014D72810000-memory.dmp

Filesize
64KB

Download
memory/2268-3704-0x00007FFF2F620000-0x00007FFF300E1000-memory.dmp

Filesize
10.8MB

Download
memory/2268-3641-0x0000014D72800000-0x0000014D72810000-memory.dmp

Filesize
64KB

Download
memory/2268-3707-0x0000014D72800000-0x0000014D72810000-memory.dmp

Filesize
64KB

Download
memory/2472-3732-0x00007FFF2F620000-0x00007FFF300E1000-memory.dmp

Filesize
10.8MB

Download
memory/2472-3638-0x00000187BA1C0000-0x00000187BA1D0000-memory.dmp

Filesize
64KB

Download
memory/2472-3691-0x00007FFF2F620000-0x00007FFF300E1000-memory.dmp

Filesize
10.8MB

Download
memory/2492-12403-0x00007FFF2F620000-0x00007FFF300E1000-memory.dmp

Filesize
10.8MB

Download
memory/2736-3662-0x00007FFF2F620000-0x00007FFF300E1000-memory.dmp

Filesize
10.8MB

Download
memory/2736-3723-0x00007FFF2F620000-0x00007FFF300E1000-memory.dmp

Filesize
10.8MB

Download
memory/2736-3635-0x0000026019AC0000-0x0000026019AD0000-memory.dmp

Filesize
64KB

Download
memory/2736-3637-0x0000026019AC0000-0x0000026019AD0000-memory.dmp

Filesize
64KB

Download
memory/3732-3735-0x000000001BA90000-0x000000001BAA0000-memory.dmp

Filesize
64KB

Download
memory/3732-8503-0x00007FFF4D5D0000-0x00007FFF4D5D1000-memory.dmp

Filesize
4KB

Download
memory/3732-8515-0x00007FFF4D5C0000-0x00007FFF4D5C1000-memory.dmp

Filesize
4KB

Download
memory/3732-6978-0x000000001BA90000-0x000000001BAA0000-memory.dmp

Filesize
64KB

Download
memory/3732-6621-0x00007FFF2F620000-0x00007FFF300E1000-memory.dmp

Filesize
10.8MB

Download
memory/3732-8489-0x000000001BA90000-0x000000001BAA0000-memory.dmp

Filesize
64KB

Download
memory/3732-8438-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/3732-8498-0x00007FFF4D5F0000-0x00007FFF4D6AE000-memory.dmp

Filesize
760KB

Download
memory/3732-3734-0x00007FFF2F620000-0x00007FFF300E1000-memory.dmp

Filesize
10.8MB

Download
memory/3732-8457-0x000000001BA90000-0x000000001BAA0000-memory.dmp

Filesize
64KB

Download
memory/3732-11191-0x00007FFF4D5F0000-0x00007FFF4D6AE000-memory.dmp

Filesize
760KB

Download
memory/3732-11190-0x000000001BA90000-0x000000001BAA0000-memory.dmp

Filesize
64KB

Download
memory/3732-8501-0x00007FFF4D5E0000-0x00007FFF4D5E1000-memory.dmp

Filesize
4KB

Download
memory/3732-11134-0x000000001BA90000-0x000000001BAA0000-memory.dmp

Filesize
64KB

Download
memory/4144-3724-0x00007FFF2F620000-0x00007FFF300E1000-memory.dmp

Filesize
10.8MB

Download
memory/4144-3655-0x000002B2FF890000-0x000002B2FF8A0000-memory.dmp

Filesize
64KB

Download
memory/4144-3706-0x00007FFF2F620000-0x00007FFF300E1000-memory.dmp

Filesize
10.8MB

Download
memory/4144-3654-0x000002B2FF890000-0x000002B2FF8A0000-memory.dmp

Filesize
64KB

Download
memory/4844-3643-0x000001C8B1A40000-0x000001C8B1A50000-memory.dmp

Filesize
64KB

Download
memory/4844-3656-0x00007FFF2F620000-0x00007FFF300E1000-memory.dmp

Filesize
10.8MB

Download
memory/4844-3731-0x00007FFF2F620000-0x00007FFF300E1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads