09976fd76ae40a608f424655cda82b2be77c426c88ea95af78378b47630397bf

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LastActivityView.exe
Size

130KB
MD5

f27a284ef9b018cdd2a98a7b78ccdcb3
SHA1

67e260b11e6227c18cae8925b4f6899103c607f2
SHA256

af86dc3f76d39b67b967a3b714e9e70ed43eec8d3871e9691cb45d84372b53fb
SHA512

9a8811f13517748539308a70933b126a3348407f397bf30f903019379f927532c64015853b94acf21bdbc554d638a0265d4394d026e289103db06fe93fe5524b
SSDEEP

3072:5e69eWHZXp1nPDhhloZqX6EsSiEF4Gw1aqL1p7BZ5CJ/:5e/+1nrhPKqX6EsS94H8B

Score

7^/10

discovery execution upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x0004000000022f0c-78.dat	upx
behavioral4/memory/2804-189-0x00007FF7DF6F0000-0x00007FF7E12D641B-memory.dmp	upx
behavioral4/memory/2804-218-0x00007FF7DF6F0000-0x00007FF7E12D641B-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Executes dropped EXE 1 IoCs

pid	Process
2804	qvzqhfqc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5088	powershell.exe
4460	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LastActivityView.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133714245285702034"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3532	chrome.exe
3532	chrome.exe
5088	powershell.exe
5088	powershell.exe
4460	powershell.exe
4460	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3160	LastActivityView.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeBackupPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeBackupPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe
Token: SeSecurityPrivilege	3160	LastActivityView.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe
3532	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 4016	3532	chrome.exe	94
PID 3532 wrote to memory of 4016	3532	chrome.exe	94
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 1500	3532	chrome.exe	95
PID 3532 wrote to memory of 2080	3532	chrome.exe	96
PID 3532 wrote to memory of 2080	3532	chrome.exe	96
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97
PID 3532 wrote to memory of 4800	3532	chrome.exe	97

C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe
"C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa6779cc40,0x7ffa6779cc4c,0x7ffa6779cc58
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1744,i,16773719085121416212,7282939554728919569,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1732 /prefetch:2
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1916,i,16773719085121416212,7282939554728919569,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,16773719085121416212,7282939554728919569,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2524 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,16773719085121416212,7282939554728919569,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3260,i,16773719085121416212,7282939554728919569,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3740,i,16773719085121416212,7282939554728919569,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3728 /prefetch:1
  2⤵
  PID:3228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,16773719085121416212,7282939554728919569,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:1684
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff622014698,0x7ff6220146a4,0x7ff6220146b0
    3⤵
    - Drops file in Program Files directory
    PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4424,i,16773719085121416212,7282939554728919569,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:1288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5216,i,16773719085121416212,7282939554728919569,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4412 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3308,i,16773719085121416212,7282939554728919569,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4500 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3380,i,16773719085121416212,7282939554728919569,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5332,i,16773719085121416212,7282939554728919569,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4076 /prefetch:8
  2⤵
  PID:4888

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3860

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1136

C:\Users\Admin\Downloads\qvzqhfqc.exe
"C:\Users\Admin\Downloads\qvzqhfqc.exe"
1⤵
- Executes dropped EXE
PID:2804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 0a && mode con: cols=90 lines=26
  2⤵
  PID:828
- - C:\Windows\system32\mode.com
    mode con: cols=90 lines=26
    3⤵
    PID:2544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Version"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Architecture"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
abc10c8b4d0ef3f10aef79d3d9b6459d

SHA1
45a3955ad6ec910eea0be060c5ad8e91d8913525

SHA256
42df517a055db40648f1fc7ece719dda5bb8b948578ac76dac3e5cae1c999e06

SHA512
cc4b5d2fb4748b9384f0b2cf083a9c6243d6a0a31b8ffad0418a7fed59f88e54036fa6821043f4976ce3fc92e0339b055fec5dee31ed536601bb58052464fcd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
3093a0ff1ab42f2e30f20cf916565476

SHA1
d1f235b48a8f63510a2e038b9172ccb3fbc7f021

SHA256
0ac410a3bcacfc4c5328c8af3cca845e2b06568ab0cd86abdb4c5eaeae34a0d9

SHA512
6deeaffc89201710891fcc242d6fd4e723827e36b483fa40c26326504c658e5d5d1c1964c4a6c8b4a0ce9ec946db5128339fb11090fd2af5e57edb7bf5f9f104

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c105047f55464c40b5e620b003f625d1

SHA1
94c1222eb96116377fe8d7ba31bf001eb50248a6

SHA256
f17c3072533cf203214e8916d89abad5a4bb2c26be15422ec18325008e161a5f

SHA512
90c2009e585fb54dca1ef458b17444074d54e0343a4c2cdc6bed81ddef21676de91a44a82b4061035ea0e4fa4c1889a5414ff2a5f52ca74a9952dd7bd68cf0a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
293b038ab6f45fad093dc8c731d012c1

SHA1
ee8c8d3fb10732ccefce94c64ffea69de2f71d27

SHA256
33b9915d61c0c12d9e775828fcf375f4be681b639e7010633ab0c56d9d9f09e3

SHA512
6db29177698963f630917aa9233f82eb824598b96117091e29e087e60c72a55e804f554aa659b052f64fe50c8d93b1f88c8406400ab9a8bf9fe3370d4038f97e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4734474818686bbc9645b4c9ad689d00

SHA1
22735e02caba87821e4153c213ae6860b1b92aa8

SHA256
361d3bb09c8bb4d94bc67d9524dc2b4c32750c91e31d04bbdd2fbff7e568f4c9

SHA512
ccf7fc7dc745cead8a99e322147fa5d493d683e5444b9b3dc0c31aaaafd8a012f7a1b02dc9aa1965af2df22a8d7a7b557a32082b7580ae1e5fa1c4eee29baf98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
77ba1f2ee348e15fb46d1faacf88f364

SHA1
532647295fc4e462f95b47a673258112ce8dc1ad

SHA256
539ca791e0bb4302401eb4bda40019f0d335c67ded584d5aa00d0bd84c885633

SHA512
9ca0700f71b3b42babc95dde5ee14fcbc9e014c7b3a51d6dab4fb7b10621063f5ad1ea292e6020bae2321481c363c4db38304981f8b98254f8fba23a776fa69e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a2b7998af75c0fa35048cda8e64424f2

SHA1
e5e9146b05c8decb73b7d35f087f3b9798c8acb4

SHA256
b92539a306e396ef276a88d412805c4b4318da8efc4ffc0920d5540970ad0172

SHA512
fe0b8896ac76bb5af4610076f3691e7258de94324f2a43c36ea4704a30b85aaff271b5e7592399fcf081454e5b707d75c9a61a2fb69fdcd926b8d74cdceceb1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
6403636f306d89c47d8669a3507bd3bf

SHA1
956ebba62e638bf2507cdab14d5d9d33d107f247

SHA256
f730b3a9cbcd95f0ae26b770f067e8ded4f64bda70472a1b890e61538fb10463

SHA512
d40e85c15ac03f10993c1a6b4517490e360e7459d57e797f27d90d8a8beca7e0d8227514803d427ab30b0334251e6d1a2cdff952c3aa70ebd04eefe669fe13ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
04b3144576cc90cf64184455bc6b6c93

SHA1
b42687c5db43c96833f6ad0cae699d06d09ffc2e

SHA256
9253944bc406af19dd6d055f5356eeb5a35c2964d48c26644e9aac0b4758d61a

SHA512
94e9c25217fbb320c2af9574f714903c0f092b6af40c8069104982cfb1793a3e88981440ee21375f7e57d1a3c406e5bc01d1e513715772c085780df874c7127b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
958ec9d245aa0e4bd5d05bbdb37475f4

SHA1
80e6d2c6a85922cb83b9fea874320e9c53740bd9

SHA256
a01df48cd7398ad6894bc40d27fb024dcdda87a3315934e5452a2a3e7dfb371d

SHA512
82567b9f898238e38b3b6b3cdb2565be8cac08788e612564c6ac1545f161cd5c545ba833946cc6f0954f38f066a20c9a4922a09f7d37604c71c8f0e7e46a59ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
30ca1192af3a43c34c8bb7161056dd0a

SHA1
5e661d39ecfc721e563d987afee5c61bbfa88780

SHA256
38ac199d3aec87a6ad95f385eb01b513c9fa84d68b93dd7ec68887d3865ca6a6

SHA512
50814f0d6f62ae274870e125af5ef95d04f78fe61f6c643307a87878364287311f6be139689dc5fabca2b422e823635cf2ffcd7337a63416a4b04f59d2893574

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1fiknphh.trr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 222890.crdownload

Filesize
2.1MB

MD5
16d2316330d3dd86b0f19edc0a6a0895

SHA1
855ca75da35943438f98ec0cc52c6b6e8dd950be

SHA256
b263772a7ee09d6251d91072b926f5d7e15b587949e567aa14bcf1cdb68ffb90

SHA512
9560536b7fc82cfa9298f3abeea4b2fd31aab386b5610339b3275a689fc50aa405b0395e8086281f67d6376e7dcbc7e6581105bd94db84e1659bb0f3f9fb0456

Download Submit
memory/2804-189-0x00007FF7DF6F0000-0x00007FF7E12D641B-memory.dmp

Filesize
27.9MB

Download
memory/2804-218-0x00007FF7DF6F0000-0x00007FF7E12D641B-memory.dmp

Filesize
27.9MB

Download
memory/5088-201-0x000002ACFCDD0000-0x000002ACFCDDA000-memory.dmp

Filesize
40KB

Download
memory/5088-202-0x000002ACFCFB0000-0x000002ACFCFD6000-memory.dmp

Filesize
152KB

Download
memory/5088-200-0x000002ACFCDF0000-0x000002ACFCE06000-memory.dmp

Filesize
88KB

Download
memory/5088-195-0x000002ACFC130000-0x000002ACFC152000-memory.dmp

Filesize
136KB

Download