f5f14b9073f86da926a8ed319b3289b893442414d1511e45177f6915fb4e5478

Analysis

max time kernel
1178s
max time network
1180s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
26-04-2024 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TempSpoofer.exe
Size

490KB
MD5

9c9245810bad661af3d6efec543d34fd
SHA1

93e4f301156d120a87fe2c4be3aaa28b9dfd1a8d
SHA256

f5f14b9073f86da926a8ed319b3289b893442414d1511e45177f6915fb4e5478
SHA512

90d9593595511e722b733a13c53d2e69a1adc9c79b3349350deead2c1cdfed615921fb503597950070e9055f6df74bb64ccd94a60d7716822aa632699c70b767
SSDEEP

6144:3PkcFUUUQHs5TlOhDuy4VjmSO6/tU4j06xeJyCjvhsXZ4m05d0qCsfBLuWWCV/rr:3McWUUysz/NhKjJPhM4/5bV/rvgE3

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 5 IoCs

Processes:

chrome.exeUserOOBEBroker.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXEchrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133586419800863372"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

2424 POWERPNT.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4636 chrome.exe
4636 chrome.exe
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
680
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

4636 chrome.exe
4636 chrome.exe
4636 chrome.exe
4636 chrome.exe
4636 chrome.exe
4636 chrome.exe

pid	process
2424	POWERPNT.EXE

pid
4
4
4
4
4
680

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	process
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

POWERPNT.EXE

pid process

2424 POWERPNT.EXE
2424 POWERPNT.EXE
2424 POWERPNT.EXE
2424 POWERPNT.EXE

pid	process
2424	POWERPNT.EXE
2424	POWERPNT.EXE
2424	POWERPNT.EXE
2424	POWERPNT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4636 wrote to memory of 400	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 400	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1172	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 4916	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 4916	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2008	4636	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\TempSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\TempSpoofer.exe"
1⤵
PID:4184

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\StepUse.odp" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2424

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffe6ab7cc40,0x7ffe6ab7cc4c,0x7ffe6ab7cc58
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1780,i,9917735626809441699,1406113317162913035,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1776 /prefetch:2
  2⤵
  PID:1172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,9917735626809441699,1406113317162913035,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,9917735626809441699,1406113317162913035,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2240 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,9917735626809441699,1406113317162913035,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,9917735626809441699,1406113317162913035,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3580,i,9917735626809441699,1406113317162913035,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4692,i,9917735626809441699,1406113317162913035,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4704 /prefetch:8
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5096,i,9917735626809441699,1406113317162913035,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4612,i,9917735626809441699,1406113317162913035,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3424,i,9917735626809441699,1406113317162913035,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:4288

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:2080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2712

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3768

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
37ad7a962e6abc1ce81f27d7ba3f0aed

SHA1
25c403ca3decb6322322813b94364c894375aa8d

SHA256
c3497e85b340cee51d1a29b11da3e52d685830d86a497767a5a3ccbb7fbc326e

SHA512
ece178f396ead8eb96052d464d14c05f6fd6cefa372b2717b2d6b1e8d5e8cf409341cea9d84d7357a3f62ae87fc0b4feaadc217ba26eb09744c5cba543183d31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
07de54ee585f403a8801e02263296d24

SHA1
23dc8516b0af00dc29c2726f2b64fca138d8a878

SHA256
2f99e4e09157d9f648264af5a71464b715f20ccd6330262e697600fc05a3c2e2

SHA512
fb4cb8bb53731dfcbb52e72fe931fe54f5f8605e62c0ddbc1446a6d121a463bace565e7c0cfa89d938044d0dffefb813d5b247b79332daacae8b826a47bb1c93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4883b0dce2d6caba8ca8b2193f78e85c

SHA1
3b869197dbf6ae483ddc8b705ba744e24928cfe2

SHA256
b1e8aca5b33369092d06c0e4d53e0bd6e579a97516abef24e0bc114cb00e69c2

SHA512
e3102fb822a8072e647ab201cef375a0620a1bd18046baba49e345966ba824e6d4c18d8970e9ec9c3d48f0c14a85059ee61849343d1d52826290da58cc25c7e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3f828a2022858ec0a2d711e993e4f8f9

SHA1
0d4ddc59551ddffd8a8ec1ddef89a0d266bd6129

SHA256
7a239ef6137ffef6ee5ceaec8880a467d01ca5b6f2880cfdadfb9b46ae8e88ec

SHA512
471b6630f6647e908e0ca3f96ecfe281df4ebd8daaacb8754c55f6ce868d13070c7d06aa9841447a43eb780f3d7ee5b6e92e18568816c900c611b97812a709d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
defcee6b517e4ccbcc7160a9eaa67e0a

SHA1
fd028c5bc50c0559f28c026214464bb65884cc44

SHA256
b8a64fab1b2ed8963b57363cbd6a48751a2db77641abd6f0848f01c6ffc2ab25

SHA512
5cff1d130585ac69a2d0ba800233655c7951f701c2b747c2da92ef6cff3bda36a7d945879be10918dcc3cf63238d94cc0106ce6180cc0d670ae7a669656f98be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a013d66a-3f80-4f1a-a3bc-ba310e5b3371.tmp

Filesize
9KB

MD5
54f1b881e854c0f138ca177357824b14

SHA1
6151569cfb719bfd268572cb845ecfc9f429493f

SHA256
a4e38f929941c3188f0a31ab460fb8f6ccfe4faa4ced4cfa16749f692cd2ee18

SHA512
bfde951e841abbe298c32a86515af14a8d7700a563d988edfc6cdb21c8190234234f99a490b792ffc982d7c6644fdc56c4a116d202c15e0ad649cd4f0f0e2e65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
afeece6dd9b84ee42f9fd6454a850a13

SHA1
3290d6b0e1e9094921c20d4aa6f06f04c934fcc0

SHA256
ea2152e9aea4bac330965cdcd9f593b5b7b14baef747408abb2bf32654510727

SHA512
83d63347aa2118e787b7279bce304de07a3e5449dc05f9fc5c535c06cd77b6f004d2966b7ee660bac02f9ee34297ee73a9cf23bcd3d3f2bcab078a340d0f77a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
b751dfddc4a0b742d978ff80686a5ec1

SHA1
cbedce849036cdb30d5a194ec7dc29f35accba75

SHA256
76cf9ab0f6fec7cdd2d4d0e91f706c50b0679d0679046e5b29c3fe6cd2f53241

SHA512
7e447d487b95dd4b63e38ec21db2f490a833d19e988a86eb897c9eb66f7b327430c221d4e222354cd03870405d46db16e3e854e13c233f110718c2a4347a01b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
5d0eafc495d07a7342619aa718d9a7ff

SHA1
1b1257a2ef958fc87c379e47bb10f27eb6a0c14e

SHA256
b2b9305fc883029b828ef4dda022b6efaa6b4c7a4b2a2166c28517f556cb9174

SHA512
02727f96e3488ebf701ad1eea794f8f625ea78971eb54a12ffb69c61e09792d10272e22f198719cf59f136f9c003a0b0dd98e3be2af3fdb758e182a41c59e41d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
520b10c1d23f0ed69c0e92aa35886d1d

SHA1
0dfdd8cfd0b96e5a7bcddc9f64379cf66aeea22d

SHA256
c73f96d84e1444a29958344fe9d2d15135687da6bd8e44280166e43760752677

SHA512
09ef41ba7713de1333561b682542d0f9ce8b531cd00f2b7b30d66b53a18d245038bf51924cb2da647d156df14632a03766c7a7d9232c92120d949ba454787ebf

Download Submit
\??\pipe\crashpad_4636_YRRRDMJAWPKMJAHB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2424-33-0x00007FFE8BF00000-0x00007FFE8C109000-memory.dmp

Filesize
2.0MB

Download
memory/2424-30-0x00007FFE8BF00000-0x00007FFE8C109000-memory.dmp

Filesize
2.0MB

Download
memory/2424-18-0x00007FFE4BF90000-0x00007FFE4BFA0000-memory.dmp

Filesize
64KB

Download
memory/2424-20-0x00007FFE4BF90000-0x00007FFE4BFA0000-memory.dmp

Filesize
64KB

Download
memory/2424-19-0x00007FFE4BF90000-0x00007FFE4BFA0000-memory.dmp

Filesize
64KB

Download
memory/2424-21-0x00007FFE4BF90000-0x00007FFE4BFA0000-memory.dmp

Filesize
64KB

Download
memory/2424-22-0x00007FFE8BF00000-0x00007FFE8C109000-memory.dmp

Filesize
2.0MB

Download
memory/2424-23-0x00007FFE8BF00000-0x00007FFE8C109000-memory.dmp

Filesize
2.0MB

Download
memory/2424-26-0x00007FFE8BF00000-0x00007FFE8C109000-memory.dmp

Filesize
2.0MB

Download
memory/2424-25-0x00007FFE8BF00000-0x00007FFE8C109000-memory.dmp

Filesize
2.0MB

Download
memory/2424-24-0x00007FFE8BF00000-0x00007FFE8C109000-memory.dmp

Filesize
2.0MB

Download
memory/2424-27-0x00007FFE49D70000-0x00007FFE49D80000-memory.dmp

Filesize
64KB

Download
memory/2424-31-0x00007FFE8BF00000-0x00007FFE8C109000-memory.dmp

Filesize
2.0MB

Download
memory/2424-32-0x00007FFE49D70000-0x00007FFE49D80000-memory.dmp

Filesize
64KB

Download
memory/2424-44-0x00007FFE8A1B0000-0x00007FFE8A26D000-memory.dmp

Filesize
756KB

Download
memory/2424-36-0x00007FFE8BF00000-0x00007FFE8C109000-memory.dmp

Filesize
2.0MB

Download
memory/2424-37-0x00007FFE8A1B0000-0x00007FFE8A26D000-memory.dmp

Filesize
756KB

Download
memory/2424-35-0x00007FFE8BF00000-0x00007FFE8C109000-memory.dmp

Filesize
2.0MB

Download
memory/2424-34-0x00007FFE8BF00000-0x00007FFE8C109000-memory.dmp

Filesize
2.0MB

Download
memory/2424-17-0x00007FFE4BF90000-0x00007FFE4BFA0000-memory.dmp

Filesize
64KB

Download
memory/2424-29-0x00007FFE8BF00000-0x00007FFE8C109000-memory.dmp

Filesize
2.0MB

Download
memory/2424-28-0x00007FFE8BF00000-0x00007FFE8C109000-memory.dmp

Filesize
2.0MB

Download
memory/2424-40-0x00007FFE4BF90000-0x00007FFE4BFA0000-memory.dmp

Filesize
64KB

Download
memory/2424-42-0x00007FFE4BF90000-0x00007FFE4BFA0000-memory.dmp

Filesize
64KB

Download
memory/2424-41-0x00007FFE4BF90000-0x00007FFE4BFA0000-memory.dmp

Filesize
64KB

Download
memory/2424-43-0x00007FFE4BF90000-0x00007FFE4BFA0000-memory.dmp

Filesize
64KB

Download
memory/2424-45-0x00007FFE8BF00000-0x00007FFE8C109000-memory.dmp

Filesize
2.0MB

Download
memory/4184-10-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/4184-16-0x00000000011B0000-0x00000000011FB000-memory.dmp

Filesize
300KB

Download
memory/4184-15-0x0000000002D70000-0x0000000002DB0000-memory.dmp

Filesize
256KB

Download
memory/4184-14-0x0000000002D70000-0x0000000002DB0000-memory.dmp

Filesize
256KB

Download
memory/4184-13-0x0000000002D70000-0x0000000002DB0000-memory.dmp

Filesize
256KB

Download
memory/4184-12-0x0000000002D70000-0x0000000002DB0000-memory.dmp

Filesize
256KB

Download
memory/4184-0-0x00000000011B0000-0x00000000011FB000-memory.dmp

Filesize
300KB

Download
memory/4184-11-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/4184-7-0x0000000002D70000-0x0000000002DB0000-memory.dmp

Filesize
256KB

Download
memory/4184-8-0x0000000002D70000-0x0000000002DB0000-memory.dmp

Filesize
256KB

Download
memory/4184-6-0x0000000002D70000-0x0000000002DB0000-memory.dmp

Filesize
256KB

Download
memory/4184-9-0x0000000002D70000-0x0000000002DB0000-memory.dmp

Filesize
256KB

Download
memory/4184-5-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download