hxxp://mediafire[.]com/file/fvt9fpe00w9iikq/BootstrapperNew[.]zip/file

Resubmissions

01-02-2025 16:54

250201-veg6xa1mgw 10

01-02-2025 16:26

250201-txnwqsslgm 10

Analysis

max time kernel
153s
max time network
155s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01-02-2025 16:54

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://mediafire.com/file/fvt9fpe00w9iikq/BootstrapperNew.zip/file

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	mediafire.com
1	mediafire.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133829024664288745"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "16"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-946476529-1335986830-1090511001-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4644	chrome.exe
4644	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4664	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4084	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 4460	4644	chrome.exe	83
PID 4644 wrote to memory of 4460	4644	chrome.exe	83
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 2548	4644	chrome.exe	84
PID 4644 wrote to memory of 3092	4644	chrome.exe	85
PID 4644 wrote to memory of 3092	4644	chrome.exe	85
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86
PID 4644 wrote to memory of 2744	4644	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://mediafire.com/file/fvt9fpe00w9iikq/BootstrapperNew.zip/file
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffd73b2cc40,0x7ffd73b2cc4c,0x7ffd73b2cc58
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2084,i,14936575385523789492,18086568176194015492,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1908,i,14936575385523789492,18086568176194015492,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=2520 /prefetch:3
  2⤵
  PID:3092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,14936575385523789492,18086568176194015492,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=2628 /prefetch:8
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,14936575385523789492,18086568176194015492,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3096,i,14936575385523789492,18086568176194015492,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3908,i,14936575385523789492,18086568176194015492,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3528,i,14936575385523789492,18086568176194015492,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4764,i,14936575385523789492,18086568176194015492,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3852 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5392,i,14936575385523789492,18086568176194015492,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4972,i,14936575385523789492,18086568176194015492,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5176,i,14936575385523789492,18086568176194015492,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4932

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3080

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BootstrapperNew\" -spe -an -ai#7zMap25184:92:7zEvent25822
1⤵
- Suspicious use of FindShellTrayWindow
PID:4664

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:4504

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a25855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
b31720ee759b9c7bd2487877bc7d11f5

SHA1
7c243d4ee277430b8a5a0eb4c1d8db26a510d462

SHA256
568046b4bb23c94a0d3ba78d764bd4f98f4c1f413112a933040b8d092e84d4c3

SHA512
b4155e004e1d045922276251b9a9c2774becc2294617a8daeee423589430cc48621ff5abb3859cc142ec104fd7c0039bc17221a4380749e26405cb1774eac1a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
8a6d20f0596e4bd9b405e7324f578636

SHA1
46338207371e00d324fba856580578969aa82ef1

SHA256
71b3b47840cf5824bf1d57f354986220276ca2324496f7c032273aecb77c8acb

SHA512
8bafcd425e9b64a6d0a8a545b7b8131ad8b2c577e7c1126e94f5ca94bf9d36c40449a615437eacd7b2c3429a1a3aaf899e4936cd1eeaa7d28f02f09572fff86d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
dc14d25997dd5658682cb46950a1a2af

SHA1
9883e727ca686d04ad0471c4f3ea0def8e62c735

SHA256
090ae875cf92955ef52dc27c350f7ae0585298f72def22eeed37d6288cbfc501

SHA512
da51a60defc8ea9df85157880dadba2d391a3df3d5f04b4b4de2d8948d3e7d5e65e3a9607d8740195beaf590d605fc45919614da7d748e8b682d034e217f0804

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
852B

MD5
1d39d883abca4762fb125d357506d165

SHA1
5323fef23e7e0828020c9885eb568fae265215a0

SHA256
6dac71c038aef299488b9eced34486e375016f9dc92c21dbd522c3e2cf3c2cc2

SHA512
b7eb1178da37b1a3d708a996a097a55ba7fc549b2b1296f2bd7d1dd5e650408dcba14f90046c3e5356bde95c9e399c13f0f96c35c8ab26e8a0514ffdbf63b1e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
81f9a52188bc9fb1aa78e629f4b50ee8

SHA1
561b88e7cd322e7846d2c8e12f4ff6243b075d60

SHA256
2fbfdfe2ebb20ad4eefca830a97b915c90e68efb824386b542081c6bcac23daf

SHA512
4543cb79c6407cbd5e58092408c6a9e1e417f9a5e21a4918911a9673f0017b018c6f9d75193bc5ef07a9e484e58d031e4fea7afa4ed025c9a3103321d1ec3bc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e6fb775fc876266c91db80a81b1c5807

SHA1
914bcbf37088f09ffb008edcfdc2b784406227ce

SHA256
67eec9195be2884d8cf854c60af3908f073904c067de7e4c1a20515eabc713c2

SHA512
41a480272833f8dca305c0e1e186a43e29766429553b8e5da21c3d7914cb0e60c8a514ebed1bbbbdceb02a3a135bc3813386db00ca30785fd407036078f55ffd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8fa9b2ba5755d1630e8a5578f3937843

SHA1
09b9f147601ee30bd8c894a2ace5f561bfa62506

SHA256
e8f5c3efbca269c4308447cfebd7f6644b27937d371d3dd6d9804a747eedcb63

SHA512
e5ba00d4522a7cfd52dff7118e774632e942a0150004de6be67be15aa1308054194b386d7c0c3dbb344a03914cbea104b5a271a838e1cfc932cf86e7691b2612

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
541902e0a408ad9edeecc6e0c912ea22

SHA1
06635ae20c58d735eb47389ad315e4bf1ad628cc

SHA256
7dd67880405fbd4d1fcef0c33a2fb9b2856dc62f4ad98339586fba87348eafb3

SHA512
c7683a7b34d395a7d3fac1fe3aab53986ce8dc8221dbc606b4cdf51fbbebf2df1448229640b4b141d67368607fee432e4a22f55a7f159aa68b0afd1d2b77b762

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2744c8f287327ca3bb68d44dc57bb419

SHA1
79b26970a347c2ee7d5c920c4bcda4d48ca7b0ed

SHA256
31a96da090f45c721ec95b8b128b2106d311684a3ecda37af11ce28b3aadbc22

SHA512
a1fff9ea7ada4da3d7778b84452cfc1a9ec9533ad0c05f81b11d3fcaa12b0fa972c05741e6c8e47d7637d160ca65098c5afc6c9a351ea4c70e49221de8782a0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fb72a69c46ecd58b939e817e12107847

SHA1
9ee06eaf0c08c4739f6a8610d8658f199da289c5

SHA256
7c6f36b784bd70875e754a273232ec2e6284e0636343da3646e677d223334af9

SHA512
0167ffd16df9392ce3259aec62c96672963f66cdb606ef1f523772c4cdca1f517096f854a3aa9bbb2a1383b93909dca5e435841c8bb42efcd0c3d347848dc01f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0f4ccdc5677bfc975d44b60f4890217d

SHA1
a3cceb9ae10f64398f5247b39c3feea5048ae5f2

SHA256
0bda8695e7796c1f0c9b096c2d00b36c858f06df812f6673fd59347b31ccaf72

SHA512
cad65b2296aa41449bddbb826ea46b394c08ae6f98ee44e6c4809248810df7a32ad9a89c6ccebfb1f05f5877f95702247c963ede2801a5dcbd7f40af59ca729a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
64ade33996d1d77d796b0e0f00db2a26

SHA1
059f33cec395013b332f0ca059fb1366c7344c86

SHA256
4625ff0110ebb3d0ed21db5764a16aebdf8b06fc4f31b75091a8e25b9ad2ec69

SHA512
e3c801b7519211315aafa6c982db58d95020f855f708882510066f576770dd865eb0e6e5a93df771f6610aa173c56edf03ef6b18a213782f8b04a54e00775383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
73249ce666176506241a68d6d76e420c

SHA1
0ba5ab3751b28130a1999fb7029a0775d309d835

SHA256
a0b42a11c4b22f9e9b5869c6a99cc77adbd93cec3214358209fcbb71deea28a0

SHA512
3296ee86e4db306d7d507d23e36f3b843399625d0167cfda08dcf20f111223e4e7c164c5486bedd9b9dc797d7c5dba496d3522cf8e67b90bb68cf0138676b65a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\b0424e5b-a3b5-4bc5-a66c-d1c139d29443.tmp

Filesize
8KB

MD5
1c70c63e5ff842ddfdc1877859379d46

SHA1
c333e3b12dfbc31ecd64aff65a0c513f787be1e9

SHA256
f43885c7cf8eb9ed34d3f5d4d78e65295aae7debaf860310b875a04361b493b5

SHA512
728def044c5a8d4a6e4f059f29bfb7f9bffb650f5ee274f8cedf70febc12a264d2ac19640291e81d40aa174cc3209149ed1350e3edfd08ceaa494d56854f29bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
121KB

MD5
bd79fa0f8a3ae68cb16097fa1a82acd8

SHA1
90e751eda2b49be2df5d2c531f50c18afa0844bb

SHA256
451c25ea22fc88b8c64eeb225db0026bf2266c531176eb66117cdd6d4d13541a

SHA512
78db6362508c6f55447c1c0b4d84cdeae3775e0220e939169f99b83b49f630ab8981a5f86a82c72f66f8e58e9182306f649eb8b162a457a7b338e2c0fedda1b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
121KB

MD5
26e7b2c4e93894a3bffb2ba04c3834ac

SHA1
d480a5f80d0a9f425c55bb4090411728055d84ce

SHA256
1056e5eac7a1dac959934398842b8557a3c8b3a7b8605d781495a2fa103a067c

SHA512
6a5c79694c3a06b80d2aea20c86314476eb7579b1837490c8afc1aaaeef9288df181bacb56069b5f8fc0d86562367f92fdf68d2de883cd33ad5ccdcfffa0b268

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
121KB

MD5
4f31a632b43fea6218c24d3015c4344d

SHA1
9f7b768a46fc93fc386da2e43e6ab6e02fdae07c

SHA256
c4f7dfba452c07eb31c0b96b4807157b905efad7bb6948b5d3d48baa22319798

SHA512
be818883de71b6f90d27e4b7660b07cf1fff3d118c700cc33dbba7321b2a3d3334c9f35141860eaced6584c3f42222b5b5969127d1414c03d187b4bb96ddf6a1

Download Submit
C:\Users\Admin\Downloads\BootstrapperNew.zip

Filesize
3.3MB

MD5
dd5e9614239c69c704ea2838d63bb743

SHA1
2a8e636928c86af5adcde714491c24e87fe0368c

SHA256
98cf9b7ae54dbc4cfa596dfe977c2742579cc5a7a4cf0a631a7bd4874d4ad9d5

SHA512
2cad91209d65bd58903239547912f29fa8165800dc321f5ebb24995fe72ac500a6a49ccb5bde7c124e31e3ac9be084b3ad8855d61141df9549bd15d1b7ec95f5

Download Submit