1ff3a8cf4271296df6cac7148ded17218eebdd58e6c1e561e71ee77f11c89df1

Analysis

max time kernel
342s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 05:43

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

NURSULTAN CRACK(NO VIRUS) (2024 EDITION )1.vbs
Size

7KB
MD5

31089286e3e5cac841818cc42bf064ac
SHA1

d5e3268db6398717d4f81b4c8239d5f4d3c766b1
SHA256

1ff3a8cf4271296df6cac7148ded17218eebdd58e6c1e561e71ee77f11c89df1
SHA512

0f92582e519d72712a42cbe311d2590c1cde153468d69ead406b7f571d533368107930ad123123eadda1a0b398c979e46c1e4ac227905e0dcfe6f6c7377c10cb
SSDEEP

96:5pxUVki1XxW8TqZZ2T4sqvmmicQ/c+suBLG4a6pz5w/qPyo:5puVksBW8um0xhiywxao

Score

7^/10

ransomware

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\installer_and_folder_creator.vbs	WScript.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\installer_and_folder_creator.vbs	Taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\installer_and_folder_creator.vbs	WScript.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\Desktop\TJTRtSBC\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\cW0LfXat\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\UFibnZOs\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\RYL5DcEQ\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\B0068yqX\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\GY06ArHt\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\W1uWXnJO\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\NyURn2Ze\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\fCTUbhGP\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\JH50znGb\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\5gn8lvRN\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\kieo38eF\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\LAcufT4k\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\Pe3r2gTQ\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\sqgNISPi\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\sqgNISPi\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\B6Qgxr6z\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\r3ctuG8C\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\pDvddHYT\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\QWcdNhNq\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\eKtn2PEO\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\2xY69wxD\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\W6OnUbwI\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\zGBaaynl\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\q8GMF4Jr\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\xW1JgriO\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\UEz9weXI\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\wQaky8L0\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\NyURn2Ze\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\Cx3APnNs\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\W2iTVRfM\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\yFNdcKRn\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\V6YvHeSj\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\h0K0iHlJ\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\wXwYxzJc\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\YtM0YKyY\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\7Q4oE0lf\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\yI9WI9FR\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\GW8a7pxC\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\6bAi23I2\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\TO9lrcS8\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\bVEBaWTn\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\QWcdNhNq\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\fCTUbhGP\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\Cx3APnNs\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\9Fo8noti\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\eJyYkGdA\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\YtM0YKyY\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\M2Bg0TyB\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\eETDDVyx\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\09hZ2MSK\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\INfibk2U\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\NySWYkQ4\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\LAcufT4k\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\GbfhXDrH\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\wXwYxzJc\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\KBY9xbfy\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\sztqh0ak\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\UEz9weXI\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\vZuUgAlH\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\dI9YBfFt\desktop.ini	WScript.exe
File created	C:\Users\Admin\Desktop\q9BaXDu4\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\oLI9ALGa\desktop.ini	WScript.exe
File opened for modification	C:\Users\Admin\Desktop\09fen4Kj\desktop.ini	WScript.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\wbcwW5cr.exe	WScript.exe
File created	C:\Windows\System32\sSVQC9eb.exe	WScript.exe
File created	C:\Windows\System32\TN9pSYUS.exe	WScript.exe
File created	C:\Windows\System32\4HnEhxKI.exe	WScript.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\Desktop\Wallpaper	WScript.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\P24gMc8E.txt	WScript.exe
File created	C:\Windows\U1sSyXgD.txt	WScript.exe
File created	C:\Windows\94dNYsUI.txt	WScript.exe
File created	C:\Windows\E3S89n2H.txt	WScript.exe
File created	C:\Windows\zIzS62mJ.txt	WScript.exe
File created	C:\Windows\hUtszKYe.txt	WScript.exe
File created	C:\Windows\9Hb0JssG.txt	WScript.exe
File created	C:\Windows\oKNusDgM.txt	WScript.exe
File created	C:\Windows\XVHLmUSh.txt	WScript.exe
File created	C:\Windows\K2GuliaG.txt	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\Desktop	WScript.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{63B0ECF5-47ED-11EF-9338-7A4AC7ACABCB} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe

Modifies data under HKEY_USERS 59 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayout = "67699721"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "202"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName = "@Winlangdb.dll,-1121"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\1 = "00000409"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\Languages = 65006e002d005500530000000000	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "202"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowShiftLock = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Substitutes	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133661006987399542"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\00000000 = "00000409"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3116	chrome.exe
3116	chrome.exe
3828	chrome.exe
3828	chrome.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4024	Taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3116	chrome.exe
Token: SeCreatePagefilePrivilege	3116	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	5056	LogonUI.exe
Token: SeCreatePagefilePrivilege	5056	LogonUI.exe
Token: SeDebugPrivilege	4024	Taskmgr.exe
Token: SeSystemProfilePrivilege	4024	Taskmgr.exe
Token: SeCreateGlobalPrivilege	4024	Taskmgr.exe
Token: SeShutdownPrivilege	1636	shutdown.exe
Token: SeRemoteShutdownPrivilege	1636	shutdown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1860	iexplore.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe
4024	Taskmgr.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1860	iexplore.exe
1860	iexplore.exe
4344	IEXPLORE.EXE
4344	IEXPLORE.EXE
4344	IEXPLORE.EXE
4344	IEXPLORE.EXE
5056	LogonUI.exe
3896	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 4344	1860	iexplore.exe	96
PID 1860 wrote to memory of 4344	1860	iexplore.exe	96
PID 1860 wrote to memory of 4344	1860	iexplore.exe	96
PID 1080 wrote to memory of 3680	1080	WScript.exe	102
PID 1080 wrote to memory of 3680	1080	WScript.exe	102
PID 3116 wrote to memory of 1960	3116	chrome.exe	109
PID 3116 wrote to memory of 1960	3116	chrome.exe	109
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 1512	3116	chrome.exe	110
PID 3116 wrote to memory of 4552	3116	chrome.exe	111
PID 3116 wrote to memory of 4552	3116	chrome.exe	111
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112
PID 3116 wrote to memory of 4992	3116	chrome.exe	112

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NURSULTAN CRACK(NO VIRUS) (2024 EDITION )1.vbs"
1⤵
- Checks computer location settings
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:3680
- C:\Windows\System32\shutdown.exe
  "C:\Windows\System32\shutdown.exe" -s -t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1636

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:3220

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1860 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffbf5eecc40,0x7ffbf5eecc4c,0x7ffbf5eecc58
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1876,i,7930278727507258014,15010976968446804114,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1872 /prefetch:2
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,7930278727507258014,15010976968446804114,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,7930278727507258014,15010976968446804114,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2416 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,7930278727507258014,15010976968446804114,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3304,i,7930278727507258014,15010976968446804114,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4492,i,7930278727507258014,15010976968446804114,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,7930278727507258014,15010976968446804114,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5008,i,7930278727507258014,15010976968446804114,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:804

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2664

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbf5eecc40,0x7ffbf5eecc4c,0x7ffbf5eecc58
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2140,i,13500243572190393961,5776245680478457968,262144 --variations-seed-version=20240719-130109.258000 --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1860,i,13500243572190393961,5776245680478457968,262144 --variations-seed-version=20240719-130109.258000 --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2120,i,13500243572190393961,5776245680478457968,262144 --variations-seed-version=20240719-130109.258000 --mojo-platform-channel-handle=2300 /prefetch:8
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,13500243572190393961,5776245680478457968,262144 --variations-seed-version=20240719-130109.258000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,13500243572190393961,5776245680478457968,262144 --variations-seed-version=20240719-130109.258000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4532,i,13500243572190393961,5776245680478457968,262144 --variations-seed-version=20240719-130109.258000 --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4760,i,13500243572190393961,5776245680478457968,262144 --variations-seed-version=20240719-130109.258000 --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4908,i,13500243572190393961,5776245680478457968,262144 --variations-seed-version=20240719-130109.258000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:4856

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1564

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3933855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5056

C:\Windows\system32\launchtm.exe
launchtm.exe /3
1⤵
PID:436
- C:\Windows\System32\Taskmgr.exe
  "C:\Windows\System32\Taskmgr.exe" /3
  2⤵
  - Drops startup file
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4024

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38ed855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
6667f148184a957887bd97e98b6c9bf2

SHA1
e66236f0aee10125e9fb242ab9cda52c87d53e95

SHA256
547be2a2bd8686d674656522ba999d409fa98c0cbb54c0caadb61d2ae51bb3d5

SHA512
fa6d796bf260bad40696ebd3185f536223cfa0c2c9807099c685d169abd1b4e0d9efd67b77351860a28f17cf0f5c8b5c843704c3e7ec34714a56a6c555b33ea6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
81e32c802887ab0807e7ccf488a1861e

SHA1
3030024ce696516d1b5bf9ab5ebe3aaac71ec34b

SHA256
cfe0c6100c03d6d7d4104f6d0051ef578741c1ea6112bad78adacc5b2ad7ba1d

SHA512
0f135b3ffa353f46663ca5e431a1007f5d1fc5cf3b3d100ac976143203ecbb2e4d80c9a198b37ed7bd4f242cba8bc350bc3613c504e0e3f74d8caf022470dc13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
f173d9957a14e1223a937850eb534f9b

SHA1
3fe1a7e1cc7f91749cf4d5ccc08c3f4cf5c06be5

SHA256
a52b5f90876cfb3f64e436d7e60ebe0c9a6ca1ae8a8bea710e7af350e8a8e37c

SHA512
785ad5ea30c15e3b78efcef46cc7d304524033ba41b6c86864be79cddc6fc821813f2d3022432251defa43e7737c6a55b6c6f4e994f4a15bc5e0a225a5626d89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
681bfe0505854effd1cd85a178039e66

SHA1
7fd3d4981172acda519f64a00eb8668c60dfef52

SHA256
5283c629a85ad78905ec0e35f60898199c540b2808714966c890b71e044cd042

SHA512
39e66e722c96788c61ca79af2565f1d6093b6fdb2aa154268f7d4add5adae12fd4a72e5d1ab7f3882c7aac9ec3a7827c33f0862411a625b40b78cb8f156d006d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
1dd0cac7041db57ceebb8e524d55fba4

SHA1
b97cc12cb15ae7d890ec20aa07fe910828cdeb0a

SHA256
406aab4adc3ac4f561f92563d02b541f103224953f52f65a70e806b1c3f6c507

SHA512
8a3c6d6495efe06ed359f87dca018a6dbc2bb4fab8566047efe77df736c03497e4a9c020092ac6f73711973e52be9e0c36febb9cfbf177cb3d647a1ce2f262d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
317B

MD5
363cd9896ce9d8d53c5ee18f5cb2e813

SHA1
fa0a3a24622d1e14e830529721b3010601830772

SHA256
d3d60cd7118a6d9b727014b86f1dfc30a1d746f93375a0b0cd812f94684ad2f0

SHA512
12c95e50cd64d588f2bc267b79803685cf80d9eea852a2fc324cc73b49231e55d76c64890397b2cb0812c02204891659ceb0949119ce909a131e69921013ac2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG

Filesize
327B

MD5
51ad9b4bbf3277232b4f16883361cf24

SHA1
7e14e652e7f0e0854d22b1980666976fa4bf532a

SHA256
2b0ae62be0ea43bf8bc26e4dd7075311a2f714ed6101ef115b735a0759c4ad99

SHA512
5d8f49f35913263b6bb43f15a4afd07e0cd3b15a1228ba32358b8f9f439a2dfd4ad0fe6b6510a06c7e7509c0000a7594a7a3f6b66a4d13ff50e80b44b3fec664

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0

Filesize
44KB

MD5
00aca018f9c995df029c60f0d08b3dfe

SHA1
695ce5278d66076b0559bf4038f5d2e96b78d8f3

SHA256
8877971418b4de24d88048b482a69af1d1bd23378df6fddfce57c2b87ea867c5

SHA512
110dbd0a3ffffbdfa8221494e51bd7271148a6033ab73a64085af92672e5f7693cf3f845621c48a33cb4f9c212cf801e78e67a81861e2835eca97a0a46fe8406

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
7ea94edc3378c957a13d235089637cb4

SHA1
c6ca2d15e27f08158c9680daff6da9a8e36f1272

SHA256
af1e76807f471570674835ad01e63759be90b989227245bf74d377a947cceef2

SHA512
ab2b890ba23da11c00d270f37b335c52785e1bb24360bf0162a53488514420dbb1223cba67cc76206043ca3c7683a5e5f1188e5b97148534680e86756c4df8c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2

Filesize
1.0MB

MD5
b08d4c4c74efb4ccbbf39cc0ca9d7967

SHA1
c13ea9034190cbf419b75a10f1233259c83b9572

SHA256
c3c70955ccf5b5709af0fea2891e35e7b17913bece25ca07f52db9abfec2aaa5

SHA512
9b6ac1bf828d43bf0b327c8e328b5732c65b8b810f6d1c931530f9316e28530cf2d642cf847af3e7c2364cc8db1481c699a6e9d59827a74b87cdfcfcf942d09c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_3

Filesize
4.0MB

MD5
c2c3a58c7a28cbe624d291cad7a7446d

SHA1
22a88a70723410c7c66064ad8d89ef907205ede4

SHA256
3006cfa038d06898340ddde34af50e45a5ef9b4f32b4599eb661770c1a7b203c

SHA512
35194f752d346a3971f76dcb1186a23d090620d0fadcf5b55e5e00c651b741fb0c61b70ae469e8ace43bc97943c199fa57ab02a536036e50489086995662511a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
e30c927245e33b64a1d6d348d4263845

SHA1
17c27285aebfc029e74872c976b336ee9474e760

SHA256
7371d914e4344d968da008cd493f285afae4e23e86e187ef24d0ec0b49adb846

SHA512
029d0f619af1eaa28195214bb414cd40e7f3aa0e444516118e53ae8dbfa4f9af521b534dbc6328ff90bf5670a3ff51fdcce85639e38e616a53ed5a495e9c8525

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b25b7713df9888b0b2e4e8a179316b2e

SHA1
667ab5edb5039f39049d65936b69fd948160d6ca

SHA256
1b2f1890c9759cc0131cd508890a03a1a8ab3c900dc0b3e98df137ef7d6d6279

SHA512
1bfe4d441f15be0f8ed0824f6b51c8e848d7994342e0902b65ae8a1a8fb3bc1a847a1c2c37c5827954678628ee6f7f80adb5d0c0f62e62b3a8e3767fc92f4ee8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6d5aaf595048f8ce390c0418b66b1604

SHA1
796c90ccf67b98cb6c4f536812e1594767e1a390

SHA256
f7dee02e832625d877e4034cf0579e45697b4f6169f5b24df20a85aa269e09db

SHA512
d03d780af4c550b6ce99fa6e5390c6fce011cd017d07dd66f4da63c63abf3b784b50f9adf98db7d2676506ab458bf262b72a74e00deb163538a62a648c482a9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL

Filesize
36KB

MD5
359e114eff583678573a78c93fded993

SHA1
b2eebbeadb88d4f02374fdf623afc655e038cdf4

SHA256
acb47366ab06e80da7ca811b8b3515002e0343eeb58c2ec41a89b4185b429e29

SHA512
ac0475e7cce4c84c7940b51a8ca3af9414fda540e87ef8ff49c1cfc5962ca7fa46ada54212e46d146e47a42b5cf0bd021dec53f54c3d716176ef44fe4144d204

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8618527e4c10a73d0dd81d1780b813e4

SHA1
594bb4ba6f53c59cea950855e6ba3099cb4ce7c1

SHA256
d43b42ce0f590a5f647a600bf493cbd30f315b74c29326afa79d935017cde943

SHA512
987b18d2fc3c0fcc40e5f07201bab07b044f6a1b129f3e30bc4d7759f9fd80b8d0a690f32c24c9fdabd0ca4756dacfcd1c76c1658c47a6f769aebdabdd90aee0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
05dfcf4c09796a3e88127fa69816deea

SHA1
e582c0e07a5f1061fbe7fb6f9d06d13e8734b78f

SHA256
94608d30e66989a00805ca20b2db4eefff2f50965e036a4cb7cb8646f2953c3c

SHA512
03c2bbab719fb3aa31ce5e689dd7d61b8cb5df1de2b69a5ccff2ad2c4c639fc985f0b40e11b19cf44c973280db681c97dbc6201a1fa5fd0ba08d0f5987df9798

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0fe1de6cc4cabb933ea13295c2720124

SHA1
747f011280d75b83c875fa7d19b96bec01ac56e3

SHA256
cb82a236b6e42cadc197c5b18bece1e7113f75a34a995c83bab06617932c43a5

SHA512
396bbccb5fba11d1bc2674dd7c6fe3324469b2d938157a6b0672879f824a3b0b89bd0ccf0773a8490320c270345737fc51477cf91c80c333850125277d4beeb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c8d555cc0633e78f11f2b7cf3bfb9c8d

SHA1
5e0c9f4b84dc3b36e98e2757c85255c0bb6888ae

SHA256
75dbffda3e51b30235ddd37d3dba434f5ddd4f7da89eb9cf20c6d4f49ca648b3

SHA512
0caa02bc8ccb78774e0909058c3c7138ac6d2cd818b85ce685924bb06d1f612764c2745210abe3c36ef09a89d64cd0c94cc4445a48055ce59f6aa9ff1f59eaee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b4daf4d6c209364355af9be82845d155

SHA1
c59902a22140e1ddea46eeb1953e8fc9809084d8

SHA256
6cd618deb1fc2ff408ae813a6a5d03766a801bbf8c5a90dd36e38ccc7b7e96d6

SHA512
e76f2eb8a5c21981fd7d5edbd89b778b2c83f7119d9df8b17cd6680e6f0689e2739b0911474dcdfbf89f14a140e8062bf4aa2aff05d00c8a27cf3bd77c0b0dd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
8c6058d2c25fceef1ab1a41b2c0649cb

SHA1
812715e48e4520c80e7b35f4bc7cb554ce1c8ea4

SHA256
4f48e92e2edb47669166a0222d2101a0a295062ca583fd0b2e6e18321f9d7725

SHA512
868266180dea9246d8216530d61b122fb823702bfa7a46099a4e77bef4ada38909a91a8c27ef544c910b3cd621121a0d3c1db647921e7b555377a31621113b4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG

Filesize
333B

MD5
0a5ec09426c49f74f1c3fe972d868b1e

SHA1
e122b52a2dced9300fcc7f5d894b1c8b8487a3ee

SHA256
58b6f19e5d51a7a47554c1ba466f28cf17a521be91e061dfbda270e7a4efe511

SHA512
aa156a1f7eef0bf6f5a6df2c0fe1b9bea134f3bf6ca654b0ee7ea17f415acc3754c6289981d397a1a0c3885285a4e02ef5b4fa5e7e8281c73d6f6cd3f8b71785

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

Filesize
327B

MD5
a66efaa590a0d16b1874a35836ba0a4b

SHA1
bb750c61e162420271f89a90f2b58f43587680e1

SHA256
b9ab1ed7609e2254b7d4fb655b57b21b2be601646c4ff0b207c411e8bdd9e654

SHA512
2b1ea0c798b69b360ab1546d14fccf7d5f9cb224b31bc8430cdb956c8cc570a086e4cfa10e6a843292deb862f4161dfc9b9abbc44afe397ff0ec9563646ff7a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
317B

MD5
2deaf07d11dc391c85507ecdecbc0c38

SHA1
736c5bfa659a5781bae36cd55a5f7f0421190e14

SHA256
7b99f019ec254bc8e7731b6fab3733edffd8ad159eaba0e96cf8267afde9e573

SHA512
e42d95a3449a716be8442f6750b6c6bc3fe29ccb5c5878163d0e486d79f8904133c68f40a6c3fab9872b532c342e9ff7cb87260afb047832ad28cc899003a969

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13366100697656106

Filesize
2KB

MD5
9ad461029b51a041fcf82756d91ddc6d

SHA1
6142647610735eed19ee2a24e8caa0ffa40b38d9

SHA256
b777296a12eb5a3abe67fdb6ce3853f54295c92d89079c87b3b95a76b5a08b78

SHA512
ab4a40128aef50dd63bef9c47f23903c3e01c5e545334cc0a7f5b3a11e301d1d02be3707bc9046e96774beb51a4a4a51a9e047dd6c6c916eec90734aeca35aec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
719603b17208126e2e9fef59a9abd67e

SHA1
40506729a98b20e5e9fd0fb51b599b65cacdea15

SHA256
bdf07be74bbf4f27becfd5d1f7f54f8dad09f6db74543900d9d1216091f7a957

SHA512
2b0569713af22a315c8cb3f7c0fa324f04de63d5a139174fcc3341ef6e16ea113a0eeb08e24e6f6c5a8d9fab46996053d1c0ea857cd129ae4c6c6eb8b76fd033

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
80209f9102b96f35a5b1f12affe9b8ab

SHA1
1612c96edd62755642c1a130aa9445dd02844106

SHA256
2e2c4e302d37f27ca8ce452423a1fcb33a80937ae08fb2ff20b5666de8c69b5e

SHA512
76cabba3ca928bea42766d2317241def6a427c21e70120239c584640eaf5c477284b2723a03ac99cecc925168528353af60bdbff1754857f5cfaed4234db30b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager

Filesize
40KB

MD5
dcf1afd975fe1b8b71755b97a1644e7e

SHA1
238ae41f091067a53027407eb487a44b4ce9ced6

SHA256
42a6dd5d0df2a951a76a84cedf3f57ab6ef7fa4f01ce8769f75bcbe78c485bcd

SHA512
08836cca0c210ee319d76a01095451bf9efdbf9543a7f669dc154aec9d8e8d528ba9c48dce37031de362260525c6c0b5e2ace6378fc36a2ae5821d1042a0fb24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager-journal

Filesize
8KB

MD5
7d6893da510d49bffd25485b402c2a02

SHA1
a98ec417ac746abd82be2d8f2d1743dbc8851b44

SHA256
392c37a675249a56f94c4d6e6915e3a08637f1dea6361e758791fe295ccb3535

SHA512
cef6e85d35031892d79a34016c636c29262d5a18e2a8931c93897e6ba53c66ee4c05da482f6db8b89de23bbece2c96a99fb4c894f38095c68509654a543b545d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

Filesize
18KB

MD5
d5f9c940ed39483f93def7d55b01b3cf

SHA1
d9df037dcc5fad369bf3d2be8ca4222baa25bb34

SHA256
3795ab90e6c0ac756d4f837b22d4ea18e4c86591a16ddb88f62e844ec5e62ccd

SHA512
95ba74a0b44a46e211b78df79b36e7b011959b46c731983efa3c95ae9aa4b6307de320bb6e673b93e2b6a0cc272e9ecc81a7c8db19ca115be065fd6253dc78a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
317B

MD5
2fce5f41f3f25af5bbd7fa0e3b60399b

SHA1
966eb92e0a117f1d03c904a3e558285d8a45955a

SHA256
bb8b2ee54ec104cce6fe8af96b9ecddcd89a555466afb5e8a568f3ee0b218967

SHA512
ea6167082bef437cc1707ed11c818ea2d9eeaa8a9bbbd03db4de8bc5ff0f09817ae79012704a25319c15c02ad4efc7cbb235fd2c26f6ba1099cad5ba8b791b3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
1KB

MD5
18feef5744cd17b81b1bcc9274f8931b

SHA1
6042fbb392423d0469adda5ebf888b6c7c01dbb4

SHA256
49b356b4d4e3e2b65359234281edf8fcb6daf8a67a7e51322d4a1d9909133f40

SHA512
dbc6cf21482777747d49f6d5389c232f06361f6a6acbb4055ca83ca0e63e917ac05b7ba79f09affd114b1b377c2cdee2038cf66c4275eba94cba18233b2ca902

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
335B

MD5
27fbf758662f05377b05f40e28069e29

SHA1
a2bd5556a72f5667f3b60271668b3e73ff4dbee2

SHA256
f81a4ba9a221d68211dde65ad29b985343445462700046420ccf141bb47a3ab6

SHA512
f78a57d97ecd3cc0319c39a3bbb75eb9e423ccce4c7d64b44ac6cb04dde221c7c55a07b494ab3d2a920a486aa17df3017d9bca121a0a678670351532e3d5d26d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
69b0e78af831451748078c9bca6d1fd5

SHA1
3807e587b4bd1afb1dad0bb5f110c9e429c0d972

SHA256
d742fc7e528eec1ba9434de27e55bc5c8e633b95b54390d3ee361ea04fb14e9d

SHA512
f15c77a05e05281e1d507626aa1b56ab35cb4fb5cfb43cf53693444a4b6d9f7d39ebb0a264c8c13e90adceb866f2618b92b1f30359250e974e032416e14716de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
4ff746819444ecde7e07aacd4a663e14

SHA1
a48f8cad28452c81d780b58acc91b4055e8cb81f

SHA256
f203708fc04693df5cb13be36e7676bd50fef5caa86908936420264a6bb6031e

SHA512
e25db2d519831dd86ae2e918070a17e74e13ae81ceab73224ba6ebdea59ca1432f65d3760a3aadd0ec99029e8d09e535717eb9387c0cd0e32f6c8160ec379367

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
4.0MB

MD5
9406a31b75f520786926c1ba366adf53

SHA1
d427edac9568fdc25f6d3c0123d92e1991d0d381

SHA256
956c8d978d7c864d85786099233408a5f945be3192fe1f25af7f70573f119b83

SHA512
69729a64c193f4b940c29abfe5690bba5e6dc5679e7eaff290c5b96afd88a9bda14871d2ce3dbbec86ddef6c0bd55fc5d1dde912b50bb3bf79a7437ed8a1eedd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Browser

Filesize
106B

MD5
de9ef0c5bcc012a3a1131988dee272d8

SHA1
fa9ccbdc969ac9e1474fce773234b28d50951cd8

SHA256
3615498fbef408a96bf30e01c318dac2d5451b054998119080e7faac5995f590

SHA512
cea946ebeadfe6be65e33edff6c68953a84ec2e2410884e12f406cac1e6c8a0793180433a7ef7ce097b24ea78a1fdbb4e3b3d9cdf1a827ab6ff5605da3691724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
aaa1d3398c11429309df446cc70a4b24

SHA1
426037d880450cfe67c0db4e8836d8cf67c3af33

SHA256
d3c5bb416732a0643cb435ce980e4cf7ed0d96375d6d1d866565ffa4cf5f4e31

SHA512
5400a74ad59ee80e11b97e884bedee53af567520b807e4c3c43b68446bb495a967e22838aeee4bfbf02486ec5abfb2e821c5165ab2b894a54e0d7eb70c7355a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
241ef8f2924cdc0df178784613148ef6

SHA1
486ff22e3d2258ea56d663305d2c314b1722486f

SHA256
4c8882440d6eac63704ae0b303077c3d5290a5d29ec5d688b6a224842ef7e26f

SHA512
749732b9aa52cd7f62d9c718f2b5cfc43d06e57e4cbe4327445fc9f4f3ac83dfbdfd7062ce244fdd10566a6dbdb8ecde3672362b32ce1a4c31c56cf9ea3dd001

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
79c3c12992ccdd464738c75a010799db

SHA1
dcb46540d11369d6f284f2f7027f8c93c8689451

SHA256
34117cf08e9e2648315b464e970be97f1d909208b333c47f58ff35e557747b1f

SHA512
806ae6b6996cedd12f396b60661d6a1b8636fc3e9859bf0d82679cb2c2f1e565f6ce1e2ee8c12a48754ea5ff02a60326e670e19f5ef03cc2f405b08d8d50935e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
97KB

MD5
a324283245cb3a16c89505054058649d

SHA1
e3da7f85dc3d4299aaae34da36275ae942015b8a

SHA256
0959c0760ac05664d77fbb6caf11b90afa74ee3a6c9d9d46bdfbbf29f1dccbb2

SHA512
16b5884324d0dac6c98882a5de13b6604a7b8487bbec86283420a3cb89fc4bd47f95351e4d795fb3b8dfa26a68b0b342809575dd730b695cbf833b3ef55b15b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
85B

MD5
bc6142469cd7dadf107be9ad87ea4753

SHA1
72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c

SHA256
b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557

SHA512
47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db

Filesize
48KB

MD5
5a1706ef2fb06594e5ec3a3f15fb89e2

SHA1
983042bba239018b3dced4b56491a90d38ba084a

SHA256
87d62d8837ef9e6ab288f75f207ffa761e90a626a115a0b811ae6357bb7a59dd

SHA512
c56a8b94d62b12af6bd86f392faa7c3b9f257bd2fad69c5fa2d5e6345640fe4576fac629ed070b65ebce237759d30da0c0a62a8a21a0b5ef6b09581d91d0aa16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db-journal

Filesize
4KB

MD5
62b481baa370dd284c3f837c0917b1c8

SHA1
8f878a8100dfa6a146f7c210653faf6122187a95

SHA256
ecedcb8acece8b2edb2bfcda68784eb43db615021bb2894b438eeaeb9bffc296

SHA512
7bfd2a25117d3b9b32cb05ea31f8480d87f8bd53b40b67d5d5de56c381756f3428c464c1fd53df22d1a55455c25008143994b5fddc886cf4570e369dbccf4d75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\installer_and_folder_creator.vbs

Filesize
7KB

MD5
31089286e3e5cac841818cc42bf064ac

SHA1
d5e3268db6398717d4f81b4c8239d5f4d3c766b1

SHA256
1ff3a8cf4271296df6cac7148ded17218eebdd58e6c1e561e71ee77f11c89df1

SHA512
0f92582e519d72712a42cbe311d2590c1cde153468d69ead406b7f571d533368107930ad123123eadda1a0b398c979e46c1e4ac227905e0dcfe6f6c7377c10cb

Download Submit
C:\Users\Admin\Desktop\IRMxoBR0\desktop.ini

Filesize
89B

MD5
96d03a1dca26f679c386881ea02f8a67

SHA1
be46cd6e61659daf13fcb55160ff30a719d5ce42

SHA256
fc051706bd7e9c05b41f41d6fa95c7360657065142cd69a3903656f8866f1318

SHA512
54ee971ed745ec8a624f20a6fdae916e2adb97a272bb25607942799ed0c2620f2aaa86c634dcb93ba300b60d99995d4d427b4f40663987833482e0956c96cf7b

Download Submit
memory/4024-510-0x0000028FDCC30000-0x0000028FDCC31000-memory.dmp

Filesize
4KB

Download
memory/4024-509-0x0000028FDCC30000-0x0000028FDCC31000-memory.dmp

Filesize
4KB

Download
memory/4024-515-0x0000028FDCC30000-0x0000028FDCC31000-memory.dmp

Filesize
4KB

Download
memory/4024-521-0x0000028FDCC30000-0x0000028FDCC31000-memory.dmp

Filesize
4KB

Download
memory/4024-520-0x0000028FDCC30000-0x0000028FDCC31000-memory.dmp

Filesize
4KB

Download
memory/4024-519-0x0000028FDCC30000-0x0000028FDCC31000-memory.dmp

Filesize
4KB

Download
memory/4024-518-0x0000028FDCC30000-0x0000028FDCC31000-memory.dmp

Filesize
4KB

Download
memory/4024-516-0x0000028FDCC30000-0x0000028FDCC31000-memory.dmp

Filesize
4KB

Download
memory/4024-517-0x0000028FDCC30000-0x0000028FDCC31000-memory.dmp

Filesize
4KB

Download
memory/4024-511-0x0000028FDCC30000-0x0000028FDCC31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads