hxxps://www[.]4sync[.]com/web/directDownload/S06W9sUX/Xnj9cMHB[.]8fe7375c02815b856cddb787ae1c67e1

Resubmissions

19-02-2025 12:03

250219-n782rs1jan 8

Analysis

max time kernel
150s
max time network
141s
platform
windows11-21h2_x64
resource
win11-20250218-en
resource tags

arch:x64arch:x86image:win11-20250218-enlocale:en-usos:windows11-21h2-x64system
submitted
19-02-2025 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.4sync.com/web/directDownload/S06W9sUX/Xnj9cMHB.8fe7375c02815b856cddb787ae1c67e1

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
50	1108	chrome.exe

Executes dropped EXE 1 IoCs

pid	Process
3244	winrar-x64-710.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-710.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133844402266413263"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Applications\7z.exe\shell\open	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 = 5000310000000000525ad5481000372d5a6970003c0009000400efbe525ad548525ad5482e000000556502000000040000000000000000000000000000000cf1b10037002d005a0069007000000014000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Applications	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Applications\7z.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7z.exe\" \"%1\""	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Applications\7zG.exe\shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Applications\7zG.exe	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\MRUListEx = ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Applications\7zG.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zG.exe\" \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Applications\7z.exe\shell\open\command	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\NodeSlot = "3"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Applications\7zG.exe\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Applications\7z.exe\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Applications\7zG.exe\shell\open\command	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\NodeSlot = "2"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-710.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\scan_doc_000_501.rar:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3608	chrome.exe
3608	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
3376	OpenWith.exe
948	OpenWith.exe
1580	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeRestorePrivilege	3188	7zG.exe
Token: 35	3188	7zG.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
5340	7zG.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
3376	OpenWith.exe
948	OpenWith.exe
948	OpenWith.exe
948	OpenWith.exe
948	OpenWith.exe
948	OpenWith.exe
948	OpenWith.exe
948	OpenWith.exe
948	OpenWith.exe
948	OpenWith.exe
948	OpenWith.exe
948	OpenWith.exe
948	OpenWith.exe
948	OpenWith.exe
948	OpenWith.exe
2560	OpenWith.exe
2560	OpenWith.exe
2560	OpenWith.exe
2560	OpenWith.exe
2560	OpenWith.exe
2560	OpenWith.exe
2560	OpenWith.exe
2560	OpenWith.exe
2560	OpenWith.exe
2560	OpenWith.exe
2560	OpenWith.exe
2560	OpenWith.exe
2560	OpenWith.exe
2560	OpenWith.exe
2560	OpenWith.exe
2560	OpenWith.exe
2560	OpenWith.exe
3244	winrar-x64-710.exe
3244	winrar-x64-710.exe
3244	winrar-x64-710.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 1852	3608	chrome.exe	88
PID 3608 wrote to memory of 1852	3608	chrome.exe	88
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 3884	3608	chrome.exe	89
PID 3608 wrote to memory of 1108	3608	chrome.exe	90
PID 3608 wrote to memory of 1108	3608	chrome.exe	90
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91
PID 3608 wrote to memory of 4940	3608	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.4sync.com/web/directDownload/S06W9sUX/Xnj9cMHB.8fe7375c02815b856cddb787ae1c67e1
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbfaf9cc40,0x7ffbfaf9cc4c,0x7ffbfaf9cc58
  2⤵
  PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,12076132214002033682,5049023042209405059,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=1796 /prefetch:2
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2068,i,12076132214002033682,5049023042209405059,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=2092 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2132,i,12076132214002033682,5049023042209405059,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=2372 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,12076132214002033682,5049023042209405059,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3088,i,12076132214002033682,5049023042209405059,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4676,i,12076132214002033682,5049023042209405059,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4232,i,12076132214002033682,5049023042209405059,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4432 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4220,i,12076132214002033682,5049023042209405059,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5324,i,12076132214002033682,5049023042209405059,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5488,i,12076132214002033682,5049023042209405059,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5472,i,12076132214002033682,5049023042209405059,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5176,i,12076132214002033682,5049023042209405059,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3480,i,12076132214002033682,5049023042209405059,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3096,i,12076132214002033682,5049023042209405059,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3732 /prefetch:8
  2⤵
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5824,i,12076132214002033682,5049023042209405059,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3160 /prefetch:8
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5836,i,12076132214002033682,5049023042209405059,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3148 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1672
- C:\Users\Admin\Downloads\winrar-x64-710.exe
  "C:\Users\Admin\Downloads\winrar-x64-710.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5460,i,12076132214002033682,5049023042209405059,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1084

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4236,i,6925591690600939166,85426131164229687,262144 --variations-seed-version --mojo-platform-channel-handle=4648 /prefetch:14
1⤵
PID:4784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3604

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4116,i,6925591690600939166,85426131164229687,262144 --variations-seed-version --mojo-platform-channel-handle=5088 /prefetch:14
1⤵
PID:3292

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3376
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" "C:\Users\Admin\Downloads\scan_doc_000_501.rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3188

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:948
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\scan_doc_000_501.rar"
  2⤵
  PID:2168

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\scan_doc_000_501.rar"
1⤵
PID:1228

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2560
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" "C:\Users\Admin\Downloads\scan_doc_000_501.7z"
  2⤵
  PID:3368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5508,i,6925591690600939166,85426131164229687,262144 --variations-seed-version --mojo-platform-channel-handle=4924 /prefetch:14
1⤵
PID:1732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4024,i,6925591690600939166,85426131164229687,262144 --variations-seed-version --mojo-platform-channel-handle=3808 /prefetch:14
1⤵
PID:4644

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1580
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap29552:92:7zEvent21452 -ad -saa -- "C:\Users\Admin\Downloads\scan_doc_000_501_2"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:5340

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\248c772b-426c-46fb-8d8c-4ea23047a8c0.tmp

Filesize
9KB

MD5
f7c2822e08b99dff763f8d1edf4a89b7

SHA1
ffbae0d2a6d2c289c74b20e0b1f62402f29503de

SHA256
f840c6fbb2d8352a2b87803b633afcdd6952d4385f900411eb05c18723f7961f

SHA512
623a40da0e495a45db539fe8c331dd278b649b6d42b96cd25af239898722d7e6c766afd569ccdc379778e48f89b6e55e9cf09ed46847465ed9e15aac7c579a06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
720B

MD5
3a5b78380858b62c853e4452b8c7096b

SHA1
a473e8a19539ab6b78a5d8c1439759a6c711c01e

SHA256
84f345f1eca2a76d77e652dccbde24ace7c3db4faf6d3e561e1ba04baf7e38c5

SHA512
0f5d4537e12737cf5732316e1c55a20ae0c286ed35deb8749975eed06c8e7b1e4b09038659ec5f31ccb042976a3e19c20e6a7cc9e95f2f24c901e776293b30b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
8a5b5da540ca94609491a616b0d05e72

SHA1
208f95cb24839bbfc1b975ecea47d12a888ebf6b

SHA256
7305f65f25c7688b8cc98d12550907a966f9babfb0bcc1615692949fb78ff0bb

SHA512
e1b41dd79b7022288ab76b05b40f242bdcc74b06bacce32fdaaa1f41ac15031791705c50f0168dcd72c362d5be1632e265c9ca43b9f3fb9535bac4c346b6a0ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
360bbbf0843a38a20e4bb87be061e0a2

SHA1
7097bb1b8949d04993f87d361dcfa9a7e407fff9

SHA256
da09a7629303348bb139449c9c352544e0e787e0a136e2fb75d15a13e096aa38

SHA512
bc37b6291d8722a602e282b765fd418e9296919d713467a2b5bc2ab890c4a38cfc836bdd151df7462d67d0eddfbb30a44b96d0d6b20cb094fb8f5f1b46cde623

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
6dad0e8e87793a873883b4a6e77463d6

SHA1
a4a4217a3134f741f5783e36ed06acf3052ed3c7

SHA256
f75ab63380ed0245cb670b56a094fc398736c9d9de81f29b6a4fd3403e715f8d

SHA512
df946866428225f01638cfda7242717069eb2c03596295ff5aa7fe629f78b43e88813adef0da4a4ab49da63e0fbfff86f6e925d74d9e68de0d54468f8f36f3bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
e016b7efe7b6053c41b4da89a772842c

SHA1
0b5958a84788dac2bfe1e8b6e3225b4027bd2894

SHA256
e352a66eb3929b12b72b2e33a6575fc2144f6fececa4ad7612f2155d979327d9

SHA512
7b7219f45219597327a72c0729a7cea9b9483bf50aa02b50a87de885c1ddb3c914b79335a12805ebb8c3e362646caaf13b3bd4c90190fdb996c332f3d2b08007

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
bc08740ddd0ad7a4f5467d24c1b65397

SHA1
03fd8892124184806cf28bac04127427871e5215

SHA256
09ef22682bc0ab4dcc9a22db8fbc1a927ca55da8b67d9007cf9851e83cfb52de

SHA512
bc979cec1e4388cc191b6caae8b3bfae421e4b969a7fa416b594f06c56189fa11eaaf48828a7715a3f363e4f32959e90ade4b64657f7d2140c90e55f04a06f3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f5f668ea161bf62f1fb6bbd741f1d760

SHA1
cb3a500211b74715de9fed3a580791bed8813bf6

SHA256
f3336454c1067a025a21c9a85278fe24c91b43559dff820ee53609a12d414a21

SHA512
23387bda54563678b37a4d4a2c1e2a4e9da7a7d0fef3195383190a34979ed8ea46b40023d052d71a61c3554a5c46de72bfcc0bf7fcd27b28522c40d33acafe6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f868d6678a48d6e16c28ead833ebdfde

SHA1
d933d4534ab282ca079359001f85738146af4470

SHA256
d5bcc0fe87d562e7521b74de09cee2e646a934766803d0cd35fdaa126e2a3f20

SHA512
81d490921aa0b80076038cda2e55904133e78cd9998479aa2ffbe5f824a20e188741bf008df32d3b019264eb81f953b02ce8a1341687ce1a6452c0c32bb10002

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f4230fcebb000d0cb496a4cd3466a9b3

SHA1
01ca424a1f00596b89c3f0d217bd9e975376d93d

SHA256
309c86f2494ee38b412595fd0a8a46d8adae1d912f9d86d6f89d8e71281ac06a

SHA512
2e4ce6e46e89bef2405a400e09a7bba7f44764ac63267f074455c131f286c85a500695f1ed872f0a9cc11bada605177bc53784e8db484f724c29e861358f30a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c2f3a6e72d176cb9f6cf89ac647d9683

SHA1
47b995f80bcf63fce31ad4ab765b030a22562870

SHA256
189902d704f6b8e3e741b744fe0f2fcefc15b8916b3e08d9fb5508109e0d016c

SHA512
bf26d212de37516f80b92f932c30fa692c60184509d4c94b55bd0f109321f8836561efd538e37e6ea9e476200712416d9b1d9d03af5df39f3779f91676054778

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d9ace22637cc881c94e4c93ec94a47f6

SHA1
8bcc0c49d651c8d1229ace4a3a16e82fef828913

SHA256
01cdbecc65fa970f409a7368e015499fe4530ad96ffdeba62986e8d022bd9fc2

SHA512
64c293e45137c78aeebebbe3a0be51e0ca45c85d40a7438d427c710387aff0e3c4c16f8b9afad34e35eda567dbb8c3229c7b5b7c687859be6db04683e2e4139e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
22d05c6eab94f9375bc675abef9f7dd9

SHA1
5fbb906a14b86010de18c7479cedc170ce6468ed

SHA256
6d3e72b6c0a7ba6f4b63f75db918c69bb4dad74b5dcdfe161ec9fa16f699acd7

SHA512
1778f3fcd14a3df48c487b8c4090d3a21f77bfcc59a4a3c28021ba778d796f243bbb18086ba7333aaa5c72da6957b768e582cda4cb0f9b6b4c1ddb61d9a9f711

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c74522a3592681032ddac81a1e4092ee

SHA1
050e7295ad5bfca8b10118f3a8d0d62e1b1b48e3

SHA256
ba82555710195382d9fc3aceaf8c5376e694ffb053ba754e7708ef29c04cc462

SHA512
0744b4dbfff674d10bf28c9f56f78cb2cc3ce605a62956e423e19cefd37bb462cbec43fdcbfd788e6537a123942a7cd46e83afe74267e92c9e7e0ffff03d4a7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cd34847ec8818f190f2c8c6aca7abc57

SHA1
c3eb7b7c23aa2acdc28d2f5f51d5e52dccc64864

SHA256
f51455e2dd8283e5c736913eaaaddd9cb26c875704c3556951e33dd53ea40149

SHA512
36279c883b0feb3c2f5f8cbebe78b24cc8783f2984a9d7cae36c23d26eb698f206341ee2d997c8e77abee66411198d0b4619b5a941d4bc1a006b64a550598b5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
9416d885a178712215a5bb8ac01c498f

SHA1
836e7f35c21574474b9477b454195e4ce3a6220f

SHA256
b62de7f62910c4346100e3e62808f2360b4bafc9a15c6dece9fd891189d6c13c

SHA512
ef03d65abf5bd441d77fd5643dbbdaf432f082d0d781e4dc8cfd8e6347ffed9e1bd3d89023e54cc2439b5aeabeb69d91c6363cd8f859daa5a038f17bae3d92bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
219f0463e2da85c9b30d35ed79fff2d5

SHA1
454dcb715efda32da3d083ba0119ffe25ad6dd11

SHA256
5a4fb6c4c14fe72184933e837b7f6951905c13ccef52dd992f573d36fe77908e

SHA512
2083533799efdb165edb264fc06ae9a17c71af80129635789c42a755b19df9a572f3ae9108f235f7f478ffd879c3c1ddd58bd9ae283597b94b5b8f3f7e89180d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
021a9685755d4a12bcd07a2cd77b0498

SHA1
86d4ddb87eda0afb57bde64494532f5dffee2b83

SHA256
0cb4115bc32e898bb996600ea328b0cf141f76cf878a7bdefabd10381801fcea

SHA512
87c487239be0722c72f1f909e8485cd8f49c808d0abfb8d5236416e5fd5b2960bcce9bfb697ca87b9e345a075047dd0b9e7e45a1f788400ad58697fb1d8354fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ac7bd464-4af3-46bc-9c36-36c01377d4f9.tmp

Filesize
123KB

MD5
81810df9ff2edf055bd77c2c66113e1b

SHA1
2b4aa0cd8da570957d890831279c7fbeccc27ca8

SHA256
c8fd93dadaed501bf3d4015f9bdea1724924db17b8dba64c71f456da9fc435e9

SHA512
7ede36788bcd25ab250bca067495a7c7fdc8fb716d642488c448f517325a3c3a1dcd261c8d890cadd015eb53d9bf8b6353d9fcae3a792d8c73d7e0c51bb4be69

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\199efe5e-4bbb-4766-8672-7d98abcbcbbc.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\Downloads\scan_doc_000_501.rar.crdownload

Filesize
152KB

MD5
1822c0f3bb4e718e9a05e4d7f79f7993

SHA1
d89f23f5522804e780a8f54ea92e1d7e64c09813

SHA256
1dae991043442a0cc66f6e13c96b2a81ac737b0533d4e6843fcc4411ad492858

SHA512
d9cc34ee73a0840c2ef37e6e1d9849aee491ce47c47ecc7713f93fb786e75c6b9ea4817dbefa63d6936380bd948a52cfc85e0b2862febbcbf1d5a09a40cf9757

Download Submit
C:\Users\Admin\Downloads\scan_doc_000_501.rar:Zone.Identifier

Filesize
218B

MD5
4714a6bda7bf306c4ab96a01d7d8a3ba

SHA1
64de6c6fd825930e45c13e080c426576524699c8

SHA256
bffbff389b39ca63e8883bcaf9a4555448f2ba08e7761e7d8c821c9f16cd114d

SHA512
5b1ee6d43f5e882ca4853d337d05bf8f0b858fe397b1a86207247cfb42f0245840f1eafc40e2cfcb0979be2b1caef13c84e8f540083b0a90a8637e7e04408926

Download Submit
C:\Users\Admin\Downloads\winrar-x64-710.exe

Filesize
3.6MB

MD5
32595caa2a6bbbf58e9cc3c145e2aafe

SHA1
a85f67867e000d7bb3a074bb2b84fa3a143d0663

SHA256
d9fc9e75e174f309efbbb0a4fe13ea27e50c0d1eac65e0ddc858a80a3a4c49a7

SHA512
151748c2c0971d0c9cebc9e4cf3dc0f36e72d9a4f288fff1979729851e6e4ec1ba41e6c4e20f5e13448ac1b9e940a3aa2bc2b097800e9640759f442c95eb4017

Download Submit
C:\Users\Admin\Downloads\winrar-x64-710.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit