Analysis
max time kernel: 110s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/08/2024, 22:56
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/NatroTeam/NatroMacro/releases/tag/v1.0.0.1
Resource: win10v2004-20240802-en

General
Target: https://github.com/NatroTeam/NatroMacro/releases/tag/v1.0.0.1
Malware Config
Signatures
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
flow | ioc
57 | raw.githubusercontent.com
58 | raw.githubusercontent.com
61 | raw.githubusercontent.com
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AutoHotkey32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AutoHotkey32.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Modifies registry class (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | chrome.exe
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | AutoHotkey32.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
400 | chrome.exe
400 | chrome.exe
2364 | AutoHotkey32.exe
2364 | AutoHotkey32.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2364 | AutoHotkey32.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
pid | Process
400 | chrome.exe
400 | chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 400 | chrome.exe
Token: SeCreatePagefilePrivilege | 400 | chrome.exe
(the 64 IoCs are these two entries, repeated alternately)
Suspicious use of FindShellTrayWindow (41 IoCs)
pid | Process
400 | chrome.exe (38 entries)
2364 | AutoHotkey32.exe (3 entries)
Suspicious use of SendNotifyMessage (27 IoCs)
pid | Process
400 | chrome.exe (24 entries)
2364 | AutoHotkey32.exe (3 entries)
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
3348 | OpenWith.exe
2364 | AutoHotkey32.exe
1980 | OpenWith.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 400 wrote to memory of 2332 | 400 | chrome.exe | 82 (2 entries)
PID 400 wrote to memory of 3824 | 400 | chrome.exe | 83 (repeated)
PID 400 wrote to memory of 3324 | 400 | chrome.exe | 84 (2 entries)
PID 400 wrote to memory of 4596 | 400 | chrome.exe | 85 (repeated)
(the remaining 60 entries are repeats of the 3824 and 4596 rows)
Processes
(indented by depth in the process tree; each entry gives the image path, the full command line, the PID and the signatures matched by that process)

C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/NatroTeam/NatroMacro/releases/tag/v1.0.0.1
  PID: 400
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8efddcc40,0x7ff8efddcc4c,0x7ff8efddcc58
      PID: 2332

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2072,i,7941516311069120124,10813133529336949606,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2068 /prefetch:2
      PID: 3824

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1984,i,7941516311069120124,10813133529336949606,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2104 /prefetch:3
      PID: 3324

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,7941516311069120124,10813133529336949606,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2456 /prefetch:8
      PID: 4596

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,7941516311069120124,10813133529336949606,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3128 /prefetch:1
      PID: 640

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,7941516311069120124,10813133529336949606,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
      PID: 2484

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4568,i,7941516311069120124,10813133529336949606,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4452 /prefetch:8
      PID: 3020

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5016,i,7941516311069120124,10813133529336949606,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5116 /prefetch:8
      PID: 4648

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  PID: 924

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID: 1844

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3888

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 3348
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\START.bat" "
  PID: 468

    C:\Windows\system32\chcp.com
      Command line: chcp 65001
      PID: 4912

    C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey32.exe
      Command line: "C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey32.exe" "C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\natro_macro.ahk"
      PID: 2364
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey32.exe
          Command line: "C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey32.exe" /script "C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\Heartbeat.ahk"
          PID: 1660
          - System Location Discovery: System Language Discovery

        C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe
          Command line: "C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe" /script /Validate /ErrorStdOut *
          PID: 3008

        C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe
          Command line: "C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe" /script /Validate /ErrorStdOut *
          PID: 5004

        C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe
          Command line: "C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe" /script /Validate /ErrorStdOut *
          PID: 2720

        C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe
          Command line: "C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe" /script /Validate /ErrorStdOut *
          PID: 2448

        C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe
          Command line: "C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe" /script /Validate /ErrorStdOut *
          PID: 4368

        C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe
          Command line: "C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe" /script /Validate /ErrorStdOut *
          PID: 2824

        C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe
          Command line: "C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe" /script /Validate /ErrorStdOut *
          PID: 1576

        C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe
          Command line: "C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe" /script /Validate /ErrorStdOut *
          PID: 2512

        C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe
          Command line: "C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe" /script /Validate /ErrorStdOut *
          PID: 4244

        C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe
          Command line: "C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe" /script /Validate /ErrorStdOut *
          PID: 1796

        C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe
          Command line: "C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe" /script /Validate /ErrorStdOut *
          PID: 1680

        C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe
          Command line: "C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe" /script /Validate /ErrorStdOut *
          PID: 2972

        C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe
          Command line: "C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\AutoHotkey64.exe" /script "C:\Users\Admin\Downloads\Natro_Macro_v1.0.0.1\Natro_Macro_v1.0.0.1a\submacros\Status.ahk" "0" "0" "" "" "1" "" "1" "" "0" "0" "0" "1" "1" "1" "1" "1" "1" "1" "0" "0" "" "1" "1" "1" "1" "0" "0" "?" "0" "" "" "" "" "1" "0"
          PID: 3292

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 1980
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads