5f316cf619f266cad568cef01b6db246556cc6df5d1f70764480e5afb0cfb6cb

Analysis

max time kernel
77s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14/04/2023, 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Noil.exe
Size

75KB
MD5

270aca061222d321f75a55f6101effdf
SHA1

59a05a423b281731925d48eed64bd085e5160415
SHA256

5f316cf619f266cad568cef01b6db246556cc6df5d1f70764480e5afb0cfb6cb
SHA512

2de8330e978d32a0280018cba390d5b48893bca99cbfbf37ee3a57ddd43fd6b391edeb7cadc7019ae302b3c029c071edd336eb06177af160eb9fb3d823d3f759
SSDEEP

1536:zFVe2NtQEYi5qLAgNUnXTIE5YoKbkB9ozdm6c0DnOO+WAqMk:zFUwcmqLNyTYTbkbSZnOO+Bk

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Noil.lnk	Noil.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Noil.lnk	Noil.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Noil = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Noil.exe"	Noil.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
436	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1728	powershell.exe
948	powershell.exe
828	powershell.exe
1100	Noil.exe
1976	chrome.exe
1976	chrome.exe
1100	Noil.exe
1100	Noil.exe
1100	Noil.exe
1100	Noil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1100	Noil.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	828	powershell.exe
Token: SeDebugPrivilege	1100	Noil.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeDebugPrivilege	2928	Noil.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1100	Noil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1728	1100	Noil.exe	28
PID 1100 wrote to memory of 1728	1100	Noil.exe	28
PID 1100 wrote to memory of 1728	1100	Noil.exe	28
PID 1100 wrote to memory of 948	1100	Noil.exe	30
PID 1100 wrote to memory of 948	1100	Noil.exe	30
PID 1100 wrote to memory of 948	1100	Noil.exe	30
PID 1100 wrote to memory of 828	1100	Noil.exe	32
PID 1100 wrote to memory of 828	1100	Noil.exe	32
PID 1100 wrote to memory of 828	1100	Noil.exe	32
PID 1100 wrote to memory of 436	1100	Noil.exe	34
PID 1100 wrote to memory of 436	1100	Noil.exe	34
PID 1100 wrote to memory of 436	1100	Noil.exe	34
PID 1976 wrote to memory of 1972	1976	chrome.exe	37
PID 1976 wrote to memory of 1972	1976	chrome.exe	37
PID 1976 wrote to memory of 1972	1976	chrome.exe	37
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1348	1976	chrome.exe	38
PID 1976 wrote to memory of 1364	1976	chrome.exe	39
PID 1976 wrote to memory of 1364	1976	chrome.exe	39
PID 1976 wrote to memory of 1364	1976	chrome.exe	39
PID 1976 wrote to memory of 1064	1976	chrome.exe	40
PID 1976 wrote to memory of 1064	1976	chrome.exe	40
PID 1976 wrote to memory of 1064	1976	chrome.exe	40
PID 1976 wrote to memory of 1064	1976	chrome.exe	40
PID 1976 wrote to memory of 1064	1976	chrome.exe	40
PID 1976 wrote to memory of 1064	1976	chrome.exe	40
PID 1976 wrote to memory of 1064	1976	chrome.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Noil.exe
"C:\Users\Admin\AppData\Local\Temp\Noil.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Noil.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Noil.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Noil.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:828
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Noil" /tr "C:\Users\Admin\AppData\Local\Temp\Noil.exe"
  2⤵
  - Creates scheduled task(s)
  PID:436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2609758,0x7fef2609768,0x7fef2609778
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1328,i,8771134553109181044,11669460214791120479,131072 /prefetch:2
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1560 --field-trial-handle=1328,i,8771134553109181044,11669460214791120479,131072 /prefetch:8
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1680 --field-trial-handle=1328,i,8771134553109181044,11669460214791120479,131072 /prefetch:8
  2⤵
  PID:1064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2348 --field-trial-handle=1328,i,8771134553109181044,11669460214791120479,131072 /prefetch:1
  2⤵
  PID:704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2316 --field-trial-handle=1328,i,8771134553109181044,11669460214791120479,131072 /prefetch:1
  2⤵
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1180 --field-trial-handle=1328,i,8771134553109181044,11669460214791120479,131072 /prefetch:2
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1348 --field-trial-handle=1328,i,8771134553109181044,11669460214791120479,131072 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3760 --field-trial-handle=1328,i,8771134553109181044,11669460214791120479,131072 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3908 --field-trial-handle=1328,i,8771134553109181044,11669460214791120479,131072 /prefetch:8
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2328 --field-trial-handle=1328,i,8771134553109181044,11669460214791120479,131072 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2768 --field-trial-handle=1328,i,8771134553109181044,11669460214791120479,131072 /prefetch:8
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4316 --field-trial-handle=1328,i,8771134553109181044,11669460214791120479,131072 /prefetch:8
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2684 --field-trial-handle=1328,i,8771134553109181044,11669460214791120479,131072 /prefetch:8
  2⤵
  PID:2424

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1228

C:\Windows\system32\taskeng.exe
taskeng.exe {90FB1F7F-3E67-46C8-80D2-CE466DEEA14F} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]
1⤵
PID:2888
- C:\Users\Admin\AppData\Local\Temp\Noil.exe
  C:\Users\Admin\AppData\Local\Temp\Noil.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Users\Admin\AppData\Local\Temp\Noil.exe
  C:\Users\Admin\AppData\Local\Temp\Noil.exe
  2⤵
  PID:2224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\01398814-d08b-49f3-9c3c-16d89377f840.tmp

Filesize
4KB

MD5
d0379fac9402e115a6b6cec454060b11

SHA1
021b0062eb5b373ea8c652a446cc06b5d67a4242

SHA256
6e37d0144dc581582344e67160cede148d894d4f1e562972b479e6d3a060fd62

SHA512
360900643156f23ed9f5b3a5332ef253d74f4b5e5c53f21f10563f5419133c8af5cd35fb9e9ff3165c60e2a0dabd4a9a97c713a14c7314076a1116b56549bcf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT~RF6ddbcf.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
612baeff457e915746b30fb71c2bddab

SHA1
c59e6f0c18ac4b8bed908e7b7c36e0ee6c88ac07

SHA256
eb27c35292f25465cc32b9d70ad220d551696b8775f519e8a536a8ff47e07529

SHA512
310e2812ef7dd5092082cfb403e751e80578854327596799cea12915b1419908a2b9fb4ae367d1741c8a45f5ef121668f278fd22f3f5413948eb825f4f19effa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
b1e5d8a98527e8d8e368beea0d347451

SHA1
116e8c520c9f77106235b86373be5b51f2c48e91

SHA256
318f3d7004504a28770ff36d915a41c99670e72438aaba7cdfe58578cdf74071

SHA512
4058e8b03e7cabf2d3c803459c8d1f1b06fa7bff3effa52e345bcb9cb28fdad7d15a19ec18a778e8d553fcf544702b570e2968c41fc582251065898eaf353813

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
57760b10f7375a5e0109af51b0becbf1

SHA1
95ccc0d9bcd322698f5f9fb87227f352d3833cd0

SHA256
73278a834f916ac5ad22d77bf097c10135d21508b08e01baf5a22b1cea8960c2

SHA512
73e0c54774878207bfa790f96ca8e1a400ba1c225ac34d9f7a8080d0c7651adfd8b8a5470e5ba9da8806f42ba8f53815e530b69dc126a9667beb9bd57013d935

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8ab8b832aa0b57b0c1a7b2652332392f

SHA1
7f995d6fb0092c3db80c8b80030c79ca725c9d53

SHA256
9318111d73e4bad4a50d4b771f8fb6cf1c4456592bc68cdc3969c953b7f9150e

SHA512
33704f80043d799017fddc07ed0dea6ef5df7e7c7339fb5b37fd486a80feb07c8fb3aa851ab3d8a820945d586515292c2961a719e0d33ed39f1b2b43b3136411

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8ab8b832aa0b57b0c1a7b2652332392f

SHA1
7f995d6fb0092c3db80c8b80030c79ca725c9d53

SHA256
9318111d73e4bad4a50d4b771f8fb6cf1c4456592bc68cdc3969c953b7f9150e

SHA512
33704f80043d799017fddc07ed0dea6ef5df7e7c7339fb5b37fd486a80feb07c8fb3aa851ab3d8a820945d586515292c2961a719e0d33ed39f1b2b43b3136411

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\THSQAVQTTDT47WASCOK8.temp

Filesize
7KB

MD5
8ab8b832aa0b57b0c1a7b2652332392f

SHA1
7f995d6fb0092c3db80c8b80030c79ca725c9d53

SHA256
9318111d73e4bad4a50d4b771f8fb6cf1c4456592bc68cdc3969c953b7f9150e

SHA512
33704f80043d799017fddc07ed0dea6ef5df7e7c7339fb5b37fd486a80feb07c8fb3aa851ab3d8a820945d586515292c2961a719e0d33ed39f1b2b43b3136411

Download Submit
memory/828-80-0x00000000029B4000-0x00000000029B7000-memory.dmp

Filesize
12KB

Download
memory/828-81-0x00000000029BB000-0x00000000029F2000-memory.dmp

Filesize
220KB

Download
memory/948-69-0x000000001B250000-0x000000001B532000-memory.dmp

Filesize
2.9MB

Download
memory/948-71-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/948-74-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/948-73-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/948-70-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/948-72-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/1100-85-0x000000001B250000-0x000000001B2D0000-memory.dmp

Filesize
512KB

Download
memory/1100-54-0x00000000012F0000-0x000000000130A000-memory.dmp

Filesize
104KB

Download
memory/1100-55-0x000000001B250000-0x000000001B2D0000-memory.dmp

Filesize
512KB

Download
memory/1728-63-0x000000000235B000-0x0000000002392000-memory.dmp

Filesize
220KB

Download
memory/1728-62-0x0000000002354000-0x0000000002357000-memory.dmp

Filesize
12KB

Download
memory/1728-61-0x0000000002550000-0x0000000002558000-memory.dmp

Filesize
32KB

Download
memory/1728-60-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download