discordrat | 1a44ce70ba73de7159f78b7775a588f97657e1c991bc98c1394d5c0075994ea9

Analysis

max time kernel
217s
max time network
349s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 04:27

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

debff807992d6ab1c4d7ce874cbe5c76
SHA1

aa0994bb764049500dd24dc80016712b23fb604b
SHA256

73cffd144f64cb6db1760979226341a2672a1c423acad623665abc20f2b497fa
SHA512

2f620659102d4f1fd065cc857fe2ca25c0ba6f3fc3a9834581a3d9c3b4628191e8a18f08c502e42e4dee98e09efc755a5154e96059a6100446a89c66ebb2e5bb
SSDEEP

1536:WIWOBaZ84c6gEz5De2FzNDnghTAsKFbOZGdndxRKDIZ8Ud0DGMpbDNr1+uexCxoK:WIWOBaZ84c6gEz5De2FzNDnghTdWd7Kf

Score

10^/10

discordrat evasion execution persistence privilege_escalation rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1NjA3MjI4MTE3NjkzMjQwMg.GxD9m_.zzsnEGguqBxqJmCsGwZDpT0jW55Z5MKiEbx3N8
server_id
1256072040117698732

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4216 created 616	4216	Client-built.exe	5

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2180	powershell.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3648	NetSh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 31 IoCs

Web Service

T1102

flow	ioc
21	discord.com
94	discord.com
109	discord.com
81	discord.com
90	discord.com
91	discord.com
96	discord.com
121	discord.com
120	discord.com
112	discord.com
113	discord.com
8	discord.com
9	discord.com
52	discord.com
54	raw.githubusercontent.com
88	raw.githubusercontent.com
89	discord.com
111	discord.com
122	discord.com
53	raw.githubusercontent.com
55	discord.com
105	discord.com
107	discord.com
95	discord.com
106	discord.com
108	discord.com
110	discord.com
56	discord.com
86	discord.com
92	discord.com
93	discord.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4216 set thread context of 1608	4216	Client-built.exe	113

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	RuntimeBroker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645409981247323"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 7d021f002d02d5dfa3231f020400000000001b0200003153505305d5cdd59c2e1b10939708002b2cf9ae5b01000012000000004100750074006f004c006900730074000000420000001e000000700072006f00700034003200390034003900360037003200390035000000000012010000aea54e38e1ad8a4e8a9b7bea78fff1e9060000800000000001000000020000800100000001000000020000002000000000000000160014001f50e04fd020ea3a6910a2d808002b30309d0000000000000000000000000000000000000000000001000000010000800100000004006900740065006d00000000000000000000000000000000000000000000000000000000000000000000000000000000001e1ade7f318ba54993b86be14cfa4943ffffffffffffffffffffffff00000000010000001900530065006100720063006800200052006500730075006c0074007300200069006e00200054006800690073002000500043000000000000000000000000000000000000000000000000000000000000003900000024000000004100750074006f006c0069007300740043006100630068006500540069006d00650000001400000099be64720f0000006b00000022000000004100750074006f006c00690073007400430061006300680065004b006500790000001f0000001b000000530065006100720063006800200052006500730075006c0074007300200069006e002000540068006900730020005000430030000000000000000000000000000000741a595e96dfd3488d671733bcee28ba671b730433d90a4590e64acd2e9408fe2a0000001300efbe000000200000000000000000000000000000000000000000000000000100000053020000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\GroupByKey:PID = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe110000009afc49b432a1da01115758113aa1da01115758113aa1da0114000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\FFlags = "18874369"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000ed30bdda43008947a7f8d013a47366226400000078000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\TV_FolderType = "{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 01000000030000000200000000000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "4"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\NodeSlot = "7"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e80922b16d365937a46956b92703aca08af260001002600efbe110000009afc49b432a1da01531d020c3aa1da01531d020c3aa1da0114000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "5"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\GroupByDirection = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3 = a7021f002d02d5dfa3231f020400000000001b0200003153505305d5cdd59c2e1b10939708002b2cf9ae5b01000012000000004100750074006f004c006900730074000000420000001e000000700072006f00700034003200390034003900360037003200390035000000000012010000aea54e38e1ad8a4e8a9b7bea78fff1e9060000800000000001000000020000800100000001000000020000002000000000000000160014001f50e04fd020ea3a6910a2d808002b30309d0000000000000000000000000000000000000000000001000000010000800100000004006900740065006d00000000000000000000000000000000000000000000000000000000000000000000000000000000001e1ade7f318ba54993b86be14cfa4943ffffffffffffffffffffffff00000000010000001900530065006100720063006800200052006500730075006c0074007300200069006e00200054006800690073002000500043000000000000000000000000000000000000000000000000000000000000003900000024000000004100750074006f006c0069007300740043006100630068006500540069006d00650000001400000099be64720f0000006b00000022000000004100750074006f006c00690073007400430061006300680065004b006500790000001f0000001b000000530065006100720063006800200052006500730075006c0074007300200069006e002000540068006900730020005000430030000000000000000000000000000000741a595e96dfd3488d671733bcee28ba671b730433d90a4590e64acd2e9408fe2a0000001300efbe000000200000000000000000000000000000000000000000000000000100000053022a0000001900efbe1e1ade7f318ba54993b86be14cfa49436f73bebdf5342948abe8b550e65146c453020000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4688	SCHTASKS.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3460	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2996	chrome.exe
2996	chrome.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
4216	Client-built.exe
4216	Client-built.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
4216	Client-built.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
4216	Client-built.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
4216	Client-built.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
4216	Client-built.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
4216	Client-built.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe
1608	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3460	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4216	Client-built.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeDebugPrivilege	4216	Client-built.exe
Token: SeDebugPrivilege	1608	dllhost.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe
Token: SeShutdownPrivilege	2996	chrome.exe
Token: SeCreatePagefilePrivilege	2996	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
3460	Explorer.EXE

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
2996	chrome.exe
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 4688	4216	Client-built.exe	90
PID 4216 wrote to memory of 4688	4216	Client-built.exe	90
PID 2996 wrote to memory of 5040	2996	chrome.exe	94
PID 2996 wrote to memory of 5040	2996	chrome.exe	94
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2620	2996	chrome.exe	95
PID 2996 wrote to memory of 2160	2996	chrome.exe	96
PID 2996 wrote to memory of 2160	2996	chrome.exe	96
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97
PID 2996 wrote to memory of 3240	2996	chrome.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f08af617-6262-42f7-9f07-7111241c61e8}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x4 /state0:0xa395f855 /state1:0x41c64e6d
  2⤵
  PID:5864

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1152
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1412
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1036

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2644

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2688

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3368

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3460
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "$77Client-built.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Client-built.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2180
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd01b4ab58,0x7ffd01b4ab68,0x7ffd01b4ab78
    3⤵
    PID:5040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1864,i,4394391126887181227,5241016288478406884,131072 /prefetch:2
    3⤵
    PID:2620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1864,i,4394391126887181227,5241016288478406884,131072 /prefetch:8
    3⤵
    PID:2160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2140 --field-trial-handle=1864,i,4394391126887181227,5241016288478406884,131072 /prefetch:8
    3⤵
    PID:3240
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2860 --field-trial-handle=1864,i,4394391126887181227,5241016288478406884,131072 /prefetch:1
    3⤵
    PID:2188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2868 --field-trial-handle=1864,i,4394391126887181227,5241016288478406884,131072 /prefetch:1
    3⤵
    PID:1032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4356 --field-trial-handle=1864,i,4394391126887181227,5241016288478406884,131072 /prefetch:1
    3⤵
    PID:4532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4324 --field-trial-handle=1864,i,4394391126887181227,5241016288478406884,131072 /prefetch:8
    3⤵
    PID:3844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=1864,i,4394391126887181227,5241016288478406884,131072 /prefetch:8
    3⤵
    PID:4568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4764 --field-trial-handle=1864,i,4394391126887181227,5241016288478406884,131072 /prefetch:8
    3⤵
    PID:2216
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4912 --field-trial-handle=1864,i,4394391126887181227,5241016288478406884,131072 /prefetch:8
    3⤵
    PID:1512
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1864,i,4394391126887181227,5241016288478406884,131072 /prefetch:8
    3⤵
    PID:4692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4800 --field-trial-handle=1864,i,4394391126887181227,5241016288478406884,131072 /prefetch:8
    3⤵
    PID:4460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4672 --field-trial-handle=1864,i,4394391126887181227,5241016288478406884,131072 /prefetch:8
    3⤵
    PID:4740
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1072 --field-trial-handle=1864,i,4394391126887181227,5241016288478406884,131072 /prefetch:2
    3⤵
    PID:5788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3580

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3776

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3992

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
PID:4100

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3868

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2192

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2736

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:344

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1016

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1540

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:5056

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:3888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:2700

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4452

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:5964

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:6076

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2356

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5304

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2840

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3764

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4520

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{76BE8257-C4C0-4D37-90C0-A23372254D27}
1⤵
PID:3444

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:5984
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:3860
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jcp

Filesize
8KB

MD5
d1f9bc582f6df6921f901aad75c8fe2e

SHA1
aa0ce9570cb5e078a01ba1735395756d16f1f7a4

SHA256
822235218475010b3021ce482b7362ab6e64f2c6144099d80ea06983b6a4eff5

SHA512
057572523ffa9bedb52fa7e81ca6f2b2d9b2cbb931adc7813a3957fec4df8b209a5e71e4bcf6b49117b388b7ceb2895315089fae581c0fe29762c5c184a85d7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c353cf5960d2b20017af3d3c117bee9d

SHA1
f564b157b1e961314947a926be72320b39477ac7

SHA256
efe315cab2f89c30c5e6b642e2419dcbd1a67aa1627ce90b63ea82939233ad68

SHA512
ea0af6a66298833cce25c3f0452ebb9778a64eefd252ca12667764d005ca4b415461c2de8c65ec6a8cdaf947e6486db0186e87be2a8a394f578836d517f5db90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0473a1bc9bd6ce506c526d05faf21862

SHA1
7aead984db50b2e73aefccdb94a13f83ff8585ab

SHA256
7624a26ab9049eb6400d05f01c2a9a4ea28579a247831955b192128cbeec469b

SHA512
b0d7437c2fad3301a8588171b21e461aed32d1a327ee1d253e7840a2d5851c5ff9805e4d16d23e1fadb61415a412537aed716ecf79676409ceee6e81e6199caa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0fddbef02c9740bd8a98f991d758be1b

SHA1
a3c5339260993432bc4c99a55f1dab702349e0fb

SHA256
6180b067bc7008ee0bb237d3debc9ad30bc0184a058ed8fd41a8e87721f23a28

SHA512
8590b34d19b94fae1c346b36bdb049b744c3c0cb79e3ab8bbc8d5693f145fea045a67731077157c27ea47c04c8d3a0b1d269de815980b7b8ae4bd51be1c6af6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
50898c96f8ee5ad057f4715a46c172ea

SHA1
a0c0426e006e27be97d1d185458c46dae4fc1cf9

SHA256
3bf88ecc2a550073073cebbb078d58f519f2263fe910a4bb455b416c492ec60b

SHA512
585cfacc665af4f1ea17c896920205c76cc9271e56088adda0ea7c871bb11efad4619e972b5c8d30939b89f0371e061b3033438b80358a83ab9ae3d4be54e9e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
109827bb7d6ce858b54742c0bfa3f89b

SHA1
ba13ce3e45f2e9418a50f4d3c1d100ae2a9ba010

SHA256
2b92bbb25e75b270567398bb92983522c2c35603e8d5842be3ed3f88e9a3e4bd

SHA512
2de64ac8f16a605ceeab8b79d1e2bfdb9f8ba77e22f6ecc06a02e310574b89edd1fe71c50eaf5a6b4c0dca7e33c8d1a06b8da0b287a9ff78f9499a31c7786d13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
270KB

MD5
464f6990be7301fd27cf2d3d2cf0e220

SHA1
9630b4b567502d69e2ec4c24c8a1a135bc35e6b7

SHA256
3b3059cd77a8aa01a2dfa516484fdabd3dec4d91209529727b57d3c22be58aa7

SHA512
ebb05e24af2fb06e9108a85d741469a389e97d77004702c33b632d645617a18e4a93a51053ce29eca1f36be582331ed447da43dfe6b08e15041e9641c888b622

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
270KB

MD5
12b352a459b9616f0f9729dc1168b173

SHA1
c16f647567a2129d78b9a85d917a4b6560a9185b

SHA256
c761a45254cc8c7ee1172a491253ccd9b29cf9bb710a4aaba015cb1f0162cf12

SHA512
696548d05264cd3146e2a4e11001d93f82f8a8ca838b6cc256b4bc85eae2e4bf8f7f1086b553e0be4b98bc7d1b7f65a426d265eded547166114fc9a68f1f2a28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
28KB

MD5
87d9bca9ae972128a68fccde11feb182

SHA1
8c4c0161e94c15f840ba14d704c77e535433f7dc

SHA256
026beab2e6f436e2e8bd8f409baae6c70ca59d67860d241f65d7fd0f5b841d37

SHA512
f822137ffe7706ab17699c0877737453d49c216d20470f8d041eb672455c6a4485a5569407fd87e346c6518c67fe4309a7be041bc3bacebb35ddbe6812860951

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jrqbq0op.4fi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/316-116-0x00007FFCE60F0000-0x00007FFCE6100000-memory.dmp

Filesize
64KB

Download
memory/316-115-0x000001B038130000-0x000001B03815A000-memory.dmp

Filesize
168KB

Download
memory/436-120-0x00007FFCE60F0000-0x00007FFCE6100000-memory.dmp

Filesize
64KB

Download
memory/436-119-0x000001E1AB690000-0x000001E1AB6BA000-memory.dmp

Filesize
168KB

Download
memory/616-105-0x0000027829780000-0x00000278297A3000-memory.dmp

Filesize
140KB

Download
memory/616-107-0x00000278297B0000-0x00000278297DA000-memory.dmp

Filesize
168KB

Download
memory/616-109-0x00007FFCE60F0000-0x00007FFCE6100000-memory.dmp

Filesize
64KB

Download
memory/664-111-0x00007FFCE60F0000-0x00007FFCE6100000-memory.dmp

Filesize
64KB

Download
memory/664-108-0x000001F47E600000-0x000001F47E62A000-memory.dmp

Filesize
168KB

Download
memory/956-143-0x00007FFCE60F0000-0x00007FFCE6100000-memory.dmp

Filesize
64KB

Download
memory/956-142-0x000002A7A79A0000-0x000002A7A79CA000-memory.dmp

Filesize
168KB

Download
memory/1052-124-0x00007FFCE60F0000-0x00007FFCE6100000-memory.dmp

Filesize
64KB

Download
memory/1052-123-0x000002C529490000-0x000002C5294BA000-memory.dmp

Filesize
168KB

Download
memory/1128-130-0x000001FCC3510000-0x000001FCC353A000-memory.dmp

Filesize
168KB

Download
memory/1128-131-0x00007FFCE60F0000-0x00007FFCE6100000-memory.dmp

Filesize
64KB

Download
memory/1136-133-0x00000141F5100000-0x00000141F512A000-memory.dmp

Filesize
168KB

Download
memory/1136-134-0x00007FFCE60F0000-0x00007FFCE6100000-memory.dmp

Filesize
64KB

Download
memory/1152-136-0x000001DCC5D30000-0x000001DCC5D5A000-memory.dmp

Filesize
168KB

Download
memory/1152-137-0x00007FFCE60F0000-0x00007FFCE6100000-memory.dmp

Filesize
64KB

Download
memory/1196-140-0x00007FFCE60F0000-0x00007FFCE6100000-memory.dmp

Filesize
64KB

Download
memory/1196-139-0x000002A2B6BA0000-0x000002A2B6BCA000-memory.dmp

Filesize
168KB

Download
memory/1276-147-0x0000021D5D1A0000-0x0000021D5D1CA000-memory.dmp

Filesize
168KB

Download
memory/1276-148-0x00007FFCE60F0000-0x00007FFCE6100000-memory.dmp

Filesize
64KB

Download
memory/1336-151-0x00007FFCE60F0000-0x00007FFCE6100000-memory.dmp

Filesize
64KB

Download
memory/1336-150-0x00000135E4F30000-0x00000135E4F5A000-memory.dmp

Filesize
168KB

Download
memory/1384-160-0x00000244F2A90000-0x00000244F2ABA000-memory.dmp

Filesize
168KB

Download
memory/1608-102-0x00007FFD25C60000-0x00007FFD25D1E000-memory.dmp

Filesize
760KB

Download
memory/1608-101-0x00007FFD26070000-0x00007FFD26265000-memory.dmp

Filesize
2.0MB

Download
memory/1608-103-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1608-100-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1608-99-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2180-95-0x00007FFD08010000-0x00007FFD08AD1000-memory.dmp

Filesize
10.8MB

Download
memory/2180-80-0x0000018A29AB0000-0x0000018A29AD2000-memory.dmp

Filesize
136KB

Download
memory/2180-88-0x00007FFD08010000-0x00007FFD08AD1000-memory.dmp

Filesize
10.8MB

Download
memory/2180-89-0x00007FFD08010000-0x00007FFD08AD1000-memory.dmp

Filesize
10.8MB

Download
memory/2180-90-0x00007FFD08010000-0x00007FFD08AD1000-memory.dmp

Filesize
10.8MB

Download
memory/4216-96-0x00000279F8070000-0x00000279F80AE000-memory.dmp

Filesize
248KB

Download
memory/4216-9-0x00000279F7FE0000-0x00000279F7FFE000-memory.dmp

Filesize
120KB

Download
memory/4216-7-0x00000279F8C30000-0x00000279F8CA6000-memory.dmp

Filesize
472KB

Download
memory/4216-6-0x00007FFD08010000-0x00007FFD08AD1000-memory.dmp

Filesize
10.8MB

Download
memory/4216-98-0x00007FFD25C60000-0x00007FFD25D1E000-memory.dmp

Filesize
760KB

Download
memory/4216-97-0x00007FFD26070000-0x00007FFD26265000-memory.dmp

Filesize
2.0MB

Download
memory/4216-0-0x00007FFD08013000-0x00007FFD08015000-memory.dmp

Filesize
8KB

Download
memory/4216-8-0x00000279F66E0000-0x00000279F66F2000-memory.dmp

Filesize
72KB

Download
memory/4216-5-0x00007FFD08013000-0x00007FFD08015000-memory.dmp

Filesize
8KB

Download
memory/4216-4-0x00000279F9160000-0x00000279F9688000-memory.dmp

Filesize
5.2MB

Download
memory/4216-3-0x00007FFD08010000-0x00007FFD08AD1000-memory.dmp

Filesize
10.8MB

Download
memory/4216-2-0x00000279F8960000-0x00000279F8B22000-memory.dmp

Filesize
1.8MB

Download
memory/4216-747-0x00007FFD08010000-0x00007FFD08AD1000-memory.dmp

Filesize
10.8MB

Download
memory/4216-1-0x00000279F6240000-0x00000279F6258000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads