nworm | 729955eb4afcb332b615ee3d1b1cf4148b1c87566dc49ce804c1e1193e28f435

Analysis

max time kernel
74s
max time network
64s
platform
windows7_x64
resource
win7-20220414-en
submitted
22-04-2022 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quick SFV.exe
Size

20.1MB
MD5

123cd9c01676dac4081fbe2d3b6f8fc9
SHA1

455bd5f0741e74b3ba577d120384fa1de59b00ec
SHA256

729955eb4afcb332b615ee3d1b1cf4148b1c87566dc49ce804c1e1193e28f435
SHA512

c18ee8fedbb208d51ed4181705b243b8ed0ff94c52041660e718eb52129de1f080b42cfddc7c9f425f67c39f6808e1a6d457e8c477403f3f111a05e00b158ebf

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

176.122.121.199:80

Mutex

09b217be

Signatures

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm

Executes dropped EXE 5 IoCs

pid	Process
2028	Axtn.EXE
1968	Lhivldkpkuxwk.exe
968	svhost.exe
1064	svhost.exe
272	svhost.exe

Loads dropped DLL 1 IoCs

pid	Process
1968	Lhivldkpkuxwk.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 968 set thread context of 272	968	svhost.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 31 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Axtn.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Axtn.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Axtn.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	Axtn.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Axtn.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	Axtn.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	Axtn.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg	Axtn.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_Classes\Local Settings	Axtn.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Axtn.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	Axtn.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Axtn.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Axtn.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	Axtn.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Axtn.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Axtn.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Axtn.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Axtn.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Axtn.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	Axtn.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	Axtn.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Axtn.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Axtn.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	Axtn.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	Axtn.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	Axtn.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Axtn.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	Axtn.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	Axtn.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Axtn.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	Axtn.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1248	chrome.exe
628	chrome.exe
628	chrome.exe
968	svhost.exe
968	svhost.exe
272	svhost.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	Lhivldkpkuxwk.exe
Token: SeDebugPrivilege	968	svhost.exe
Token: SeDebugPrivilege	272	svhost.exe
Token: SeDebugPrivilege	2356	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2028	Axtn.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 2028	1788	Quick SFV.exe	27
PID 1788 wrote to memory of 2028	1788	Quick SFV.exe	27
PID 1788 wrote to memory of 2028	1788	Quick SFV.exe	27
PID 1788 wrote to memory of 2028	1788	Quick SFV.exe	27
PID 1788 wrote to memory of 1968	1788	Quick SFV.exe	28
PID 1788 wrote to memory of 1968	1788	Quick SFV.exe	28
PID 1788 wrote to memory of 1968	1788	Quick SFV.exe	28
PID 1788 wrote to memory of 1968	1788	Quick SFV.exe	28
PID 1968 wrote to memory of 968	1968	Lhivldkpkuxwk.exe	29
PID 1968 wrote to memory of 968	1968	Lhivldkpkuxwk.exe	29
PID 1968 wrote to memory of 968	1968	Lhivldkpkuxwk.exe	29
PID 1968 wrote to memory of 968	1968	Lhivldkpkuxwk.exe	29
PID 628 wrote to memory of 1320	628	chrome.exe	31
PID 628 wrote to memory of 1320	628	chrome.exe	31
PID 628 wrote to memory of 1320	628	chrome.exe	31
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1092	628	chrome.exe	32
PID 628 wrote to memory of 1248	628	chrome.exe	33
PID 628 wrote to memory of 1248	628	chrome.exe	33
PID 628 wrote to memory of 1248	628	chrome.exe	33
PID 628 wrote to memory of 1432	628	chrome.exe	34
PID 628 wrote to memory of 1432	628	chrome.exe	34
PID 628 wrote to memory of 1432	628	chrome.exe	34
PID 628 wrote to memory of 1432	628	chrome.exe	34
PID 628 wrote to memory of 1432	628	chrome.exe	34

C:\Users\Admin\AppData\Local\Temp\Quick SFV.exe
"C:\Users\Admin\AppData\Local\Temp\Quick SFV.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\Axtn.EXE
  "C:\Users\Admin\AppData\Local\Temp\Axtn.EXE"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\Lhivldkpkuxwk.exe
  "C:\Users\Admin\AppData\Local\Temp\Lhivldkpkuxwk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Users\Admin\AppData\Roaming\svhost.exe
    "C:\Users\Admin\AppData\Roaming\svhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:968
  - - C:\Users\Admin\AppData\Roaming\svhost.exe
      "C:\Users\Admin\AppData\Roaming\svhost.exe"
      4⤵
      Executes dropped EXE
      PID:1064
  - - C:\Users\Admin\AppData\Roaming\svhost.exe
      "C:\Users\Admin\AppData\Roaming\svhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6b34f50,0x7fef6b34f60,0x7fef6b34f70
  2⤵
  PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1128 /prefetch:2
  2⤵
  PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1664 /prefetch:8
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2104 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2076 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3280 /prefetch:8
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2636 /prefetch:2
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3588 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3696 /prefetch:8
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3672 /prefetch:8
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3868 /prefetch:8
  2⤵
  PID:2216

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Axtn.EXE

Filesize
101KB

MD5
4b1d5ec11b2b5db046233a28dba73b83

SHA1
3a4e464d3602957f3527727ea62876902b451511

SHA256
a6371461da7439f4ef7008ed53331209747cba960b85c70a902d46451247a29c

SHA512
fcd653dbab79dbedca461beb8d01c2a4d0fd061fcfba50ffa12238f338a5ea03e7f0e956a3932d785e453592ce7bb1b8a2f1d88392e336bd94fb94a971450b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lhivldkpkuxwk.exe

Filesize
10.1MB

MD5
82f43f111041fcdb7df2c242aa1005ec

SHA1
958d9377e41c565205078940bbf0afe39767b414

SHA256
be50dab6250a7ee2dce67e78837fda503e680b739bcde9dc9372ad1631e101aa

SHA512
347095055bce6d1d7ec2098ae865b59e05367cdc0004d639a4b84b1d8aade801c6805ef447d711c1dc263692f495b17e162009fd9ff32dfd59aa807793e957dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lhivldkpkuxwk.exe

Filesize
10.1MB

MD5
82f43f111041fcdb7df2c242aa1005ec

SHA1
958d9377e41c565205078940bbf0afe39767b414

SHA256
be50dab6250a7ee2dce67e78837fda503e680b739bcde9dc9372ad1631e101aa

SHA512
347095055bce6d1d7ec2098ae865b59e05367cdc0004d639a4b84b1d8aade801c6805ef447d711c1dc263692f495b17e162009fd9ff32dfd59aa807793e957dd

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
10.1MB

MD5
82f43f111041fcdb7df2c242aa1005ec

SHA1
958d9377e41c565205078940bbf0afe39767b414

SHA256
be50dab6250a7ee2dce67e78837fda503e680b739bcde9dc9372ad1631e101aa

SHA512
347095055bce6d1d7ec2098ae865b59e05367cdc0004d639a4b84b1d8aade801c6805ef447d711c1dc263692f495b17e162009fd9ff32dfd59aa807793e957dd

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
10.1MB

MD5
82f43f111041fcdb7df2c242aa1005ec

SHA1
958d9377e41c565205078940bbf0afe39767b414

SHA256
be50dab6250a7ee2dce67e78837fda503e680b739bcde9dc9372ad1631e101aa

SHA512
347095055bce6d1d7ec2098ae865b59e05367cdc0004d639a4b84b1d8aade801c6805ef447d711c1dc263692f495b17e162009fd9ff32dfd59aa807793e957dd

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
10.1MB

MD5
82f43f111041fcdb7df2c242aa1005ec

SHA1
958d9377e41c565205078940bbf0afe39767b414

SHA256
be50dab6250a7ee2dce67e78837fda503e680b739bcde9dc9372ad1631e101aa

SHA512
347095055bce6d1d7ec2098ae865b59e05367cdc0004d639a4b84b1d8aade801c6805ef447d711c1dc263692f495b17e162009fd9ff32dfd59aa807793e957dd

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
10.1MB

MD5
82f43f111041fcdb7df2c242aa1005ec

SHA1
958d9377e41c565205078940bbf0afe39767b414

SHA256
be50dab6250a7ee2dce67e78837fda503e680b739bcde9dc9372ad1631e101aa

SHA512
347095055bce6d1d7ec2098ae865b59e05367cdc0004d639a4b84b1d8aade801c6805ef447d711c1dc263692f495b17e162009fd9ff32dfd59aa807793e957dd

Download Submit
\Users\Admin\AppData\Roaming\svhost.exe

Filesize
10.1MB

MD5
82f43f111041fcdb7df2c242aa1005ec

SHA1
958d9377e41c565205078940bbf0afe39767b414

SHA256
be50dab6250a7ee2dce67e78837fda503e680b739bcde9dc9372ad1631e101aa

SHA512
347095055bce6d1d7ec2098ae865b59e05367cdc0004d639a4b84b1d8aade801c6805ef447d711c1dc263692f495b17e162009fd9ff32dfd59aa807793e957dd

Download Submit
memory/272-81-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/272-80-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/272-79-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/272-77-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/272-76-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/272-85-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/272-87-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/968-71-0x00000000000C0000-0x00000000000D8000-memory.dmp

Filesize
96KB

Download
memory/968-74-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/1788-54-0x00000000011B0000-0x0000000001BD4000-memory.dmp

Filesize
10.1MB

Download
memory/1788-55-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/1968-66-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/1968-64-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/1968-63-0x00000000011D0000-0x00000000011E8000-memory.dmp

Filesize
96KB

Download
memory/2028-58-0x0000000075DB1000-0x0000000075DB3000-memory.dmp

Filesize
8KB

Download
memory/2028-62-0x0000000073D71000-0x0000000073D73000-memory.dmp

Filesize
8KB

Download