nworm | 729955eb4afcb332b615ee3d1b1cf4148b1c87566dc49ce804c1e1193e28f435

Analysis

max time kernel
74s
max time network
64s
platform
windows7_x64
resource
win7-20220414-en
submitted
22-04-2022 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quick SFV.exe
Size

20.1MB
MD5

123cd9c01676dac4081fbe2d3b6f8fc9
SHA1

455bd5f0741e74b3ba577d120384fa1de59b00ec
SHA256

729955eb4afcb332b615ee3d1b1cf4148b1c87566dc49ce804c1e1193e28f435
SHA512

c18ee8fedbb208d51ed4181705b243b8ed0ff94c52041660e718eb52129de1f080b42cfddc7c9f425f67c39f6808e1a6d457e8c477403f3f111a05e00b158ebf

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

176.122.121.199:80

Mutex

09b217be

Signatures

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm
Executes dropped EXE 5 IoCs

Processes:

Axtn.EXELhivldkpkuxwk.exesvhost.exesvhost.exesvhost.exe

pid process

2028 Axtn.EXE
1968 Lhivldkpkuxwk.exe
968 svhost.exe
1064 svhost.exe
272 svhost.exe
Loads dropped DLL 1 IoCs

Processes:

Lhivldkpkuxwk.exe

pid process

1968 Lhivldkpkuxwk.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

svhost.exe

description pid process target process

PID 968 set thread context of 272 968 svhost.exe svhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2028	Axtn.EXE
1968	Lhivldkpkuxwk.exe
968	svhost.exe
1064	svhost.exe
272	svhost.exe

pid	process
1968	Lhivldkpkuxwk.exe

description	pid	process	target process
PID 968 set thread context of 272	968	svhost.exe	svhost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 31 IoCs

Processes:

Axtn.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Axtn.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Axtn.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Axtn.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	Axtn.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Axtn.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	Axtn.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	Axtn.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg	Axtn.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_Classes\Local Settings	Axtn.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Axtn.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	Axtn.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Axtn.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Axtn.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	Axtn.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Axtn.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Axtn.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Axtn.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Axtn.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Axtn.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	Axtn.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	Axtn.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Axtn.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Axtn.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	Axtn.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	Axtn.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	Axtn.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Axtn.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	Axtn.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	Axtn.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Axtn.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	Axtn.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

chrome.exechrome.exesvhost.exesvhost.exetaskmgr.exe

pid	process
1248	chrome.exe
628	chrome.exe
628	chrome.exe
968	svhost.exe
968	svhost.exe
272	svhost.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Lhivldkpkuxwk.exesvhost.exesvhost.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	1968	Lhivldkpkuxwk.exe
Token: SeDebugPrivilege	968	svhost.exe
Token: SeDebugPrivilege	272	svhost.exe
Token: SeDebugPrivilege	2356	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
628	chrome.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe
2356	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Axtn.EXE

pid process

2028 Axtn.EXE

pid	process
2028	Axtn.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Quick SFV.exeLhivldkpkuxwk.exechrome.exe

description	pid	process	target process
PID 1788 wrote to memory of 2028	1788	Quick SFV.exe	Axtn.EXE
PID 1788 wrote to memory of 2028	1788	Quick SFV.exe	Axtn.EXE
PID 1788 wrote to memory of 2028	1788	Quick SFV.exe	Axtn.EXE
PID 1788 wrote to memory of 2028	1788	Quick SFV.exe	Axtn.EXE
PID 1788 wrote to memory of 1968	1788	Quick SFV.exe	Lhivldkpkuxwk.exe
PID 1788 wrote to memory of 1968	1788	Quick SFV.exe	Lhivldkpkuxwk.exe
PID 1788 wrote to memory of 1968	1788	Quick SFV.exe	Lhivldkpkuxwk.exe
PID 1788 wrote to memory of 1968	1788	Quick SFV.exe	Lhivldkpkuxwk.exe
PID 1968 wrote to memory of 968	1968	Lhivldkpkuxwk.exe	svhost.exe
PID 1968 wrote to memory of 968	1968	Lhivldkpkuxwk.exe	svhost.exe
PID 1968 wrote to memory of 968	1968	Lhivldkpkuxwk.exe	svhost.exe
PID 1968 wrote to memory of 968	1968	Lhivldkpkuxwk.exe	svhost.exe
PID 628 wrote to memory of 1320	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1320	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1320	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1092	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1248	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1248	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1248	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1432	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1432	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1432	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1432	628	chrome.exe	chrome.exe
PID 628 wrote to memory of 1432	628	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Quick SFV.exe
"C:\Users\Admin\AppData\Local\Temp\Quick SFV.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Users\Admin\AppData\Local\Temp\Axtn.EXE
"C:\Users\Admin\AppData\Local\Temp\Axtn.EXE"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Users\Admin\AppData\Local\Temp\Lhivldkpkuxwk.exe
"C:\Users\Admin\AppData\Local\Temp\Lhivldkpkuxwk.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Roaming\svhost.exe
"C:\Users\Admin\AppData\Roaming\svhost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Users\Admin\AppData\Roaming\svhost.exe
"C:\Users\Admin\AppData\Roaming\svhost.exe"
4⤵
- Executes dropped EXE
PID:1064

C:\Users\Admin\AppData\Roaming\svhost.exe
"C:\Users\Admin\AppData\Roaming\svhost.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6b34f50,0x7fef6b34f60,0x7fef6b34f70
2⤵
PID:1320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1128 /prefetch:2
2⤵
PID:1092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1264 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1664 /prefetch:8
2⤵
PID:1432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2104 /prefetch:1
2⤵
PID:2032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2076 /prefetch:1
2⤵
PID:1164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3280 /prefetch:8
2⤵
PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2636 /prefetch:2
2⤵
PID:2056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
2⤵
PID:2100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3588 /prefetch:8
2⤵
PID:2164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3696 /prefetch:8
2⤵
PID:2200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3672 /prefetch:8
2⤵
PID:2208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5297400045361752516,8927221819110358694,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3868 /prefetch:8
2⤵
PID:2216

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Axtn.EXE
Filesize
101KB

MD5
4b1d5ec11b2b5db046233a28dba73b83

SHA1
3a4e464d3602957f3527727ea62876902b451511

SHA256
a6371461da7439f4ef7008ed53331209747cba960b85c70a902d46451247a29c

SHA512
fcd653dbab79dbedca461beb8d01c2a4d0fd061fcfba50ffa12238f338a5ea03e7f0e956a3932d785e453592ce7bb1b8a2f1d88392e336bd94fb94a971450b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lhivldkpkuxwk.exe
Filesize
10.1MB

MD5
82f43f111041fcdb7df2c242aa1005ec

SHA1
958d9377e41c565205078940bbf0afe39767b414

SHA256
be50dab6250a7ee2dce67e78837fda503e680b739bcde9dc9372ad1631e101aa

SHA512
347095055bce6d1d7ec2098ae865b59e05367cdc0004d639a4b84b1d8aade801c6805ef447d711c1dc263692f495b17e162009fd9ff32dfd59aa807793e957dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lhivldkpkuxwk.exe
Filesize
10.1MB

MD5
82f43f111041fcdb7df2c242aa1005ec

SHA1
958d9377e41c565205078940bbf0afe39767b414

SHA256
be50dab6250a7ee2dce67e78837fda503e680b739bcde9dc9372ad1631e101aa

SHA512
347095055bce6d1d7ec2098ae865b59e05367cdc0004d639a4b84b1d8aade801c6805ef447d711c1dc263692f495b17e162009fd9ff32dfd59aa807793e957dd

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe
Filesize
10.1MB

MD5
82f43f111041fcdb7df2c242aa1005ec

SHA1
958d9377e41c565205078940bbf0afe39767b414

SHA256
be50dab6250a7ee2dce67e78837fda503e680b739bcde9dc9372ad1631e101aa

SHA512
347095055bce6d1d7ec2098ae865b59e05367cdc0004d639a4b84b1d8aade801c6805ef447d711c1dc263692f495b17e162009fd9ff32dfd59aa807793e957dd

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe
Filesize
10.1MB

MD5
82f43f111041fcdb7df2c242aa1005ec

SHA1
958d9377e41c565205078940bbf0afe39767b414

SHA256
be50dab6250a7ee2dce67e78837fda503e680b739bcde9dc9372ad1631e101aa

SHA512
347095055bce6d1d7ec2098ae865b59e05367cdc0004d639a4b84b1d8aade801c6805ef447d711c1dc263692f495b17e162009fd9ff32dfd59aa807793e957dd

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe
Filesize
10.1MB

MD5
82f43f111041fcdb7df2c242aa1005ec

SHA1
958d9377e41c565205078940bbf0afe39767b414

SHA256
be50dab6250a7ee2dce67e78837fda503e680b739bcde9dc9372ad1631e101aa

SHA512
347095055bce6d1d7ec2098ae865b59e05367cdc0004d639a4b84b1d8aade801c6805ef447d711c1dc263692f495b17e162009fd9ff32dfd59aa807793e957dd

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe
Filesize
10.1MB

MD5
82f43f111041fcdb7df2c242aa1005ec

SHA1
958d9377e41c565205078940bbf0afe39767b414

SHA256
be50dab6250a7ee2dce67e78837fda503e680b739bcde9dc9372ad1631e101aa

SHA512
347095055bce6d1d7ec2098ae865b59e05367cdc0004d639a4b84b1d8aade801c6805ef447d711c1dc263692f495b17e162009fd9ff32dfd59aa807793e957dd

Download Submit
\??\pipe\crashpad_628_PLMOOWPCGMCZEJPG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\svhost.exe
Filesize
10.1MB

MD5
82f43f111041fcdb7df2c242aa1005ec

SHA1
958d9377e41c565205078940bbf0afe39767b414

SHA256
be50dab6250a7ee2dce67e78837fda503e680b739bcde9dc9372ad1631e101aa

SHA512
347095055bce6d1d7ec2098ae865b59e05367cdc0004d639a4b84b1d8aade801c6805ef447d711c1dc263692f495b17e162009fd9ff32dfd59aa807793e957dd

Download Submit
memory/272-81-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/272-80-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/272-79-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/272-82-0x000000000040605E-mapping.dmp

Download
memory/272-77-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/272-76-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/272-85-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/272-87-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/968-71-0x00000000000C0000-0x00000000000D8000-memory.dmp

Filesize
96KB

Download
memory/968-74-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/968-68-0x0000000000000000-mapping.dmp

Download
memory/1788-54-0x00000000011B0000-0x0000000001BD4000-memory.dmp

Filesize
10.1MB

Download
memory/1788-55-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/1968-66-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/1968-64-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/1968-63-0x00000000011D0000-0x00000000011E8000-memory.dmp

Filesize
96KB

Download
memory/1968-59-0x0000000000000000-mapping.dmp

Download
memory/2028-58-0x0000000075DB1000-0x0000000075DB3000-memory.dmp

Filesize
8KB

Download
memory/2028-62-0x0000000073D71000-0x0000000073D73000-memory.dmp

Filesize
8KB

Download
memory/2028-56-0x0000000000000000-mapping.dmp

Download