crimsonrat | faad2bc8e61b75e595a80ff2b6d150ff8b27187a8ba426cc1e5e38e193ab6d42

Resubmissions

16/03/2025, 11:20

250316-nfmz8asqw8 6

16/03/2025, 04:27

250316-e2977s1wes 10

16/03/2025, 04:26

250316-e2ndfavmt5 6

Analysis

max time kernel
374s
max time network
385s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
16/03/2025, 04:27

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

795KB
MD5

365971e549352a15e150b60294ec2e57
SHA1

2932242b427e81b1b4ac8c11fb17793eae0939f7
SHA256

faad2bc8e61b75e595a80ff2b6d150ff8b27187a8ba426cc1e5e38e193ab6d42
SHA512

f7ba1353e880213a6bdf5bd1dfdfd42a0acf4066a540a502e8df8fec8eac7fb80b75aa52e68eca98be3f7701da48eb90758e5b94d72013d3dff05e0aaf27e938
SSDEEP

12288:GYa9sBhIBdCdbX1USoeQDj/VNpA+dZIznBpGTEy:Pa98hIBdjSoeQDj/VNpZdZIznBpg

Score

10^/10

crimsonrat agilenet defense_evasion discovery evasion ransomware rat trojan upx

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001900000002b4c6-746.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
5720	bcdedit.exe
5764	bcdedit.exe

Enables test signing to bypass driver trust controls 1 TTPs 1 IoCs

Allows any signed driver to load without validation against a trusted certificate authority.

defense_evasion

Code Signing Policy Modification

T1553.006

pid	Process
5764	bcdedit.exe

Executes dropped EXE 9 IoCs

pid	Process
4252	website ip grabber.exe
5504	CrimsonRAT.exe
1528	dlrarhsiva.exe
3760	AgentTesla.exe
1072	Lokibot.exe
2572	Lokibot.exe
1408	MrsMajor3.0.exe
3528	eulascr.exe
5768	Spark.exe

Loads dropped DLL 2 IoCs

pid	Process
3528	eulascr.exe
5768	Spark.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/1072-847-0x0000000005880000-0x0000000005894000-memory.dmp	agile_net
behavioral1/files/0x001900000002b4eb-972.dat	agile_net
behavioral1/memory/3528-974-0x0000000000550000-0x000000000057A000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
1	pastebin.com
2	pastebin.com
12	raw.githubusercontent.com
47	raw.githubusercontent.com
48	raw.githubusercontent.com
71	drive.google.com
126	drive.google.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1072 set thread context of 2572	1072	Lokibot.exe	135

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001c00000002b3f7-323.dat	upx
behavioral1/memory/4252-355-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/4252-368-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/4252-610-0x0000000000400000-0x0000000000476000-memory.dmp	upx

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Briano\UWPHook\VDFParser.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.xml	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\SharpSteam.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe.config	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignColors.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\Microsoft.Management.Infrastructure.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.xml	AgentTesla.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\File Cache\Spark.exe	Spark.exe
File opened for modification	C:\Windows\File Cache\Spark.exe	Spark.exe
File created	C:\Windows\File Cache\Spark.exe\:Zone.Identifier:$DATA	Spark.exe
File created	C:\Windows\File Cache\Initialised	Spark.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\File Cache\DLL.dll	Spark.exe
File created	C:\Windows\File Cache\IFEO.exe	Spark.exe
File created	C:\Windows\File Cache\Driver.sys	Spark.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 6 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Spark.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\website ip grabber.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\AgentTesla.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Lokibot.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	website ip grabber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lokibot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Spark.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
688	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133865728915214743"	chrome.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920535620-1286624088-2946613906-1000\{278657E4-2591-43C8-9D5E-7E16C2425651}	chrome.exe

NTFS ADS 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Lokibot.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Spark.exe:Zone.Identifier	chrome.exe
File created	C:\Windows\File Cache\Spark.exe\:Zone.Identifier:$DATA	Spark.exe
File opened for modification	C:\Users\Admin\Downloads\website ip grabber.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\AgentTesla.exe:Zone.Identifier	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
688	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4524	chrome.exe
4524	chrome.exe
1072	Lokibot.exe
1072	Lokibot.exe
1072	Lokibot.exe
1072	Lokibot.exe
5768	Spark.exe
5768	Spark.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	860	Bootstrapper.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1704	MiniSearchHost.exe
3760	AgentTesla.exe
1408	MrsMajor3.0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 2624	4176	chrome.exe	84
PID 4176 wrote to memory of 2624	4176	chrome.exe	84
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2600	4176	chrome.exe	85
PID 4176 wrote to memory of 2312	4176	chrome.exe	86
PID 4176 wrote to memory of 2312	4176	chrome.exe	86
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87
PID 4176 wrote to memory of 4572	4176	chrome.exe	87

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc2ca3dcf8,0x7ffc2ca3dd04,0x7ffc2ca3dd10
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1912,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2228,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2236 /prefetch:11
  2⤵
  PID:2312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2356,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2332 /prefetch:13
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3228,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3256,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4200,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4212 /prefetch:9
  2⤵
  PID:5596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4676,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5188,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5204 /prefetch:14
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5456,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5472 /prefetch:14
  2⤵
  PID:5656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5608,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5752,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3284,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3232 /prefetch:14
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3400,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5760 /prefetch:14
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3392,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5784 /prefetch:14
  2⤵
  PID:5980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5996,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6004 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4016
- C:\Users\Admin\Downloads\website ip grabber.exe
  "C:\Users\Admin\Downloads\website ip grabber.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DBA5.tmp\website ip grabber.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4956
  - - C:\Windows\SysWOW64\PING.EXE
      ping https://youareanidiot.cc/
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=872,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5300,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6176 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=6300,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4192 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6400,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6276 /prefetch:1
  2⤵
  PID:424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5744,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6328,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=3236,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:5916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6140,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5716,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6604 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=3420,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6308,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6752 /prefetch:14
  2⤵
  - Modifies registry class
  PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6392,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6700 /prefetch:12
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=6924,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=6104,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=6252,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6584 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=6116,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6180 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=7052,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6332 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6368,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6708 /prefetch:14
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=7220,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=7232 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1932
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Executes dropped EXE
  PID:5504
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=7320,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6256 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1292
- C:\Users\Admin\Downloads\AgentTesla.exe
  "C:\Users\Admin\Downloads\AgentTesla.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=7300,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3460 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:756
- C:\Users\Admin\Downloads\Lokibot.exe
  "C:\Users\Admin\Downloads\Lokibot.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1072
- - C:\Users\Admin\Downloads\Lokibot.exe
    "C:\Users\Admin\Downloads\Lokibot.exe"
    3⤵
    - Executes dropped EXE
    PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=7368,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:5216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=4248,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=7472 /prefetch:1
  2⤵
  PID:5592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=6256,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=7436 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=7376,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=7252,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6960 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5540
- C:\Users\Admin\Downloads\MrsMajor3.0.exe
  "C:\Users\Admin\Downloads\MrsMajor3.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1408
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\DD96.tmp\DD97.tmp\DD98.vbs //Nologo
    3⤵
    - UAC bypass
    - System policy modification
    PID:3628
  - - C:\Users\Admin\AppData\Local\Temp\DD96.tmp\eulascr.exe
      "C:\Users\Admin\AppData\Local\Temp\DD96.tmp\eulascr.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6964,i,2284253546486439980,5984981277020055649,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6180 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1152
- C:\Users\Admin\Downloads\Spark.exe
  "C:\Users\Admin\Downloads\Spark.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5768
- - C:\Windows\System32\bcdedit.exe
    "C:\Windows\System32\bcdedit.exe" -set nointegritychecks on
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5720
- - C:\Windows\System32\bcdedit.exe
    "C:\Windows\System32\bcdedit.exe" -set testsigning on
    3⤵
    - Modifies boot configuration data using bcdedit
    - Enables test signing to bypass driver trust controls
    PID:5764

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2300

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x000000000000047C
1⤵
PID:5456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Code Signing Policy Modification

T1553.006

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
304fd933341414e7f2a08966a0f98313

SHA1
95b88448bceb95111904a8f2ea9898249d6bb375

SHA256
6e9b1bae2c84a878ca7157c3672f3fa28ee27942d36b02d339b5d174196cd4f7

SHA512
ebf0ea8afb84703dd94a952348c0082daa2c97553c01ad118acd9a1e84f00c859e5d97763fc484bd88153207335cd62d105bafc28ac09c557ef77fc5f6e9226f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
69c4d2aa057cdff9b8df6c0a2d8a8703

SHA1
e1d7107e671dfa9e782e6000473fbd39e9363748

SHA256
6a7b34b36b2135d819d2fe3f6162ae030ea472c4fc76433b961b89b4973f7d9f

SHA512
807af5a99394425bef7f484f5ea5bf4b2a172b65665bbfcc9a1d0a32cd60418ca0a9b3da853a8077a02c587122fec5ebd1e18f738fa30d565b6236f8f3cdea1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000026

Filesize
215KB

MD5
d8899b1c0aa7c8e5836708fa76dfb119

SHA1
3ac6fbb49e7350221da7ee4d658efa239f2985eb

SHA256
106b6d9e8fab32613ec95b387848efc1a8b411ae4609237004009bd330e1a67f

SHA512
9f97e9187e145377992ecce519189fac8a3d13ee1c8fcef31b7aa1b2e5d1aacf0275fa031fddd40ab1bdfc855d549053f4dc43b65e6baf985924cad146d2bd2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
225fb014e6ac2c978911173459238ee2

SHA1
5797d80928ae122a10b6fa9c130e5198745e9457

SHA256
250b67614ddfca705300979e67fd39d270ef514fa7d4f1d04d02442a364aa894

SHA512
94173deb71e45abbfcafe3cf5eba9af0eacac80223601b5fd70ee40d04d8b64a6c93e6fc676089b08baa26fdac792f0800ab9eba034c39817476bb3a0adaf2c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
77b12271e879cc01dd28acf2fbe4f17d

SHA1
94607b43990e068dc4f5a66eac8309b3e9f50068

SHA256
4eddf24c921e59ef24f7c4d3fac3ba6f1b62d2e4afb60fdf42044b79b5bb7ab7

SHA512
b89b3edb460088ebe2822b2e692b4af7bd85d5b8dd6c53097473be4ab954cef33b62f35816f94b55f0b2873ab29c56b2f74361d431e7227b9e22c47b88ee49c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2d86bb43967b4bd8c41f51a856b81818

SHA1
b5d905371eb0385f85d74a2329f8eb68a137ff0b

SHA256
1d274c2e9e0cff945ee41c92c9fd531670eec75e9a89a79695d9e6eed54909d6

SHA512
197aeeff3e7135323ae04f5dc22cd1c23e7300a3b3b03a8f996dd8f770d47efa2c5be95ddbe70c7e8b4cb66e00bd2ee755482bd8298f6db815f459f2dd38fe6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b592af83d06acf9e0123e0d90916e7e2

SHA1
c5805646207124c8cda24242464e701754fd6cfd

SHA256
f222528ce5ddaaf328aaab263d3e1c121ea885c356ea2750bbd463cd29a2a1d0

SHA512
4642f023682946cd9aae535dcff6d732d4e17bc122c5cd8c53510cc398c43038a61e9d0ab1e5d199aa0a94dc3abcfc409822e6f73698fb798dc7509104879b0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
c7a65d52530b3eb5e5072e607b5a6fd4

SHA1
b2666b0e36252530d4c49dfb5e013651a5dbc7b0

SHA256
005df454a7610469e1953693fb6e22337d20baf840a51764b6104bfddf2a9731

SHA512
8cf171c13e372ee28cb067864024d91f5847ffe4f588645704e75a5ab58d909486967df80969d66ee6f67602a6a67397b97c83fb7f770f16a07c9e9809957563

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
9c6eb524ae4e98aa02b829328ba1875c

SHA1
edb588b1f7908776248a0c80b8c2a3e382a43a44

SHA256
e3363f3683edac1b6640da50fd1c5182d891ab042129acda92078cb5aca7875a

SHA512
e710b579d2a3f575e3496a38283996bd1ad615fbe943fa7d8e3e0e640d62b65982a8876b0283de5c6ca481851a974baa432a4b03f4f90b19b237e89087a840f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
b7993e807c0746f0432dd7f5b2272787

SHA1
a6658eab82c684d9bc5bc151a483e8df3409df98

SHA256
bb846c34ab1624323d6fb2993ce3e7b3c940ade6898712103f34f5ef8cc35fa9

SHA512
8b4595adeb4bb6d7c1d738bddf270610195b40f292bcc91954d57b8164307b1f8dfc91f8fd0bf6cc2b85fa25cc7978b26feb4a1116140987efe8c76acf75d953

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
00676e4919a604683da915894c525e54

SHA1
2ab70536cff3205f8ad553c62e7420e7f9e2416a

SHA256
7c473757379994280185ed05a2bfd71b2a77653c1130c3a03151847ed3eaee59

SHA512
16141aff1ea09cba5dba46393e2ed5f4cc160ea17abc2fd2d7b10f944a4874e46c0df5ab298d5073f529db24948b9b883538c7597038162e6855fa98aa2da812

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
2569f1d8d2a6982c519632b1bf81486d

SHA1
9927c3563f02101fc082f879023d7f9639ef7e84

SHA256
346a1ec4845c23eecb64c06c8f9bcd8c35ca87a5f913a63f0effdd3dfe5c95aa

SHA512
4a6f02ed80f0a984c922fdf6c90d2e3a9e0b159384ef3ed42062fefe074e22ecb8f972c410e8873995c246ec248335ffd97bf17d2a3c47c4b5cb7ab392beae8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8f852e8d9620697daa5c16a87d47462c

SHA1
5682ffd37d579d53ce4f6cb04dfdd92ea7b54e8b

SHA256
1715d2209421576c191c202d58d3dc0e0cfed2259ecaf5c6ff6011e4c6d608f4

SHA512
56a74af2e0d4cb090537e91911911add417ead9bbfc2c67d6338e8987f9bd900885074df57c62b4c298eb8ed3be07807a3b7163a1a611c891346e45f204919e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c007d38eb8ce9ef7b9ec3dd66c74b7a8

SHA1
c4c2e8376a531ab86303cbaffcd105b1e5c62d94

SHA256
5df33ccf9771723328309b1987d47a18a0246769c06210568fa63cdb7a79cc14

SHA512
c2325dca6d1882e10a4052586e3b512646e6d2c8ed855467076ba52cc2bea7f7b1b74f213f09ab684ace7d081728b67b5cbec42b71714f04b40755bc88430aa5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
e3a18835d17d9d5dd475d562c076d8c1

SHA1
f08c092e80d5a1a0aa58095c16d4b1e050930a7c

SHA256
b5a3820c1d5c78ff8f614cfc0948e442451183ebdf879e5eae8bab996512b14f

SHA512
820227418352b7af6fcdb1a87580e202b2c0af1f2cd6096e63e3daaf79083611d74b5da3398323704e95e96b9506b87de3467599ddb2f3276d89b5e8a63832f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f0c79b4c1d5e5e69038866d2ab2962a6

SHA1
ba6a9903903db04eac944d999dc38b640a032f60

SHA256
12d705ee9eecbee4ba81ba887963ace3069f44c1f2515dbd1c0f28b9a5fd513d

SHA512
6bc055ea9494ec3f20b92b0becd8994d4fde325ec847f08779a68bd2e7e6b58a9f6273a369518c0b32681a8e05bc8ef969f34b10df9b533ee1ec0a621a05e38b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
620fac97b6fdcfddbfa87c39dfc1b8f8

SHA1
734ab3869cab486b54a5e76c227e902925f801cc

SHA256
1d89223d101f4a334db06528957b0fd4a7b8d12e03e7628f2224d8e5419bcc6a

SHA512
ed37014825159b7d2dc65b64a326b3a355aebd92f4c3e1f9f7aab20217ebf1e55361a7ce473ed7f26e48f182899b252f3bcea34e1f08662b56c4ed2bf67f6ebe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
d7bc67f0c8eefd47cd68c8fc2f696fb8

SHA1
037f5681da37c880bf71bf5083cf67a10052b1ba

SHA256
857a214ac7df37ab0d8a2d901b638dbc313729a752f00d94213235e85d259897

SHA512
e809040bbb7cc4fc3dfcef20bf77a144e1ee45d41373bf2431094aca5ef24aa55b76e3d4f45204f3cadf1d4aaa8b5640abc3828212e275bb1c5c6e6dc86f23c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
3ac28319ec21e821d63602e3bd5b4cb3

SHA1
db4379665cc39965d00d759c147eee96ee0adbd5

SHA256
2e1020f231105cf347405103be08565e9dc87af03a88ba514ca971bd55981dea

SHA512
2b89b9229e894155ff71aec879e4689dc2406464fb93159a99be7fd9a1a70c2179ca669244558d0f5d46de0b304ae3f75eda38d30a927ca9217a1e9fc307fbce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
502594b464710366b87cb50d74fc29e8

SHA1
05534439076e94c7e414ba8a434cda39d4714da8

SHA256
8695d28eb4c6f2d36c35d02c0da8221f256cf9b447e1ee46ed8cb92310a677b4

SHA512
52e289e4c070c6b606e8971f22fca5770dd985d28a58089b017a94f464ea9f13653bb9904ad2fa7c700c5f4c1c99cb347af054f5287ac61372f741b67584cbe3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
1a46065e79286119cfdb81dc85278d7d

SHA1
b852662db79aabb661c0fa1519643baaf6341798

SHA256
151a7594a0aa9b895238021c690e4a3b5ba7aa6a44aa6474997d32119102c4b6

SHA512
b61e908ef1144d009cf2fffaa70195f3d6a06646a370be6db1094bb4a0f7b3a7aebcb60e14d8d274df0f7f92672c962111df870d69353db65d4a54908f738c69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
41ada1a716c322666779b64c1b6f8cf2

SHA1
7c56c29abe4dd58719ab04480252f7d9b05562eb

SHA256
7876c6fbbcf4038bda5ea3d16ae4d26841160f17999bfd993447e75c4bee885a

SHA512
ed01537d6dd2ea073ceaf5da16940b4492c8b00652def041cc7e8af27ac526342e08334e4c3eb9a0ccf20b879798d5f0757064a29ef4bc10290c0bcaf2ebcc73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
3b248307b2b70b8be619e2c985f8b2e5

SHA1
eb277f4a78501c55edd13f50861e6fb225efb7b8

SHA256
eccfa5ec7fee486a0e2ef7f318856520fdc21f65444cbae0d0c2b3b1197f46f9

SHA512
9e89ae658da021730166f8eb9587a5d97222f24c955583e28e16056a0cf9dea6919502434bafcaf369a0cb49dd72246f1175103d5ada0bbd522769b6ea802a33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
1b8b8460f5aafcb386d445196507ff1e

SHA1
3e9723e28828d39ac75ac9f6c3af44ae2c63f366

SHA256
63bad4bf12f3f76b032f3380ed91de475ca4e80f8b7b6eb8304c5ba80c940fad

SHA512
46190fab5a1f08bee4d6049b9ba61070c05958e468a2598553f1258a94618a338c7e3abf31865accbe8d4ad22bb27d0f1d47fdfabe7917567ca6f1c1b0e46264

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
e8b1233bad226e23ef97f2906c506073

SHA1
5d5689c08f0cacb1fb529c2aa8a1d205c026b050

SHA256
040d8fcc4a6275cf0e551f2f6ef93eedc8ae638833ad9c108761ca341e1e539a

SHA512
3aa1d32d524dbbd3bf54af649133fe69f1dcba6b374022a58b4e3e2e8d7368b1cccc2f0a48623928eed0d72a177cbea49f219b15ba773eed6a9a793dd505af56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
837b88a186385adbc006400168c79378

SHA1
54ff38fe75989ecc05980e037031e05814942931

SHA256
ec94d04cffa039ad016ca1c55fcd22f6e5cd481baf8ae395a2dd9ca86c992620

SHA512
eccd1765e7e1fc9a50ea267e9d3ead100ec683b245ba761117cfe8b386d3e22ecfb723711109e9ce99e6c599602e671898ec978c1c4b10b59ab9fa9723f2cb6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b0966226657c2bdab93456ab459c7c86

SHA1
8039f713f808743cc87e1cffa59110368f216bad

SHA256
45e7c52f10a9e30232b79c36975e11e2fdf9a02a89483bd2b1af45ab553f37e5

SHA512
73657a4397e316218c77d9cae1fba0dbf46a67cbd07948e8be1d4cb548eb9439cadfec1163ac6b17f320f4ea58d194d299bb3d645560e8f6df1b55aa22da7894

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
6fb92eded27d479c4c1e9e3e1ce00675

SHA1
e1379dd1e72e2914067a2737f90fc40da0877d63

SHA256
bd7946f0076d2e53e6ea1ca1800bb968e4251936ab2fbfd4a00a05b0ac22596d

SHA512
140ae4586a229d8b7d43c383d9407e00e0fe0758352f50a049b9c7ed16d161fdf3288342e53a46d5162828c58456a88addaf24799506b67fd72b321b2a547432

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
616e87f519d37dde0cfb0f7359a39dad

SHA1
aeeac453d485f153e72fc40f7c2c9731057edf98

SHA256
0f6ef71579d5e41e488d22026806d79c63b0b6491db145ca03e9ab5806084b7b

SHA512
6e2decf48c77b3e364b9f593a26ed91b2c97b2401e74c995c6b218fc5ab1d50d97c067fe8e65e0c82fc3b5916aaaf984f1016b67e50ff249c9221ab3da6c155c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
e5ca022cf5304b6649aa7121e1cbad61

SHA1
3b301619946ee75e032ebb7529de401cdc3a7311

SHA256
56aa4b9e1bbe8b5bde59b8aaafa4a389d830f67ee8db28354ab38d77428cba2c

SHA512
8622c52a0e83746b944aff635407fefd9cc02064b1ba76e9de2210b0289087f04d73ef20a18cdc631339e15e971339e5f86581de0e5666366ed9bdc2abaf6acc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
460cbf7b15b9023ffdede54b1a70e19a

SHA1
0cefb38b582a8527cf364b6f0acc850e1ea076e6

SHA256
7ae40705495882662def84c124089709d4356cb4deb6d70fb7e76682ca87a966

SHA512
9c0e7aed2a1d0bbe44c4ae13720d3a332bb9fa4ca1fc7243e00ec94d0e00fd461c128ea8f1c57114e28b4ad9a05cf5345c435d519d69aae94c9d64beaff7c2a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
76d70cbdc232a33b7e993fc12c5c0226

SHA1
922536a018a73afba8b988b558bc94948ab3d8d9

SHA256
be995f93f7e33c36f7db6546e10a9d40f5a0c6e1213dba14814d98d543056d2f

SHA512
b194bff60780541e007a3b2b0f3d8771d57df6b46579dbc8467449f9ff56563b34d87d8f89a23524049ce2a8ef5b12c7fddd0129157060dcda1d07b5e942f98d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe587460.TMP

Filesize
48B

MD5
ef2b07506e1c36b11f53c35136101522

SHA1
05f77b876350f4afbd72fea007dec2e8e08a6aab

SHA256
cba1eccb9a4ead188116042872fec2878de1da1ed1b8a6a71fa8429892a1ac41

SHA512
38c99b07345f9183a7e6989c4a3e92f0f7b8da4ee8d87634d59b70de92726c61de79cbee2ab224753144d0a4cc0b03fa02662b30cbd3d0a74c422e4509b01394

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
b881ec27fcce591736a91d5a35ae7913

SHA1
518f2262528bd934e3823e8958e6856c091f7714

SHA256
7a7dae8af8a15696b45160f48c8dd17b4473565426efb5168b59267b98b92f11

SHA512
29ca2effb8abb66e2448c7c790ab4ec16c7b8cc8eb36e4670b621a0c7d2f388fde1199f6ef4c3c3baad9c60d9617df29b71169e4439291c9b4c476aac2e8096e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
c275173a346510ad5a5e3ae1464be938

SHA1
bac25d61cac7cad05a8ca1cb8d2aec2dbcfbadc0

SHA256
c5d31e3fa0367d1ea43826cb9c5a12aafe18ea9086acc14c7517e96285fcd728

SHA512
d7176af86635d55aeaa4d18aa2dbbd6ef1bdba8e4e2327d12e8849e1a0e1397c9c66fb4ce842ad6f62a01e6e4ecbcccf83e142921dcae58934990ba8c6da26eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
156KB

MD5
0700aeaf3f02ed6236200f37836a11bd

SHA1
94108bc1da88b84fdab3cf4f8c5ae3f523fc3435

SHA256
d06f2c8c4fa9268c58a653d4c6e94a9fced0c348ac23e6ad3f7c2973d4a18a11

SHA512
60ad75bb8081a75658a3e96a7a4d25ed082d8567db693ce5421157c7b0f3dd48585c24a0e9bf7850cbe4e1d0297d5eca637b60cde48054e255a116f731ce19a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
44d013c07c63261214873f0e6235a095

SHA1
add655f3f31bcae617d9ae2d597ea2d374f4f5e5

SHA256
2b5992c1146141d3907f4f3c1667bb6e849ba4bde927518112c7b393535fb1b6

SHA512
436817789c11767e87d036ca717a26f3c0962a7af24bd921160a4d5f49136d37649aa4dc5ac206c2c355edff4abbc3b0f63ed7688bdb591ee436e672f4c7e16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll

Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\DBA5.tmp\website ip grabber.bat

Filesize
484B

MD5
de825eb742f2d9cb06edb6a19cb54a54

SHA1
77b92f377f4b79fba5ec793eb80c573d2b906e58

SHA256
9b141c2fdea8e31f8ce501c8517f1915e98ee12be3e67fe629f122b1f6e3e32a

SHA512
69ad990c825adb7892cc7e164c61eb983b4d5e0928b9acc384a089e99971c38a51327bf18bcfca3016b8f0f6acbd41bccea2d96b2a495d92df12c4a141e53fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD96.tmp\DD97.tmp\DD98.vbs

Filesize
352B

MD5
3b8696ecbb737aad2a763c4eaf62c247

SHA1
4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5

SHA256
ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569

SHA512
713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD96.tmp\eulascr.exe

Filesize
143KB

MD5
8b1c352450e480d9320fce5e6f2c8713

SHA1
d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a

SHA256
2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e

SHA512
2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
fc2f5521f196a9b8d6845d5e810063b1

SHA1
229d14e635d0560644f4eeb9369ac3c540b9c26b

SHA256
5e51136204cc777ef37fd958790e9ae5c6b7e719217cade3e07dc553df9843db

SHA512
f6833162d73b00f3e8f66cce085a17ef5da492887af7ef813312ccade7e99dae9a004946f0b29d6434027dbe826f3dd6b3d09ec601c11eae9b80e0376d761fc6

Download Submit
C:\Users\Admin\Downloads\AgentTesla.exe

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
C:\Users\Admin\Downloads\AgentTesla.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT.exe

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier

Filesize
257B

MD5
3171702a831b683ba34ba3f58a85275a

SHA1
373e35df587d06414112c67e679c500fe9dbb004

SHA256
d2bc5b5158844480fbe4d9a8b461bd2126093248f36bd9898e54f329b4bf95fb

SHA512
08a81def75052d84d52cd78bc9fccc8a1f82b2b8ed28823ffa7b35c63dcce58ae8b09cf6bf27e0ec9dcae7d35ed1634a8e214007402a6c71f2f8e939c05e11c9

Download Submit
C:\Users\Admin\Downloads\MrsMajor3.0.exe

Filesize
381KB

MD5
35a27d088cd5be278629fae37d464182

SHA1
d5a291fadead1f2a0cf35082012fe6f4bf22a3ab

SHA256
4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69

SHA512
eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5

Download Submit
C:\Users\Admin\Downloads\Spark.exe:Zone.Identifier

Filesize
137B

MD5
3f751db2707304c616166031f7df6ce2

SHA1
838e36cd873ae7db719ac291cd3ee836bc96f56b

SHA256
a71a6f883be72a060a5050298a79d9398ec79918c6774f7e731c2592c7e3bcb9

SHA512
bcfd73307d346864251071077cd8945291c1d480233de6e3e3f91e59629762724e520821ae4751e2cbe6f2e77a46cad4a3c7d2e2278843a1a306f8ce4da7e72a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 155054.crdownload

Filesize
300KB

MD5
f52fbb02ac0666cae74fc389b1844e98

SHA1
f7721d590770e2076e64f148a4ba1241404996b8

SHA256
a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683

SHA512
78b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 897633.crdownload

Filesize
225KB

MD5
6520d9ab650c992b25c6467324baa2b2

SHA1
0a1f8a830228eb8f6229fed60b1171b2cdbfa5c1

SHA256
1100b197992c499e5ae8d484ab83ef06e20e46d4f74847e2f838c98ee1c0caeb

SHA512
2d8be4db599f735869fc5e9f0357fb5559e828c551399eeee7b9530850bd23577d27d0554e13ceb43ed3c9e7eb933e5509c2bee8408407f01f966e6ca858609b

Download Submit
C:\Users\Admin\Downloads\website ip grabber.exe:Zone.Identifier

Filesize
335B

MD5
860ef3898a1490911875812572f1df28

SHA1
35a4c814d0b2eebfca18385b401e7b6327dee9a8

SHA256
bfba04120b00d4c9ac241aee5d4da8fdcc072d0835df4577c1bb52c0b69c2155

SHA512
6cd54abdfb17b3297caaff58c44ebf6b3542f87b651e9ae6a56a9efee1850e5fb6fb164c7ef1591d1a3d5527d603deedab273b63de5c64646ce0328b316adf15

Download Submit
C:\Windows\File Cache\Spark.exe

Filesize
495KB

MD5
181ee63003e5c3ec8c378030286ed7a2

SHA1
6707f3a0906ab6d201edc5b6389f9e66e345f174

SHA256
55bfcb784904477ef62ef7e4994dee42f03d69bfec3591989513cccbba3fc8fe

SHA512
e9820f60b496d6631e054204c6fc5b525527d40a578faac1d5cdb116abcb4a35aacf4f4354ff092a2b455c5d9c2e0f29a761d737d9c9ad3d59d70b51d0583d92

Download Submit
memory/860-6-0x0000000074490000-0x0000000074C41000-memory.dmp

Filesize
7.7MB

Download
memory/860-0-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/860-4-0x0000000074490000-0x0000000074C41000-memory.dmp

Filesize
7.7MB

Download
memory/860-3-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/860-2-0x0000000074490000-0x0000000074C41000-memory.dmp

Filesize
7.7MB

Download
memory/860-1-0x00000000005B0000-0x000000000067E000-memory.dmp

Filesize
824KB

Download
memory/1072-850-0x0000000006730000-0x00000000067C2000-memory.dmp

Filesize
584KB

Download
memory/1072-871-0x0000000006840000-0x0000000006862000-memory.dmp

Filesize
136KB

Download
memory/1072-852-0x0000000006C10000-0x0000000006C54000-memory.dmp

Filesize
272KB

Download
memory/1072-851-0x0000000006720000-0x0000000006728000-memory.dmp

Filesize
32KB

Download
memory/1072-849-0x0000000005AB0000-0x0000000005AB8000-memory.dmp

Filesize
32KB

Download
memory/1072-848-0x0000000005F60000-0x0000000006506000-memory.dmp

Filesize
5.6MB

Download
memory/1072-847-0x0000000005880000-0x0000000005894000-memory.dmp

Filesize
80KB

Download
memory/1072-846-0x0000000000FD0000-0x0000000001022000-memory.dmp

Filesize
328KB

Download
memory/1528-755-0x000001C7B7390000-0x000001C7B7CA4000-memory.dmp

Filesize
9.1MB

Download
memory/3528-981-0x00007FFC05180000-0x00007FFC052CF000-memory.dmp

Filesize
1.3MB

Download
memory/3528-974-0x0000000000550000-0x000000000057A000-memory.dmp

Filesize
168KB

Download
memory/3528-982-0x000000001CEA0000-0x000000001D062000-memory.dmp

Filesize
1.8MB

Download
memory/3528-983-0x000000001D5A0000-0x000000001DAC8000-memory.dmp

Filesize
5.2MB

Download
memory/4252-355-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4252-368-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4252-610-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/5504-723-0x000001E51D590000-0x000001E51D5AE000-memory.dmp

Filesize
120KB

Download
memory/5768-1021-0x0000000000410000-0x0000000000490000-memory.dmp

Filesize
512KB

Download
memory/5768-1027-0x00000000051E0000-0x0000000005234000-memory.dmp

Filesize
336KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads