darkgate | hxxp://194[.]26[.]192[.]57/

Resubmissions

04-05-2024 21:11

240504-z11ycsed93 8

04-05-2024 21:04

240504-zwpdrsec53 10

Analysis

max time kernel
348s
max time network
346s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://194.26.192.57/

Score

10^/10

darkgate rjacline6662 execution persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

rjacline6662

91.92.245.171

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
8094
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
pfHDzZpK
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
rjacline6662

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 6 IoCs

resource	yara_rule
behavioral1/memory/2484-409-0x0000000002360000-0x0000000002B02000-memory.dmp	family_darkgate_v6
behavioral1/memory/2484-417-0x0000000002360000-0x0000000002B02000-memory.dmp	family_darkgate_v6
behavioral1/memory/2484-415-0x0000000002360000-0x0000000002B02000-memory.dmp	family_darkgate_v6
behavioral1/memory/2484-416-0x0000000002360000-0x0000000002B02000-memory.dmp	family_darkgate_v6
behavioral1/memory/2484-418-0x0000000002360000-0x0000000002B02000-memory.dmp	family_darkgate_v6
behavioral1/memory/5344-420-0x0000000002BE0000-0x0000000003382000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 5360 created 5184	5360	wimzox.exe	146
PID 2484 created 3836	2484	GoogleUpdateCore.exe	59
PID 2484 created 1696	2484	GoogleUpdateCore.exe	72

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
608	retro.exe
6136	retro.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FbEHAfa = "C:\\ProgramData\\hkbdgch\\Autoit3.exe C:\\ProgramData\\hkbdgch\\dbbcedk.a3x"	GoogleUpdateCore.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5808	powershell.exe
5184	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wimzox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wimzox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133593302706629022"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	retro.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	retro.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	retro.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	retro.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	retro.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	retro.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	retro.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	retro.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	retro.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	retro.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	retro.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	retro.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	retro.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	retro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	retro.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	retro.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	retro.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	retro.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	retro.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	retro.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	chrome.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
224	chrome.exe
224	chrome.exe
5808	powershell.exe
5808	powershell.exe
5808	powershell.exe
5184	powershell.exe
5184	powershell.exe
5184	powershell.exe
5456	chrome.exe
5456	chrome.exe
5456	chrome.exe
5456	chrome.exe
5360	wimzox.exe
5360	wimzox.exe
5360	wimzox.exe
5360	wimzox.exe
2484	GoogleUpdateCore.exe
2484	GoogleUpdateCore.exe
2484	GoogleUpdateCore.exe
2484	GoogleUpdateCore.exe
2484	GoogleUpdateCore.exe
2484	GoogleUpdateCore.exe
5344	GoogleUpdateCore.exe
5344	GoogleUpdateCore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2484	GoogleUpdateCore.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
608	retro.exe
5556	chrome.exe
5556	chrome.exe
4548	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 4512	224	chrome.exe	83
PID 224 wrote to memory of 4512	224	chrome.exe	83
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1384	224	chrome.exe	84
PID 224 wrote to memory of 1740	224	chrome.exe	85
PID 224 wrote to memory of 1740	224	chrome.exe	85
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86
PID 224 wrote to memory of 3000	224	chrome.exe	86

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3836

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1696
- C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://194.26.192.57/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffefc93cc40,0x7ffefc93cc4c,0x7ffefc93cc58
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2180,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2464 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4652,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4784,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5020,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4760,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5592,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5576,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5908,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5936,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5912 /prefetch:8
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5424,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6228 /prefetch:8
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5944,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  PID:2292
- C:\Users\Admin\Downloads\retro.exe
  "C:\Users\Admin\Downloads\retro.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3896,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4552,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5932,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5588,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6316,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6448,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6420 /prefetch:8
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5088,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6532 /prefetch:8
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6676,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6548 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6740,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6884 /prefetch:8
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6748,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6908 /prefetch:8
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6460,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6868 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6404,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6420 /prefetch:8
  2⤵
  PID:5532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=724,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5348,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1176 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6360,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6292 /prefetch:8
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6388,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6436 /prefetch:8
  2⤵
  PID:6032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4868,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2384 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6996,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6228 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6716,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6356 /prefetch:8
  2⤵
  PID:5216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5316,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6896 /prefetch:8
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6420,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6888 /prefetch:8
  2⤵
  PID:5800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7176,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6656 /prefetch:8
  2⤵
  PID:5728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6368,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  PID:5684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6992,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6592 /prefetch:8
  2⤵
  PID:4188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4564,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  PID:3092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7352,i,730518796182775302,3863943235394285923,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6988 /prefetch:8
  2⤵
  PID:5704

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:64

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4476

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\Downloads'
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5808
- C:\Users\Admin\Downloads\retro.exe
  "C:\Users\Admin\Downloads\retro.exe" .\greenx.a3x
  2⤵
  - Executes dropped EXE
  PID:6136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Public'
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5184
- C:\Users\Public\retro.exe
  "C:\Users\Public\retro.exe" .\greenx.a3x
  2⤵
  PID:3076
- C:\Users\Public\retro.exe
  "C:\Users\Public\retro.exe" .\greenx.a3x
  2⤵
  PID:3452
- C:\Users\Public\wimzox.exe
  "C:\Users\Public\wimzox.exe" C:\Users\Public\qoizjxn.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5360
- C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hkbdgch\dbbcedk.a3x

Filesize
585KB

MD5
2a86292fdf9c5cfc38f1be079b7a7cd3

SHA1
0a627cd9403bbea703ae05756423f8cf9cd81e80

SHA256
cde9a8bf78bbff3ef61ca5aef5344e752ecab26bb0dcae538a81720739e62a0d

SHA512
8697a4cf39dd74724ae8e46c6862e40ea4b49739d8b8bd8672162a73750de929a19ce9e81ce18b9c5d123fa7fef4d375ce8e48d61a8c2f88c71ba001ae6da6bf

Download Submit
C:\ProgramData\hkbdgch\eaccbdh

Filesize
1KB

MD5
7285d390f8972f27caf089a774186631

SHA1
5189bd59e2bcf89acaac9433c6ff87e6218edf41

SHA256
716498fe8ffd4d0e75ea403c5684c91f9dda748ea2f937cbf099dd16e022dad4

SHA512
f40afb43cdfed05c9d957ad6c433dc88e8f249a32095eda367252be174022c755a4bead80c2fee8db90574743f8c81bf72557562e234afb3029f3e686ea0af88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\5368a25d-70ac-47ce-b45e-06309e5ff54f.tmp

Filesize
9KB

MD5
23b0224f1d40c7072ec37708f3be8f48

SHA1
7615a76a4e8598e45207a0ddd9663caaf7c9566a

SHA256
df7165f8244ba4da61a798f5d70681be7cf8e0c271850c0a5bb4218da971405f

SHA512
2b02a092e27915e2496c0d6d5b087b80c24c342879f55f86f1307fc781427e4bda645da6927f9224603c5d1d9f347960b4db6c868cc96540b15ec163321be531

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e86b200815a9183a061fe5604eec0b2f

SHA1
ccb77ba4e2fde4f5ec06d654dcd21dd4882ce7bf

SHA256
86ea6a6cd93b27480eb4a8d3619edb539b5e9bde9acf1167ec0d1da748153b1c

SHA512
a4d34eafa2e1c334452775362f5260671237edd6a7c82d4ca62a64cfc41acb8f7bb73b508987785d12a8ee0d4bd263b354314681fee1405836566b3b94d4ad5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
22ad8c92fe21010d0b2d9dd61e90767b

SHA1
91f78edf72e1a1a33c4ab539ea0de78e05433080

SHA256
1d84a532a98d9ec30d0ac5ad0468272b113fe85ed3329bc78e6ce44884d8dd2a

SHA512
830f784349d6387127766270b6668989023ccb90d341cd526a25e83b4fe6762289d6f6f96fd5036fb3f70cce2128eca34ea1db57cf21404fb940b630a688dcd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
122bc4ac8ead19a8335bf444100dd596

SHA1
48d3923bcbfae7cf85ba4928679d4b638f326cfb

SHA256
f67dfa55de0b83a6631ce36145070851c634bf38a35ef4b2f1c18d57bc5b58a6

SHA512
a182747b27fed7776f7c658832326037a9c06b5d1d8f1a1aa1cdcd692a94c900f544947617bb9338f009565dae92bf9fcc57ba5c1cb524781b7a768273048017

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
702fd795f34a70d58f2fad8d0abcacbd

SHA1
990d48d0a17b420d5ec55d353f20ccbe3c565b1c

SHA256
4376f7bfd590e6abac6bf9db1341c46928229058876face50b21bf79bec8d84c

SHA512
d14f2a38ef56807733c55369f3f904cc6a92a35e9d837d6921efb56e4128f44e965426877835479a79421de744aa469798448ef083d88804f3fab1c61231a3d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
029323175b0e4be871756e9161583585

SHA1
a58acc93de0094c7d03dfa7f8952990f22966060

SHA256
6f75f024ee79d38f9a1ce3be0254e193f18912966d8d301edb18b3936ca8c88c

SHA512
389d82e7b20576d6573d3224908dea14d5da8e51c540f4f71577bedf4ef2a158087576d33bfe993b78c6b7da8ee34af1fe924bd85390dc3882b22ed662373391

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c80152951a49825a4c61555d6b58e5fc

SHA1
13f8015a80de8aae156911a82fc627b240296a2d

SHA256
500253c2da38bc2e889941d763d47a2da1cc3ccbf533ca9940e40d7c9682edf4

SHA512
cf2936a92242956952b3a0d92cacf7a76521e700cc64bc1d7dbae9c82441fe77893726ca8203346e64e332341850b726733d6fd483ae10ce1680d017eeca9a14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
691f9b26247ddd30f0c971bd9616e644

SHA1
16824f295d08f4a0b2265da85896d8c3073dc911

SHA256
31d3e9f1de41d9cc4fb981c1fb28e52a853a6499016953b809b341eb02b05f44

SHA512
45e56c338823c30dfe301fa65bb9413d8f4056d391c639f62db5e1202fbbf37cfa198d0c3dc6ba069924242c841b2b0e894ec94cf51d6ff4265dc3fed24dd7bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e0c9b217020c744e71909d0bc114344f

SHA1
3be19c445142c26cdba0453eff212930c10111d9

SHA256
b3b1709e9879f2b02cba8dd7cd440500f14efd880de7aa198759ca1583f2e0f9

SHA512
9bf8589e004eef3bf81264eb4b0c0d5069184d00fcef6dd20a316cbc7ac08760296328330a89d8e01016c289f34f06091083a751b28e8d4a97dc0b687f48dc35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
84a9eb9cbb648b1f1a85ab19406f8a50

SHA1
cd00a544d43505c1b7b4bd8fd6a3841c017b4850

SHA256
a4350df9f07048e074e7f245c2a917690e1e2f96b15b5f3d23687d62a992fa78

SHA512
588b82a2e2d37541f6531a8739eac5cead53d2ffd477739d3a28772be8f776ac64cc327859ea06f26fde75675960cdbdf36728bccf888fa90cbc0ddb20a5c26f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7828657dafe5278385aac034c4d5cd4a

SHA1
dc8f9c79d6e218d53f444b6e93cccebe2fe4e1d5

SHA256
d5196cd89f3d381a9c65d4665a4e379f4cb47efa1d00d87c3c6084c32db4485e

SHA512
11b520753120364953d0dc655cd2888572cb3084f0f9d41d877303481a4a462264641f3917e20da5a975f25a5991d1f60a741882cbbd055753d433c0f7246205

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2ca2589d901df0ba23338564c6f1029c

SHA1
676638cd3bead5ce1569f9716bc37a96c5a20492

SHA256
7c9c7e18b73cef58c346a8a8916671c0977a5055430fd4285a7322de6bdd45b7

SHA512
e4808a2ea7bdf4da954c270a359ae6f3bad4603663e87e07ece4a81d013bf69e20a9893fe0bc362b70bb6026644e92f97e389e74fa11e89a19caf9cea434ef96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
34930841356afdbe61e7800a18832bfd

SHA1
8096864d1e0cf812f12d792dad860b77101ca427

SHA256
71c0a9987b3495919fd21c5124d87e38b5511ad53b311d98affb71c59894269f

SHA512
c8940242baf29d523513789f98854a83beb5c46a151d1f6dfbc77ea7465dfd4d9b101816ac8ad6e232c4907638d367add164680743182e562da4c3ea789ebb2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9b3e2ace5155cb33196fabb57795749f

SHA1
c7892ed65e0eebeffae0051d3911b995b343e1e6

SHA256
22cd7ccce4b7b0d446114a897c01990af655ddad51113ca377f457b4f2cd0c92

SHA512
8274d99df274748ebd1042395db418f6d883fa63bf7bcc230e59fa303aed3fa075ecbd545fe195391eaab27beb79c62a14715687377c9543ac491f1e69aa3bc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b644584f3b552aa84e893e1dc2da3f8a

SHA1
45e3625b415c9fb26b6fe312ec19d78872db5f32

SHA256
46f7845f5444f2166c7c59f14500657c16bcca452593b8206541d68a16343650

SHA512
ab6597e2d1b1bd1d17da17e2cbd476f58707cf103c50ac15d9cdccc2dd62989019f0dba4e339cb1d728fbb6c202fe1fea2a7123bb7d110805419930273c7d444

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a8cc0d84af88b7655ed60e0ef62da6a1

SHA1
4d33af1180cf533ad246113c09fc1a020caf196b

SHA256
f14b4e36bc0650376210d11c0c10491bbd996258307099cfb8ccb4389a98dc70

SHA512
6512fa5bcd4981064f980fa3da965e6c4256a7d7bd86e3cbd744ff2fe3f73a4c2fd1d2aa5dac9069ea0eab9adc84eb3cf21c8e5deeaca72ed73b36676020bd49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1722d86bff179b31405209ab39f3b866

SHA1
4de96480ef49654165bbfa933fe3a9e2666d8be7

SHA256
48cd879ff957499174ce1db25a8db915a8b67c2d23eb5f3e2061c10e564da6a8

SHA512
9392369896f412cfb10c1121ee34590e858344007cd9c19b450ae215804179176fc889036cf459fb1df36fbd0fc056264fae98747b0907adb7d0e55aaf83f631

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
440454f4a4ca46ca3ef49e6152e3730f

SHA1
f03dc369beef599886d656be4360649c00459ec6

SHA256
d51755dd3a7b483c39e3235d69d1369734f3b1514f9c8dd152ba7f693b024739

SHA512
b6203a2c4dc3a8e6186e39a7112e6afec78a3141c60d43a92b6153e2423aefc1ac5d8b8c91a93db8511e397e1474877a18ff3d2de2302bafb13afa1738d2af82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
94618ccf96f741031dea6e42b314b1e5

SHA1
c219353d6e350e7105c668f152d3413d38d535b5

SHA256
19bf934b8334610a954be1269b7334ef2d8611b1164bf0900b29813ce03ccaf4

SHA512
b92ed9ca3647f057540e0085af38b6c6f8729af5cb9ca1c35a1c5c56022841e957ae9e527fd3deb37aef5edf200290d4dc61396e87d8f0305d7889b4c69d2150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
562483ee298bad165d77086a467a1b81

SHA1
d91119549333ecc9fe3599e31a6896deb6de6a13

SHA256
a34a22d0935e409d8d4d0543c4050b9412f501a9f53eccaa832c19f66d14b40a

SHA512
c277fd78f073c2b019edeba70967a3c4cda0819ee93a0eb5d89ecfe136e18e86db1afefdabd24ac22997f9c325cd21d970e8f95848c39d1fc47e35d9b36c2e2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2b6db04a49a802f74e87b2334af249d1

SHA1
058e5168c5f2a78402f8b04cd592619594863716

SHA256
a5f18ea21fc7290bc08d8fc8d76ae5adc6aef5051265abc232ff2035aa45c3f6

SHA512
56fb93f66f319d8b1ae2569503b8f765d2772b1d3d6575b69d29603f742f8f19c7caa91412ddc8f3b84972f63bfeb7b641763617eb78fc7042f27c7fb9d749fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1adacf9a9f0da8d34f81f0e9dbc6f9c1

SHA1
8934a3253478c90c46b3b3f5ac97238ca469c090

SHA256
e52368ad94d86f786b6a9c672a23bf384c79b7bfa47e4ec3310b081a5640edec

SHA512
44f15a481e93c80d53b8f4489729a88f0d384828666fcf3e6b58f986fa05c75e33f062a87a7b84c78d36b226b5c94a179f8e15279964044009beaef762001edf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e4518888f184f987ce8bb938f4b7053b

SHA1
832918498ef0734d722704a40dbedd91adf5cda8

SHA256
39aa4c1dbc2cea0a2105531b35cd9477dea0c48e32c73e95ce7751c233a16217

SHA512
d9249361053a7018ece2ed1e8b79a4f32decd993118909cceecf7e8406d2bd4db74fffdb3957cb8f3d30bf6ecd86fb867dae1421de227c6ea70d0c61861b5892

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b244cea1d911c7f2ed7587173e5223d0

SHA1
6af556ed4f095281cbbca17a659086b3a3a527ab

SHA256
7ca86ba35c71206627951d7d000606ecdf8b9b776b5db43c2def96de7917a676

SHA512
503c67331c68a0d51d07d57e02720efc16c957d23cf1cae5f42ea86b83626f3431da6d259fcdbd14a6f35f86b81dd7a3188532bac442be56214a997eacc1fd20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
b9e221cfbb06a18cc5a5cb94e41aeb2d

SHA1
ab3dd90968f4c73cd7a101b359a1ffa65a02dc0a

SHA256
a7a2f6c666f0419e703a817c5861deb923569d6681a95bfe991f381365678958

SHA512
2f56810e1f82737c7e4259f1fc272fa0b94b723468bb75b54b165bbe5d1a8f0e93a1e089c63b449964fe86651bc887ffaa954fb4d786bcd35187f16c662ad873

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
57819b3ace0bd82f04ebba80ae4b4b85

SHA1
92d52c6ab16662ccd1ad22d41af26f96e28a3bd6

SHA256
a6219326b499193995c805461d8355e79f9903c1d33be6d187312f3e890a9079

SHA512
48938a9f83db5e90dbab129371af27bfbb9ba12338c66a2f1c068493b35ec7d7db20f06f3f4ddd57e6332382b846441e3b4c5d863c3cd5c360ff713b5c2d6883

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
2def6287146c7c3146cdff72e014282f

SHA1
06ec5cbb9e46e32a7cda695f9c97cd9d1067bc5b

SHA256
f4b670ee126151e1192893fb0cf79d88e9aab55d4a60f583ac8ae4c9893b631e

SHA512
781bfc8dc55d6d212fe1ead5005ba5ce30b3ce185e3247700e9cff36ba77d0add4ad4e97f3a2d3c5efea6fa2a933fda31383687ef5efd9ca0c0c568c923feaf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pstfawgy.4dg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\FbEHAfa

Filesize
32B

MD5
7a708f499c9302e7edfcc93ac373ddcb

SHA1
ced7e56c7eaf9f066323eb706f5551843f4ed3de

SHA256
832792f61d322ddb1926ae864f8f7b77f24c42451f15802eda4f8787fb7eda64

SHA512
df7ac3c2fa125f02eaacf8ec8712ceb1e42e5571e815f0328ce48d168089c53089f0c321cbbb310c5af58f0a0d57d736a4c3dc250abd990407df52fde07ff6f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
52B

MD5
f7349ecb22643c81c953b2d53ce4354f

SHA1
39946383b4f3d0e498c26cb05367bd03f88c8e30

SHA256
72a72bd5e488aa4cd9b273ee24d596928d3933a566cb3e9cf5dff22855845068

SHA512
cb62b8a7ecaa2da09f33c1147ca57a9b5150f09e61210048c74b241916df0285eb3d43c2ae01eaad39346db640b6ea92ff7e4d7a523c6a2dcda72c2d5792300f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
78B

MD5
7994bbc017f5ed4640759eb6e6890bf1

SHA1
148f02bb1b7c3d1e8ad23a4e26c4d00b34b883af

SHA256
784075bc05c04178611b5a95dc689c8efbeaf8338ecc8ef6a82dd65e2fe1e055

SHA512
468acd7841ea4af3be403d0b06447fc3826ec2c3e24f23a0116eecba59c3fb9d58aecccc9a0083b4bc3b6fc9fbcb85f6bdeb69487302012e2371b08d22f84935

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
91B

MD5
c438b238fca763642f641533072e7f84

SHA1
2872396e85f495bbeacb1a426db2ff026c648a02

SHA256
6ef93519028bffe0e86f4844066d6aba7ba7e8a5ff51513bbc33290ca010a96e

SHA512
8f1ae9a687c20c8e791757bf7ca1303a7b9f9e60664d62266935015100549a592fece92fd9700f6a61963b5b3ab12049e7139924cb51c7b2e0c9b176608104a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
5KB

MD5
93d925cde68ea6382a4ac9b783f2c1df

SHA1
d5d74b137d88afafd8c412ba7fa846cbee4069d8

SHA256
b887b38c09bae9c89d151fb971b0059e5f6138430b2c4e62ba7f3fa68476b5f6

SHA512
e981747526f5073fd57e40f21c8640c5f3a198faae7affb22e0d3a6aca6bbd514e500437a62f996c27ea556175e38bfa9abea5bb867f9d88577e8346bef16440

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
5KB

MD5
64e2356adc20835490da6e98a95cf4e1

SHA1
597b1bbd59ddeff84578104e490c58a6acfc86ed

SHA256
fa72483e53c96648f3360f8dc6470aaf241b2bb3994f597e5399e836c8a5a0c8

SHA512
61d6751577cced13adb38c41b9d747b99bb6d8f688457a63ba8259275f3ffd65539163a63933b23674d33e1bfa426bbacf84363f04ee871d4805a5bf040c499d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 835929.crdownload

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\Downloads\greenx.a3x.crdownload

Filesize
518KB

MD5
b0337aaf71c24bfc36562dc9e25183a2

SHA1
b2da9fc635bbfd754c30fee48eb1f1f466d4a5a9

SHA256
1e77b9576955e21bff72e9e29c9549756ea79562664378cc04664bcbcdc598f1

SHA512
1b7ea31c9841cb621db387f400ee6201ab4a831eeb91db427d267aab89bcc948a7b373fe909b3a92a3beef13ad968728b36a242c23b05eabef90a3cf1e7e06a3

Download Submit
C:\Users\Admin\Downloads\qoizjxn.a3x.crdownload

Filesize
577KB

MD5
bd9566d06de8a7cf1db8ed21656a779b

SHA1
ef338a25b82813d50a9e4c3feffefbeae04de4c9

SHA256
e562d203776c940a9bc62c559aa014fe6296cfcc5945d098dcfeab29dfca3365

SHA512
7198bafe5fe60a18ffaaffd232aa280185af217970608ea7471073537ed73808ee603881d158ef0364e766b2c115b032231049fdaba53997e6e22976a19c244a

Download Submit
C:\Users\Public\test.txt

Filesize
76B

MD5
998f200bfe2918ca4dce5b0fd88106fe

SHA1
ab50c0f3f569c1cbe0137201192c7051072fc549

SHA256
b6a21e9b49f16a8836eba2995d2ea0c29bdd0090e31111188d7e3e6de9f84887

SHA512
3082cde6d393953182810e1ad60fa70529441e5f9505eaadaf77bb67eb623431b0c8fe20184b4b8d0799e11a0e996dad7f7f3f5f8b0a61c064e0f9ec3f3a7caa

Download Submit
C:\temp\bcbbahb

Filesize
4B

MD5
2bccc5aac582b85018d0f35b35f55328

SHA1
a3d8ea5439aa708e15374c8b682a9ab51a4eb527

SHA256
fc5d833c73401ff5da2186feaf6239d96891e56b903b44feb3df2900b746866b

SHA512
ddef1d5369ea64c60b1e5af9a5fd0341f3031440eba7611b050a8171e08680d848c3dc21136db7d193bc24f07b1f891e900f58c317f630c1abab5c5cf6db989f

Download Submit
C:\temp\bcbbahb

Filesize
4B

MD5
66e85c8ad672744b0583577bd5f27ebd

SHA1
4435155d88563f98061bfad061797f92bf46aaed

SHA256
5f18450098a3a280278dcdfb9080136b87cbb60cdc7be8be62d00f7070af43c1

SHA512
b074e41b8b020d46138a06a0ff4b5458905d09a7304082d28a67e8397f3358f3a1281e5dad5c6c0c11cf67fc22c2c780093e27678eea83a572e359982fbba4a0

Download Submit
C:\temp\cbeacdk

Filesize
4B

MD5
02cd1ce0886d36be1b53105be833b581

SHA1
7b5de89a369896333d4dd54693502cf1b32b5804

SHA256
2144f89846be59d91fb530af9330a349de451de9f19c98b5d82cf7c4ffb62dd7

SHA512
e56275797300c41c36085ac22ad0bdf8c23693304b88b795f1ab7e3d05a2c8d4c7e11ffcd2e8090cbddc02b8742e945f23157cd0021d3883206ddafeff861bc9

Download Submit
memory/2484-409-0x0000000002360000-0x0000000002B02000-memory.dmp

Filesize
7.6MB

Download
memory/2484-417-0x0000000002360000-0x0000000002B02000-memory.dmp

Filesize
7.6MB

Download
memory/2484-415-0x0000000002360000-0x0000000002B02000-memory.dmp

Filesize
7.6MB

Download
memory/2484-416-0x0000000002360000-0x0000000002B02000-memory.dmp

Filesize
7.6MB

Download
memory/2484-418-0x0000000002360000-0x0000000002B02000-memory.dmp

Filesize
7.6MB

Download
memory/5184-288-0x0000017EBC740000-0x0000017EBD201000-memory.dmp

Filesize
10.8MB

Download
memory/5184-251-0x0000017EBC740000-0x0000017EBD201000-memory.dmp

Filesize
10.8MB

Download
memory/5184-361-0x0000017EBC740000-0x0000017EBD201000-memory.dmp

Filesize
10.8MB

Download
memory/5184-453-0x0000017EBC740000-0x0000017EBD201000-memory.dmp

Filesize
10.8MB

Download
memory/5184-441-0x0000017EBC740000-0x0000017EBD201000-memory.dmp

Filesize
10.8MB

Download
memory/5184-431-0x0000017EBC740000-0x0000017EBD201000-memory.dmp

Filesize
10.8MB

Download
memory/5184-383-0x0000017EBC740000-0x0000017EBD201000-memory.dmp

Filesize
10.8MB

Download
memory/5184-384-0x0000017EBC740000-0x0000017EBD201000-memory.dmp

Filesize
10.8MB

Download
memory/5184-229-0x0000017EBC740000-0x0000017EBD201000-memory.dmp

Filesize
10.8MB

Download
memory/5184-316-0x0000017EBC740000-0x0000017EBD201000-memory.dmp

Filesize
10.8MB

Download
memory/5184-276-0x0000017EBC740000-0x0000017EBD201000-memory.dmp

Filesize
10.8MB

Download
memory/5184-240-0x0000017EBC740000-0x0000017EBD201000-memory.dmp

Filesize
10.8MB

Download
memory/5184-410-0x0000017EBC740000-0x0000017EBD201000-memory.dmp

Filesize
10.8MB

Download
memory/5344-420-0x0000000002BE0000-0x0000000003382000-memory.dmp

Filesize
7.6MB

Download
memory/5808-180-0x000001572A140000-0x000001572AC01000-memory.dmp

Filesize
10.8MB

Download
memory/5808-142-0x0000015743500000-0x0000015743576000-memory.dmp

Filesize
472KB

Download
memory/5808-273-0x000001572A140000-0x000001572AC01000-memory.dmp

Filesize
10.8MB

Download
memory/5808-146-0x0000015743580000-0x000001574359E000-memory.dmp

Filesize
120KB

Download
memory/5808-261-0x000001572A140000-0x000001572AC01000-memory.dmp

Filesize
10.8MB

Download
memory/5808-217-0x000001572A140000-0x000001572AC01000-memory.dmp

Filesize
10.8MB

Download
memory/5808-141-0x00000157434B0000-0x00000157434F4000-memory.dmp

Filesize
272KB

Download
memory/5808-143-0x000001572A140000-0x000001572AC01000-memory.dmp

Filesize
10.8MB

Download
memory/5808-140-0x0000015742FB0000-0x0000015742FD2000-memory.dmp

Filesize
136KB

Download
memory/5808-160-0x000001572A140000-0x000001572AC01000-memory.dmp

Filesize
10.8MB

Download
memory/5808-230-0x000001572A140000-0x000001572AC01000-memory.dmp

Filesize
10.8MB

Download
memory/5808-190-0x000001572A140000-0x000001572AC01000-memory.dmp

Filesize
10.8MB

Download
memory/5808-241-0x000001572A140000-0x000001572AC01000-memory.dmp

Filesize
10.8MB

Download
memory/5808-177-0x000001572A140000-0x000001572AC01000-memory.dmp

Filesize
10.8MB

Download