umbral | hxxps://mega[.]nz/file/tCVmhBgS#AHKluC1LX_nq0q4yTOoRgDw4Wuuwj38s6Z592mNfFA8

Analysis

max time kernel
57s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-03-2024 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/tCVmhBgS#AHKluC1LX_nq0q4yTOoRgDw4Wuuwj38s6Z592mNfFA8

Score

10^/10

umbral xworm persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:7000

Attributes

Install_directory
%LocalAppData%
install_file
Cracked.exe

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023288-232.dat	family_umbral
behavioral1/memory/2876-240-0x000002C975580000-0x000002C9755C0000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0004000000023006-209.dat	family_xworm
behavioral1/memory/3348-217-0x0000000000CB0000-0x0000000000CC8000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cracked.lnk	Bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cracked.lnk	Bin.exe

Executes dropped EXE 6 IoCs

pid	Process
3348	Bin.exe
2876	Cracked.exe
2064	Cracked.exe
4436	Cracked.exe
3168	Bin.exe
2480	Cracked.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cracked = "C:\\Users\\Admin\\AppData\\Local\\Cracked.exe"	Bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133537939224325221"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4088	7zFM.exe
4088	7zFM.exe
4088	7zFM.exe
4088	7zFM.exe
4088	7zFM.exe
4088	7zFM.exe
4088	7zFM.exe
4088	7zFM.exe
4088	7zFM.exe
4088	7zFM.exe
4088	7zFM.exe
4088	7zFM.exe
4088	7zFM.exe
4088	7zFM.exe
4088	7zFM.exe
4088	7zFM.exe
3348	Bin.exe
3348	Bin.exe
3348	Bin.exe
3348	Bin.exe
3348	Bin.exe
3348	Bin.exe
3348	Bin.exe
3348	Bin.exe
3348	Bin.exe
3348	Bin.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4088	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4984	chrome.exe
4984	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: 33	4764	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4764	AUDIODG.EXE
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeRestorePrivilege	4088	7zFM.exe
Token: 35	4088	7zFM.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeSecurityPrivilege	4088	7zFM.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeSecurityPrivilege	4088	7zFM.exe
Token: SeDebugPrivilege	3348	Bin.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeSecurityPrivilege	4088	7zFM.exe
Token: SeDebugPrivilege	2876	Cracked.exe
Token: SeSecurityPrivilege	4088	7zFM.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4088	7zFM.exe
4088	7zFM.exe
4088	7zFM.exe
4088	7zFM.exe
4088	7zFM.exe
4088	7zFM.exe
4984	chrome.exe
4088	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3348	Bin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 4860	4984	chrome.exe	87
PID 4984 wrote to memory of 4860	4984	chrome.exe	87
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 4440	4984	chrome.exe	90
PID 4984 wrote to memory of 2596	4984	chrome.exe	91
PID 4984 wrote to memory of 2596	4984	chrome.exe	91
PID 4984 wrote to memory of 948	4984	chrome.exe	92
PID 4984 wrote to memory of 948	4984	chrome.exe	92
PID 4984 wrote to memory of 948	4984	chrome.exe	92
PID 4984 wrote to memory of 948	4984	chrome.exe	92
PID 4984 wrote to memory of 948	4984	chrome.exe	92
PID 4984 wrote to memory of 948	4984	chrome.exe	92
PID 4984 wrote to memory of 948	4984	chrome.exe	92
PID 4984 wrote to memory of 948	4984	chrome.exe	92
PID 4984 wrote to memory of 948	4984	chrome.exe	92
PID 4984 wrote to memory of 948	4984	chrome.exe	92
PID 4984 wrote to memory of 948	4984	chrome.exe	92
PID 4984 wrote to memory of 948	4984	chrome.exe	92
PID 4984 wrote to memory of 948	4984	chrome.exe	92
PID 4984 wrote to memory of 948	4984	chrome.exe	92
PID 4984 wrote to memory of 948	4984	chrome.exe	92
PID 4984 wrote to memory of 948	4984	chrome.exe	92
PID 4984 wrote to memory of 948	4984	chrome.exe	92
PID 4984 wrote to memory of 948	4984	chrome.exe	92
PID 4984 wrote to memory of 948	4984	chrome.exe	92
PID 4984 wrote to memory of 948	4984	chrome.exe	92
PID 4984 wrote to memory of 948	4984	chrome.exe	92
PID 4984 wrote to memory of 948	4984	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/tCVmhBgS#AHKluC1LX_nq0q4yTOoRgDw4Wuuwj38s6Z592mNfFA8
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbccc9758,0x7ffbbccc9768,0x7ffbbccc9778
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1872,i,12847433056345796226,2664132227156365195,131072 /prefetch:2
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1872,i,12847433056345796226,2664132227156365195,131072 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1872,i,12847433056345796226,2664132227156365195,131072 /prefetch:8
  2⤵
  PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1872,i,12847433056345796226,2664132227156365195,131072 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1872,i,12847433056345796226,2664132227156365195,131072 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1872,i,12847433056345796226,2664132227156365195,131072 /prefetch:8
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1872,i,12847433056345796226,2664132227156365195,131072 /prefetch:8
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3852 --field-trial-handle=1872,i,12847433056345796226,2664132227156365195,131072 /prefetch:8
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 --field-trial-handle=1872,i,12847433056345796226,2664132227156365195,131072 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Crack -- susano.rar"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zO8FFEFF97\Susano.bat" "
    3⤵
    PID:3292
- - C:\Users\Admin\AppData\Local\Temp\7zO8FF001E7\Bin.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8FF001E7\Bin.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3348
- - C:\Users\Admin\AppData\Local\Temp\7zO8FF1CBE7\Cracked.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8FF1CBE7\Cracked.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:3292
- - C:\Users\Admin\AppData\Local\Temp\7zO8FF39DE7\Cracked.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8FF39DE7\Cracked.exe"
    3⤵
    - Executes dropped EXE
    PID:2064
- - C:\Users\Admin\AppData\Local\Temp\7zO8FFB5FE7\Cracked.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8FFB5FE7\Cracked.exe"
    3⤵
    - Executes dropped EXE
    PID:4436

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4568

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x314 0x2c0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Crack -- susano\Susano.bat" "
1⤵
PID:2840
- C:\Users\Admin\Desktop\Crack -- susano\Bin\Bin.exe
  Bin.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Users\Admin\Desktop\Crack -- susano\Bin\Cracked.exe
  Cracked.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
28c3af2591134330535e8c2c5e183c05

SHA1
da4def833c573772e858b0af64602d45b1f4c855

SHA256
50b8d109edbe8f2d9159387740c3c7f4d4818cde1c6376f1aed20531f130be83

SHA512
1eca6074226ab63c4630954df8591a66e7b03d136daa325f2a1708c87a7846216698e88757bb4e467a5959b1ce04c7728ae813d01509e730e78d702bf97bfde6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f4e09df23409329fa82ce362eec0fcd6

SHA1
cb638ef50d63b93c8a6b96304bef5b197de19b48

SHA256
ea57a231dd9d3baab789aa29b0ddda16001fe58bad49b43e29fd8203170cdeb6

SHA512
71b94ad8d8a55ff7d8663005cf1cd796e1c36f0444c77774544922c78b90e5ffa920504afa79f9384f275f64761c821c0880f510ec4b55b389fdf3ac5908836d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
bb76ae5d28f332b8b7371fc0fb3dcc40

SHA1
8f5ac8ca85d7e034593acc80bf7b602c037801be

SHA256
601f166035620a34e3fe0abacd15fce5d08cba78df6493d7677e8719df3a7ba0

SHA512
020d078d4627d6511633254a0ebdd20d8e66318ac31c90c009b6893d54250f4d9ee74cba01231c99561a86d1cd336da68ec704ee2b50e580fd12ba0be9ff5157

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
079aaaa595f43de7b41b1f3f779a3e58

SHA1
9773d4a336bc8c7e1aefa9e2a20275e73370fd5d

SHA256
5da14395f4fe7d8d218a1621f5aa17c7c763786e0dd9d4e87623cdc045c16d0d

SHA512
da84d9f6a33d9838427ed1a1d1c564b1c76fe739202194f3aed838095aab76b31061dbc35896e7b76a1b9b25b564d99af056f2f5895f02d828be9dad6db6ce06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
12ccf0f38a5880d72c6508bf6239aeec

SHA1
2e7783c43b02748a6919eb1a8571c612ec37e567

SHA256
4c4fee293e04cd324ffe00f8d2e3b06159dc799d7797ba1ffcb4cf975596e5b0

SHA512
1e70dcd857d806d1bf6d2e16d992a00b4310e78ae4c43bbd69797db86260476e0ffa551e5f9217c86ffed5bc7cccdcaf882bf872427d9cb38cc7beee3c456523

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f82e85431372ce70d8586d00f4f9fc0c

SHA1
49e3c8f5a4026a43c32beb7af167b2a0d21368f5

SHA256
8cdba2445746f1a4f5021f9a66a7d0604f2db4c4182bc5a1b0e2dac151d4ee98

SHA512
16f4c5a0ecc3754b7cfd4ec385e5a47b4f0c702ff86b5e7e9ad16f076745dd2d4d6f185dea37ed56b73e515c19b4dd1f73d36914139a1ae8659a4bfeea9f4b09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
0dafc8968eb43161be2083953429f034

SHA1
e4c1384d9ce290cf2d921ddbe8f9755df2b1e046

SHA256
44583e4c9d44248c4555226e5fa0c1d599f1f8eb8566fe58715890413bab60d5

SHA512
39831dd0e358747f96c9e7bbf01f900c8d99d83f2f187cb5139a6921b9cdd9ce304466f2739cdb3878302361fd7d42b023425ba605e41f34b949b533bd7a3499

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d11b.TMP

Filesize
48B

MD5
8b4490b0da01d0e5d54e8090b2ea5dbb

SHA1
dc3604bd379556041ca80eda1f339dcf25c1b596

SHA256
246182f9d01980ec4751369dc1e24bbd4465bf0b57e4f2eae25104ac428f001b

SHA512
d1b95bfd21c8c0b20e1d097f8152c0f5a23951a7d62b0b35696d091159c80cc94928dd151ead572fdf9cbc577623c94f515d7b72ac2b963d8f76cee737f30e8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
036a5606214363789f5a34d6d09438c9

SHA1
98a44ac34b46d477296cae2fea10f723c65e533b

SHA256
2f764cec98da54da653e0579aaa2c313b250fb7693f7453d412910553b01ef23

SHA512
3723989733e2eae144c73700ee119156507a74952ef167e03d743dfd22d01cc30385f179391a9374ba95b1464d638b2a7f5d52bc44b28c9f98ed494ef619f52c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
0845475f9379260589a89ddef600276c

SHA1
30ac17d2c725e73ed2e41cfd63a3c104a80fd56a

SHA256
ab54172d236fc1394bdef9852b257ca446d307b25d096beb746cbf8c6d5699fa

SHA512
a27985c64598d5940a8bc01a65d6cb192a4dc0979820b9a96934c3fad854833a0d3aea11b126aca1ba744eeb3bf84fb7b2cc554773f3ea799ab3be2a34d64324

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Cracked.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8FF001E7\Bin.exe

Filesize
68KB

MD5
0743e04a03acc5c72f3b4c8ae6dbf6dc

SHA1
99d6c8227c395fdd08e8cb02dd00872bac822e86

SHA256
c6d38dc41979db7aadf805405a523168b07aa84c8c0b937013da610114be1262

SHA512
ad6e4cd5bbeb092bd5f64be5fed6f80f60e8841a6a88ff9f2b0b0ee2fd2bd75ffd0a7c3f106c38e89721eed8c3a6eb9a6b757a91bccb2e9361c260bbcac5bbdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8FF1CBE7\Cracked.exe

Filesize
231KB

MD5
4c31a97d031ffe90e9d9ed9c4738c5ed

SHA1
0e7afe20c73d8e8b2e3a8f0511693c8b690871d8

SHA256
15be6199cd8f78fa9aa824c3b92f34e9106c51c46151b7b618ecb25f596e2285

SHA512
5ba09cde704a92a45b866553a400ed5dda92fa15dee3fbcb8701b4e59933e8a7475ab9304f62542d3011780980ba4dfd3fb9ce348c77bacea8470f88669cac3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8FFEFF97\Susano.bat

Filesize
101B

MD5
171c929216e8850e2fdb248af59ca030

SHA1
10fedbe62776b1c6cfdd7d33a72d64d0064272bb

SHA256
7602815d019d05d657c783811123e4599b589fd04db3eb058b9a42a237b8e700

SHA512
46835acce0b8fe9b3905345dcf6ea37bdc390d0aa1867c138586c4f2e9597a2c60d89490a114dfed8d338c399304faf13ec472cf5661b9468912d91d57689771

Download Submit
C:\Users\Admin\Downloads\Crack -- susano.rar

Filesize
123KB

MD5
d3156625bbdfb0edb4aaf5eda008d74f

SHA1
8e751903075b17d2944a15e384c33bc0f9793e12

SHA256
927b18541188d5a979ea20506759b772d9f10846a8674e342dd0bd5f1a5e27d1

SHA512
7f2df8b28f741b383fe7ad9fe70e121dc357f60b53ac8ccf245cc1c6f704efc4b2d4c77dc1ca76545d56ae0711c84256d13733af851a619355ef9ed76de32181

Download Submit
memory/2064-399-0x00007FFBA8E50000-0x00007FFBA9911000-memory.dmp

Filesize
10.8MB

Download
memory/2064-256-0x00007FFBA8E50000-0x00007FFBA9911000-memory.dmp

Filesize
10.8MB

Download
memory/2480-401-0x00007FFBA8E50000-0x00007FFBA9911000-memory.dmp

Filesize
10.8MB

Download
memory/2480-400-0x00007FFBA8E50000-0x00007FFBA9911000-memory.dmp

Filesize
10.8MB

Download
memory/2480-398-0x000001B3FC8D0000-0x000001B3FC8E0000-memory.dmp

Filesize
64KB

Download
memory/2876-242-0x000002C977E00000-0x000002C977E10000-memory.dmp

Filesize
64KB

Download
memory/2876-272-0x00007FFBA8E50000-0x00007FFBA9911000-memory.dmp

Filesize
10.8MB

Download
memory/2876-241-0x00007FFBA8E50000-0x00007FFBA9911000-memory.dmp

Filesize
10.8MB

Download
memory/2876-240-0x000002C975580000-0x000002C9755C0000-memory.dmp

Filesize
256KB

Download
memory/3168-397-0x00007FFBA8E50000-0x00007FFBA9911000-memory.dmp

Filesize
10.8MB

Download
memory/3168-403-0x00007FFBA8E50000-0x00007FFBA9911000-memory.dmp

Filesize
10.8MB

Download
memory/3348-381-0x00007FFBA8E50000-0x00007FFBA9911000-memory.dmp

Filesize
10.8MB

Download
memory/3348-217-0x0000000000CB0000-0x0000000000CC8000-memory.dmp

Filesize
96KB

Download
memory/3348-227-0x00007FFBA8E50000-0x00007FFBA9911000-memory.dmp

Filesize
10.8MB

Download
memory/4436-270-0x00007FFBA8E50000-0x00007FFBA9911000-memory.dmp

Filesize
10.8MB

Download
memory/4436-404-0x00007FFBA8E50000-0x00007FFBA9911000-memory.dmp

Filesize
10.8MB

Download