hxxps://ufile[.]io/mhnszhl8

Resubmissions

01/09/2024, 19:54

240901-ymwaaazfjm 8

01/09/2024, 19:51

240901-ykybvs1bma 5

Analysis

max time kernel
221s
max time network
219s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
01/09/2024, 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ufile.io/mhnszhl8

Score

8^/10

defense_evasion discovery evasion execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4284	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
772	Winhlp64.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 4 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2404	powercfg.exe
4044	powercfg.exe
2580	powercfg.exe
3320	powercfg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\MRT.exe	Winhlp64.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
568	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133696941104366782"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1735401866-3802634615-1355934272-1000\{35268B63-3EB0-4FB1-BCB9-DA09890AA110}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\AquaticV3.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
952	chrome.exe
952	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
3612	powershell.exe
1240	powershell.exe
3612	powershell.exe
3612	powershell.exe
1240	powershell.exe
1240	powershell.exe
772	Winhlp64.exe
4284	powershell.exe
4284	powershell.exe
772	Winhlp64.exe
772	Winhlp64.exe
772	Winhlp64.exe
772	Winhlp64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
952	chrome.exe
952	chrome.exe
952	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe
Token: SeShutdownPrivilege	952	chrome.exe
Token: SeCreatePagefilePrivilege	952	chrome.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe
952	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 1396	952	chrome.exe	81
PID 952 wrote to memory of 1396	952	chrome.exe	81
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4600	952	chrome.exe	82
PID 952 wrote to memory of 4632	952	chrome.exe	83
PID 952 wrote to memory of 4632	952	chrome.exe	83
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84
PID 952 wrote to memory of 480	952	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ufile.io/mhnszhl8
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb016dcc40,0x7ffb016dcc4c,0x7ffb016dcc58
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1772,i,8074473905483148817,14400507188397545557,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1768 /prefetch:2
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2024,i,8074473905483148817,14400507188397545557,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2156,i,8074473905483148817,14400507188397545557,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2356 /prefetch:8
  2⤵
  PID:480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,8074473905483148817,14400507188397545557,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,8074473905483148817,14400507188397545557,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4448,i,8074473905483148817,14400507188397545557,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4512 /prefetch:8
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4436,i,8074473905483148817,14400507188397545557,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4880,i,8074473905483148817,14400507188397545557,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4652,i,8074473905483148817,14400507188397545557,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4696,i,8074473905483148817,14400507188397545557,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1432,i,8074473905483148817,14400507188397545557,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2024

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4416

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4804

C:\Users\Admin\Desktop\AquaticV3.exe
"C:\Users\Admin\Desktop\AquaticV3.exe"
1⤵
PID:4288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAYwB5ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHkAeABnACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVABoAGkAcwAgAGEAcABwAGwAaQBjAGEAdABpAG8AbgAgAHIAZQBxAHUAaQByAGUAcwAgAG8AbgBlACAAbwBmACAAdABoAGUAIABmAG8AbABsAG8AdwBpAG4AZwAgAHYAZQByAHMAaQBvAG4AcwAgAG8AZgAgAHQAaABlACAALgBOAEUAVAAgAEYAcgBhAG0AZQB3AG8AcgBrADoAIAB2ADEALgAxAC4ANAAzADIAMgAnACwAJwAnACwAJwBPAEsAJwAsACcAVwBhAHIAbgBpAG4AZwAnACkAPAAjAHcAawBoACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAcABiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAdgBlACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AcQB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAcgB3ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3612
- C:\Users\Admin\AppData\Local\Temp\Winhlp64.exe
  "C:\Users\Admin\AppData\Local\Temp\Winhlp64.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:772
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3560
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:4044
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:2404
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:3320
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:2580
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:1336
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "FROFLCHD"
    3⤵
    - Launches sc.exe
    PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
cc4f4fa1ab7a0852a0be0af0e3f9ff02

SHA1
51078ea82acefc1019c036bdf129265e6c6d4a07

SHA256
116d119c7a54754fc28c7f9ee5983b44126f89bd45e44ecd06483e30b053f1a6

SHA512
85a47cf30408d91842757d929ed2bb7fce57d8e1dae16c6e1407c60b33cb8098b0ca15d43c5cb54624e609d4fd28d8167fd9cc32b26a0a0c3624cf204b53b585

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
211KB

MD5
e7226392c938e4e604d2175eb9f43ca1

SHA1
2098293f39aa0bcdd62e718f9212d9062fa283ab

SHA256
d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1

SHA512
63a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\06de37724221a002_0

Filesize
280B

MD5
70ef31ac83337c5d7db7f7988c56b020

SHA1
9530868ce43367ac565cc10ef650bc9a6db9c907

SHA256
13908ca0644cc2463fb50b6f73cf99985011de43234a7b0a8335b91cbc1a46d6

SHA512
fc3ed9015d7c7e3e26c28809fb46828a669081e1c373892c76b29d0cadbd82e515d4f8e30c242d79c3c5d2862ae8815e883ceaf4736d10ba42381bc4c81caa2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\85ac39649b043c06_0

Filesize
19KB

MD5
0c3a8ed52e65c0c008ab076d7460009a

SHA1
d94c13a822d1483eaff6eaab53f973830aa46437

SHA256
bca604464dd671fcf95b4eb669effe6f16454ad683b41016a72acf3226feb83a

SHA512
ab679cfcc4f9c7390dd9235d99a6d699efc4f297611311b8dcae11503aadee776eeaed3f57ed815c08620e86b607062921e34cad25ede192159f71102e668f8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
9fd6922a79cca1b5d82e3f238a4e1e88

SHA1
3d65d7b13ec90f2e724b23c110ea27158f2aa179

SHA256
eccf53018655a5926ce55e67503ca71c290cc68930dfe2d62267ee0c7954dc5c

SHA512
0a38dba752ad6506a7748ba40a8efbfbc427930ac3e0c43fa3d1c3e967da63ff99c55f7e9351a761867b0b1d4afd9def2b57fd1dd6bad71034a577eb33712d44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
8c6ac1947cc59c46db744b2802b5b039

SHA1
7c7c116d52f2264bf1007ddc33e349c1b8960489

SHA256
5d603c7fdbe1211b31acc34a53206db04ca50c5ee0aadba0d03c6af4e48e17d2

SHA512
9f54b45756dc77134e0d9aa86b0fa03771a3fc9bcd596ecc72a41dcea01bb851c8c9126dcf685f2db82322c3ef439fa796f7c2f34e1529d20aed596fa929f0c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
75b880b195d6a5549ba851dade554213

SHA1
ed21d574a47a7f51cc7bb22f6a85745a2492ba82

SHA256
d44bd899ac967e2da61066799eb0a0b7ba36873ec3cd1db2e2c7caa8c3b9208f

SHA512
2ae1afb60bcc755362da01b031912c0dd039329fb20a33e15ebf7c7383eaf20b3d57205b73a5c012baa143cb97c5966810af44943d3e07403a088c5217b9b9fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
0baf1eef6ce02a5876e6f83ab0097cd2

SHA1
64de57c40592577114e67a6204e5ac5a1da3cc96

SHA256
7bba54c2a34c90555467f96215926e92f0adb0b3140685209d773657ed1c5066

SHA512
725ceaca7fc5b65e8b7530b8cadc34e315d0dab3f79167faad681d85976750c1889386ab849d0c76ecc6c78df570bfa1ee5acac620f3bad462fb8c498bce25ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
c90a31913a10e74c9e654ecf7e85cc4a

SHA1
bfa7cf45fd1c98e5f69c4fff86b38820e3490e1c

SHA256
326f1310104b7aa516e5f204b19030c783df22f7ed1e19da595f204f87e27572

SHA512
b9073055d3d1ce4b20864ccee41afc7a4e69721dacb0d9072ff53d0e713f443780223e9d52c7e2691a47086fc9acdfc401c0a7e7d611a1991cd43576b4c63791

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
ef60b7be0bb475adb7266a4c81e9214c

SHA1
81e29bcbd4cbe9becb0e9fc02ced0e0c3dea2d64

SHA256
1c7ba217c037e527523c802c4afdee188968a9f821254e282dcee2250acc1cba

SHA512
2f0d7b8836562413b6ea486aef224dd7a1c90a933586957db609b832627d35b3eec73d368635c74b24007fd8a942be76d91bfec16896320ba8efd10bd3cc0e73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
dc66da1216e3403cbfe319c5da14b4e8

SHA1
0327ce572d161277148efe2bc82c73efae8df03c

SHA256
1dc781077f822f2023c50f365e07dcdb6b67d1e56daaeab9aed6fce8d756e3c1

SHA512
b02b30fd745b5dac53e83e941a7fe9ba6d54e01424433725c40e5f34b7d0c760c8306e921fd66e64f0882edb7170a7c106e8ab1a833005114ae15619a3fbaeef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
28560687b24b3afc311e1ae13a30e9ed

SHA1
41e2f685d3641bede38f06724d07c760488a5acd

SHA256
3b365a6007c560f285a9327defb05f6d12e65e1113bddbd3b3e9cef3641a8e10

SHA512
6a7c43c34348e5e392c24aa0cdce992d522cfe0b4275f7d58b9f3c8e710bb22acc99d56431612f0dadf39d648a87ed7332cd586cd9f035d2f922e762fa89b430

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c4e93335962b9335587a64b8c9f13bd8

SHA1
90b7bb1c62f9e453bab826c8be7e5035a4012059

SHA256
095f52e8257b387187fa3fff2c84662ed5d66298371586a5693ae1cafba6f49e

SHA512
0ecf760d341e4517bd468088b804dcb9dd4697338df0b2604a61ac9b3f50efe94062d5969a988bf23ff884852acacc79506466fdfb11410e36b3f0ef805b7664

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fbeb49c2477078c1ef5cdc92aafc8390

SHA1
d8f8d7c6803819dcc6718b8526089303f4d16d30

SHA256
ef3012d4e576d04c123bf266075c4667a61829a6cd35af2be02e4d42295940b1

SHA512
9dd845973d26676d55381351dfe6fdb968b2ad25535a289e3698a94bf5dc4a3db709edb395110a1d66deaa84a98f2d8865375f0c44aad5dd91464ee0d328e7cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8abdb6bc9f7dd11343ea0785fc38fee9

SHA1
a8f2ef369428e7ec53139f34f9b2da2e8849db7a

SHA256
4fccc0c331bed7dc00cf20266ae4c50c0ac609a5687a942bfc398a4f05239a84

SHA512
0aefb9e7f1c75a1fcf0555f5a7cab37a381b900b4d72d43ae056d2685a278047f2f19c13266cd846e2bff34c88d5fe1213af0a3dd671d4d5f3f1db5459b54882

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
066fd0028ac63ecc15f1556ca37ae4ad

SHA1
136e03f7fc1842ef0a56ddc6679a42385b8d84d7

SHA256
65fecc3b3e8e128f81bd0741b0f2f234d949a01f8210cb3b6c3660f2460c9903

SHA512
9aa1578eb54922769ff8c5d727d424480ffd6c86aed1cbf60e60e201d24e7caab435414c15ed47a7da62d42ff09ab3ef15814447a9bc5b1acc7d2e1a740e9e0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
45f5b863af7c9d79a7e4b03f86ad5282

SHA1
a7f0860f21cd716b2b9b6b543c580ac9b96d0f8b

SHA256
7f3efe43733301f14a6a1a148a33f0166e8ef36bdb6c7a3538abbbc7e07bb058

SHA512
7e70f337b58de7ceedf247f957ed5fa5e959c9f7fc91b98b1dd02f9f4dff5921134ffc71dce59cb3b7593da55031860e5524d076168dfe5043635c84d67794a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c76a04f60bb3dc52ee99dd45dee48436

SHA1
5419c91b084a5f89aa19b1b2268df1e59a77cfc3

SHA256
d98170048d34ab85c4d95143a8c36e6f57e5c4cfc7bf850b4767b1031b5cf1ff

SHA512
296c1f46363fc781e64fbb5b7b89daa19e19cf8b6e77863d246fa77d0bf6111257be57f1772d57705243d013730df11862cfe06489d6d6c177b177bb717b7fea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e0a6f256cc46e21ccc4db79e6f8e8260

SHA1
9a83187c1f62725bca66418cbb6245cf41c480ea

SHA256
eccb29d65d06c3ed7e0bf8a5456e646a65e6dce2ad380c9514175728612785c2

SHA512
7b1044b0b58b3d646193921c52ebf9840af67b4c165c732847725852ef5d6eb8e7726614cafebe787e144d00e608b2ea922bff677deba1775044321c43111a25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
54f133b184354364cba6d2bf5033926e

SHA1
12b4c35ff0e6ecb2d346ee3d5f893a477bdb0e24

SHA256
49f54995d30620f1508b3e6702ef435c6becb16f2ef9c8a57bea5c4d50607ac8

SHA512
edc0ca8ae172c1423f647e2003929ec14f0873d5b15fc9a5bba33356248dce3685aa0cc7440be966fd9f8b54c3b234619f4ce0a6c2c8294166c50c6256e9000a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bff8e27c098c2bb82dd4c6bb2077512c

SHA1
74521e3c87f8ee252d383a11b8f6d59e3e7b073c

SHA256
6853f40b07acb0d47fef240b8179d21f437ad4d7f37d4d40b80f487ed99a5233

SHA512
4d8308a1e445eede4a00263d5e798b3709389e3dbfd4fcb644e9f2a3b9c0f062f2bc17ba77ef0aeb6cc327c071ed3719d1bbab3c8f883b4f147ba10f5ffa08a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e42947a7c9db922d8011c10feb7711cf

SHA1
12f10693052b740f4024b9405f7d01faa6633f05

SHA256
300d7b90e03c2c0f2f972576954cd01aa6ac83b9e4c9066a8fa57a905c15a67d

SHA512
1f7d83d409cbe21dc19fac76dcd4ca83ee1fdd76082a161c95ba410c1d180852f48fa8a26ae9a9f72484524fc73fe20658099151ab4a947bfb1a8478e20ffa8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
092e71228e6c59f13dde150e5e1de6cd

SHA1
15e83bbab64bd749fead52c3f5c0402f25d7789a

SHA256
d29d3a7a17a76a33bea9a65164979a75606231f6c21d1bc4cc1e8eddfb40abcb

SHA512
51875fff3a400299972725437d90d51f5bd64064829b025c451e78219fb5373c6e5d011ccdc910bf5dc3e6745838b3bfff3b08bdfdbde11d004e484801ac36b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
133988f5e88db4ae4c76a80823f075c3

SHA1
fb1dc213a05fbfeac03a3bfd034c598e79000c60

SHA256
766f275a149d2b8455569e270ab24cb380a84895aa96963874a14790cdda1aa4

SHA512
8bba00d6b1ae0de7af15dd2e6c7308990824368967aef46c68d8ca6594fd71d56cbf6278a64cdf1e281d1c01f4fd8130688a861eb0db213f7454a11d36094f92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0aaa26746633b658e91be7d9d835da69

SHA1
18eec1e61e3d09affb522067c7ddcf1159df3769

SHA256
2b3f9a3196b3f261f71c89e5c683ce5264cc90d78c88375846274519ab73cb40

SHA512
5f3b53df3eb7352b9d7d00ce657d7274fa37de070c05637410f914e36de748e55ae2f101c68ec2c86399dc03272a334117998d928558b2bf35decc5e885ef220

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
69c6e22c97803bcbb0d96977c5650f84

SHA1
2f98eed8421d4b4e1664a9be9bd3005c869a5099

SHA256
e7e53e5ec2d68fccddfb22c1f9bcf40d9c317ad2cf08bed335712ba22bdfc13f

SHA512
1f17e0a71a073d8fd996e139a2a900caaac78b8ec61356c7b870b43e3a6d2462e97efae79c63b8aac2572fc9e517d1116fa939bddccb8b4995b0f1f27d6daa09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e2d89067bf66e3c805bb71ce8be0d993

SHA1
55c737fadedf9d44fa71c07325dfef422ebae02b

SHA256
c0e3268b13db824da9aac717131cf6bf5689db8f46392d78f09dda53d09041c0

SHA512
891682099347fa3192507074abf88dce49d011a3de7fe1b97a634943ce2a8ea0b33d6c9c47ee6bc4a83033a7ca353ec6d66f98285da774db139e03c4fd02f6a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
ac033622fd6205ea84b8df37b0820149

SHA1
e020a68a57692242406844ee3ba523ba8473c169

SHA256
34438f35fd5d963c5f969d647eeb97232b17f782ce5907188ebfe8bf2ec9bb49

SHA512
9c75c2cbdb36c4e6283517b3ee27d52e60e5e8a3127684b44f9b5f5f8323bce5380274b11c457cb621662f465b4e5398e9734cbdf1eb1f4548922b223761ad91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
9e16c150c7ae7fffaf3afe3492489151

SHA1
1f162ec3e60ddc24aa24a6c9954d50efdd0c0365

SHA256
979cc6aef7d4d000c0b8858a6d63fd55b22d98bf834eddbf5b1404c3f4a8b709

SHA512
a5f7f6bedfc962457ecb73285fcba343a0ce1524770a6224bbc55cf69237874b7d9cc362ad5bd124beda84ae795e6e9a6f354ed48d44b240bfc6fc96d0443105

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5b3776759d5487a4d98618f1e2cfbac6

SHA1
a852f8853f4acaf7db4253cbb475eb5ea2665721

SHA256
378805d4333f4bd02f02f1177940d0460a805cf1d828632c4051a41374ea70ec

SHA512
2f674f357ee074f287fee8d87b2a2735a15b8786106d520a1366e49517271096cea42348e6bdf221f19283309fc41d28222ef6482e2edf5613c190c001c81819

Download Submit
C:\Users\Admin\AppData\Local\Temp\Winhlp64.exe

Filesize
2.8MB

MD5
5c27c51b474d57f1883f2298a8836bea

SHA1
6fdde3a9a407956233d155ff6539b077c6276c17

SHA256
07109f615df2cd62be63b87de207803a64eb0d01f688a1be52be40ad198e455d

SHA512
0a0fd8c3a35c737e1b8fc3e1e2e7d3634e1a4360322c4bbb145e37ae750741a2b5dab70435772d34ecf3f1c6d5d4615995cd7232d7aec239fb1899d3124925bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1rlpyiiy.prq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\AquaticV3.zip.crdownload

Filesize
2.8MB

MD5
ef8dced8d977e729c63520bd0fad27b2

SHA1
c0a7dedba8c991a67a70179e7ebd6239017ade0b

SHA256
549de153f32b4660669be19a55314b904f13a5a2a75a2be6afb6b35bc46b0a2b

SHA512
13be362d030c91eeddc40773f02e3d527b22e44970aa4b6daf8a9e28eaaa512d46ac852e206474ac06de09b92b84cf5584d4e30e319eeca0c75898c66ebd8edb

Download Submit
C:\Users\Admin\Downloads\AquaticV3.zip:Zone.Identifier

Filesize
57B

MD5
4da4cd3783c739ef96772678137cdb6a

SHA1
cea05a38eafb4a4125236d643e840196c0ac3e79

SHA256
729a2bcd8e51391e9af07eec8f692a08256edaf55c8542a19711833f2517ad29

SHA512
e9ccfa9ce8bb95af45048b9872245bfa343a632c882ecafabfc59b32d7e4e3911905c80c2e27c9afd0aff2ba530d3581094d29c510497dbb30467e36daa82f39

Download Submit
memory/1336-412-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1336-411-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1336-409-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1336-410-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1336-414-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3612-383-0x000002A130840000-0x000002A130862000-memory.dmp

Filesize
136KB

Download
memory/4288-366-0x00007FFAEB090000-0x00007FFAEBB52000-memory.dmp

Filesize
10.8MB

Download
memory/4288-351-0x0000000000AF0000-0x0000000000DD2000-memory.dmp

Filesize
2.9MB

Download
memory/4288-350-0x00007FFAEB093000-0x00007FFAEB095000-memory.dmp

Filesize
8KB

Download
memory/4288-389-0x00007FFAEB090000-0x00007FFAEBB52000-memory.dmp

Filesize
10.8MB

Download