c7c9658716d69b50009eb23459c62fa6305a1102f01e197a04cc82fba333290a

Analysis

max time kernel
65s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fatalservices.rar
Size

2.8MB
MD5

ddebc77ef72c95f07d3dc0f0018e1c8e
SHA1

4ab642a7d73885f5702c1a10dfb20bf00c41c683
SHA256

c7c9658716d69b50009eb23459c62fa6305a1102f01e197a04cc82fba333290a
SHA512

92b97782d7dd45cbaa392bbcba97fde3370597d910fb2ac39feccaaa2e85db65c5118b9bc8c82d78b0944213565150491b708c7d4da4769a25af59d880d3bcd8
SSDEEP

49152:eYO6W/JsA0rUfVcFV3X5XB7JaGu2fkNyEoqSvJfQm4SG6qakPlQ39CvNZEFWjYPu:eYO6W/JH8UOFV3pBIX2fkQEeNQQG3Pms

Score

7^/10

agilenet

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Fatalservices.exe

pid process

2568 Fatalservices.exe
Loads dropped DLL 2 IoCs

Processes:

Fatalservices.exe

pid process

2568 Fatalservices.exe
2568 Fatalservices.exe

pid	process
2568	Fatalservices.exe

pid	process
2568	Fatalservices.exe
2568	Fatalservices.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\7zOC1AEEB16\024C2773.dll	agile_net
behavioral1/memory/2568-44-0x0000000005050000-0x00000000052D4000-memory.dmp	agile_net

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

Fatalservices.exe

pid process

2568 Fatalservices.exe
2568 Fatalservices.exe
2568 Fatalservices.exe
2568 Fatalservices.exe
Drops file in Windows directory 1 IoCs

Processes:

Fatalservices.exe

description ioc process

File created C:\Windows\Fonts\Poppins.ttf Fatalservices.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2568	Fatalservices.exe
2568	Fatalservices.exe
2568	Fatalservices.exe
2568	Fatalservices.exe

description	ioc	process
File created	C:\Windows\Fonts\Poppins.ttf	Fatalservices.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

7zFM.exechrome.exe

pid process

2588 7zFM.exe
2588 7zFM.exe
2616 chrome.exe
2616 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

2588 7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exeFatalservices.exechrome.exe

description	pid	process
Token: SeRestorePrivilege	2588	7zFM.exe
Token: 35	2588	7zFM.exe
Token: SeSecurityPrivilege	2588	7zFM.exe
Token: SeDebugPrivilege	2568	Fatalservices.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

7zFM.exechrome.exe

pid	process
2588	7zFM.exe
2588	7zFM.exe
2588	7zFM.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe7zFM.exeFatalservices.execmd.exechrome.exe

description	pid	process	target process
PID 2992 wrote to memory of 2588	2992	cmd.exe	7zFM.exe
PID 2992 wrote to memory of 2588	2992	cmd.exe	7zFM.exe
PID 2992 wrote to memory of 2588	2992	cmd.exe	7zFM.exe
PID 2588 wrote to memory of 2568	2588	7zFM.exe	Fatalservices.exe
PID 2588 wrote to memory of 2568	2588	7zFM.exe	Fatalservices.exe
PID 2588 wrote to memory of 2568	2588	7zFM.exe	Fatalservices.exe
PID 2588 wrote to memory of 2568	2588	7zFM.exe	Fatalservices.exe
PID 2568 wrote to memory of 1792	2568	Fatalservices.exe	cmd.exe
PID 2568 wrote to memory of 1792	2568	Fatalservices.exe	cmd.exe
PID 2568 wrote to memory of 1792	2568	Fatalservices.exe	cmd.exe
PID 2568 wrote to memory of 1792	2568	Fatalservices.exe	cmd.exe
PID 1792 wrote to memory of 2008	1792	cmd.exe	choice.exe
PID 1792 wrote to memory of 2008	1792	cmd.exe	choice.exe
PID 1792 wrote to memory of 2008	1792	cmd.exe	choice.exe
PID 1792 wrote to memory of 2008	1792	cmd.exe	choice.exe
PID 2616 wrote to memory of 2608	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2608	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2608	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 1908	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2300	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2300	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2300	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2772	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2772	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2772	2616	chrome.exe	chrome.exe
PID 2616 wrote to memory of 2772	2616	chrome.exe	chrome.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Fatalservices.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:2992

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Fatalservices.rar"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2588

C:\Users\Admin\AppData\Local\Temp\7zOC1AEEB16\Fatalservices.exe
"C:\Users\Admin\AppData\Local\Temp\7zOC1AEEB16\Fatalservices.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\7zOC1AEEB16\024C2773.dll" /A:H
4⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:2008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7649758,0x7fef7649768,0x7fef7649778
2⤵
PID:2608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1320,i,17609006624633126655,4285707830283537262,131072 /prefetch:2
2⤵
PID:1908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1320,i,17609006624633126655,4285707830283537262,131072 /prefetch:8
2⤵
PID:2300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1320,i,17609006624633126655,4285707830283537262,131072 /prefetch:8
2⤵
PID:2772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2296 --field-trial-handle=1320,i,17609006624633126655,4285707830283537262,131072 /prefetch:1
2⤵
PID:2248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2308 --field-trial-handle=1320,i,17609006624633126655,4285707830283537262,131072 /prefetch:1
2⤵
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1476 --field-trial-handle=1320,i,17609006624633126655,4285707830283537262,131072 /prefetch:2
2⤵
PID:1304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1332 --field-trial-handle=1320,i,17609006624633126655,4285707830283537262,131072 /prefetch:1
2⤵
PID:2844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3416 --field-trial-handle=1320,i,17609006624633126655,4285707830283537262,131072 /prefetch:8
2⤵
PID:1364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3444 --field-trial-handle=1320,i,17609006624633126655,4285707830283537262,131072 /prefetch:8
2⤵
PID:2192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3460 --field-trial-handle=1320,i,17609006624633126655,4285707830283537262,131072 /prefetch:8
2⤵
PID:2940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1044 --field-trial-handle=1320,i,17609006624633126655,4285707830283537262,131072 /prefetch:8
2⤵
PID:1444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=708 --field-trial-handle=1320,i,17609006624633126655,4285707830283537262,131072 /prefetch:8
2⤵
PID:2312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3700 --field-trial-handle=1320,i,17609006624633126655,4285707830283537262,131072 /prefetch:1
2⤵
PID:1736

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1600

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:2536

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2304

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
Filesize
24KB

MD5
1fc15b901524b92722f9ff863f892a2b

SHA1
cfd0a92d2c92614684524739630a35750c0103ec

SHA256
da9a1e371b04099955c3a322baee3aeee1962c8b8dabe559703a7c2699968ef4

SHA512
5cdc691e1be0d28c30819c0245b292d914f0a5beaed3f4fc42ac67ba22834808d66a0bfc663d625274631957c9b7760ada4088309b5941786c794edad1329c75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\61d18351686111ed_0
Filesize
280B

MD5
4b1f787f12c17f6187677774bc585f60

SHA1
91919e39ba6eb96faa67c73840e7090ec690fbd0

SHA256
90b60ffc6b013ae30388dbb247278fa169c6839dd0698a0f7168acda911cc429

SHA512
6aec0d024248359bac4f9ec64a39b41a63413820c0561ba76c758e94349cbb63d3fa1ac2d33aab188f798c24ebf9c4815afa10516ecf7376382f5cafe3c244a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\7dce29eafe45d75b_0
Filesize
19KB

MD5
10b5a053b11e9599a6fdaa20a63857fe

SHA1
a1da7f43fdc59a8c2ec96e94d806e24af747fa50

SHA256
78ae141091cc2ec565aca6f9440873172f278482b7297bf41cdf2421bd3a261b

SHA512
bb15f8ae650a76a493d7e9caf667397e67a58afeef13f3dfae28e805f1505c65f68286a834dd5bed5f96af84d95213561cbd50a3b77b983c96eeb656d54af068

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\e587796468f8e051_0
Filesize
339KB

MD5
bbf7e5c82dc6109e2cbc70a78844d324

SHA1
e1dd911c047408fc043a7791ece91f03e430ce59

SHA256
27099a56a4c04d1d14c5f8494a26571b8e30f0fc447fceb35fdbcabea01d6bb1

SHA512
822d2d835fd703f5a140e0e5b9de58ee0a05feb5df16ac3a90e88ffed3d3c173ac5fddef233b22e95168873017a1a347c567aaccc6d1b77fd0b2e39beb91d3e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\f8aae2cc087fdba3_0
Filesize
289B

MD5
6111fbe30278fc2b5203f0e0ede8cae3

SHA1
48eac6461175aea713a9ddc9afa105ae9fbe84c2

SHA256
7c84bf31489f8f7474780328cfcfa11b4796cb8a56b97b09718001d7663218fc

SHA512
2d70d2f504957bfabec13d526ae2c5d95660091a105a4cff57c97096382b5040510c3c7c0f3570a6e6663ee18623a4d37efe3101c9da923d1123c3a4799db2a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
168B

MD5
37f521bd61a8097e8abcbcb515a7e2af

SHA1
b21b4e21d2b0c7cea20e5fa86e902bed81b7f86b

SHA256
2bcdc352c000bc92eded28d5bd1680a6cb0d9f57424fa10dc429ccb577d695d1

SHA512
fe2a0112cfe191c612a9a59ebd5ffa175620ecb71ed1b531e26546de24231bb9d8ac25994592c9acbd1e9cfb347d4a041ce4a3adcb973ef29cc9e8cc4c14a665

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
361B

MD5
160ed28b7f515c0dcb3df0b02686781b

SHA1
5a3f2916b82cc83fb16f274b44c6e8e22268f1e8

SHA256
eaa0999a9d1392e1408bb9d7d390aa2f2afc2615c882d55d2266c9cea299e7db

SHA512
fba333d5672f863f2a00971c3565c70e4b1c385f5369ada2ec001637ed562b6cf08e5c6bce4cccbf0036b6830a9309ed80bdac18192db206e5eae6aa01291e78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
58e2ff3126ad32037bf1ca56899236bf

SHA1
1059845b5ad2dbdb0f2efcf68f0a3fdad7dc98f4

SHA256
f33b41e9289abcb7c303c0412a826e9aaa6fc2feefa7a6d6e836bbd06de4c0b9

SHA512
1019688d87b905ef6da8e6c78e9d6c97b76d056906ab389f09744e1b5068dbde4ed36c8fcb1ac2147a6cecb4fca2fdf29f705c88c08f14b366359d5397722768

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
8ef350e49ec15f5d106a0f3f30cbc218

SHA1
90abab618dc70cfbde8a20d493af6ff3748b3a04

SHA256
8c9dae315ae6fdc07c4c26bbc456523ecd2420cf8d3d6e4805453e16f4fd82ba

SHA512
457272668c128e78a121a04915540e5695bd2cc30e9238d6f37919325a8728e96138444b4c772543b87baa5700346e0445ee9d53edebc31053b115c606397eef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
31a0f7edb517e5e3024132c6beaf2e53

SHA1
1b04b7b83531482a274106ce9ec467b5659d81cd

SHA256
cc326c81cb885674ec95c6c02f7433dc69ede7b0ca6c00b46926197475ad9433

SHA512
87a57b00d635155155a6c21f2ab276d01129bb767a28fb729c8ba35dad0c298bc1809af582d8b447c0f35dbf15790180536f988445f822563c025f1d06f1e9f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
639a1d469afbe394a21ac31fc631a110

SHA1
396c09255061fa8f174f185928573e55cd66d12a

SHA256
410548a46b60d9d79aa981c7a4a9947f53fcf95841f50e72c4b5899302e06f28

SHA512
887788619514a1bc4c24b18124e3aec97d1161f8a074b5996353e9f23db9ad7c8c6449a00b1bc088f86dd035ed8450a73ee3e0f55e6e139fd7d4f53c1dfe7ec8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
271KB

MD5
3f9a7063bbd1599f9eb64c50d817cd0e

SHA1
fcf85e88c2c91b3f80fe0d9b45c24a9808c7c467

SHA256
5cdd9fa3069b0cc6d047c618f3db5bc83525780b30173d370d5f6aafaeb80230

SHA512
609e2d9031dad34bc462448154545318cc81ab52fc8300e2237e924ea964cad85db1678c7bc86cd5650fc9d85598ae1f8587acb7d676c7cb9e0cca38db709744

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC1AEEB16\Fatalservices.exe
Filesize
3.0MB

MD5
14ea67e7051b9f9bda361795e085f32f

SHA1
0975ced589e1775bd99da9896528a0a80b65dd6a

SHA256
02c0fffb9900ed92f42ab63e2a88f125683b45d518f05d78abd5543b1de52457

SHA512
d18532112792700b4eb29ff2cc6bfa5fd8ea020060272d3be5fb03760066912248794bece73b26eb635b9039d4f2372d76dac15403ba8e0eff0dbff6ed58b084

Download Submit
\??\pipe\crashpad_2616_EUNIEKKEJEVPIKZR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7zOC1AEEB16\024C2773.dll
Filesize
1.2MB

MD5
46f7a7da231bbc610b2fbdc9825116d7

SHA1
c60ec59cd2e24df9ca0ad8dcbf2db91c0d2170c6

SHA256
3eaee0f0a25f8e6f88fea167ff28b079a3b6b46215012dbc862f621f891d03bc

SHA512
267cd2ed2991c17f36743ee4fa714b1be69fbc82b92d4411d84acfdc7c62884af47006d83677745be327115d86167a73826997a69fd53164c3597acb5610ebad

Download Submit
memory/2568-44-0x0000000005050000-0x00000000052D4000-memory.dmp

Filesize
2.5MB

Download
memory/2568-49-0x0000000006000000-0x00000000063D6000-memory.dmp

Filesize
3.8MB

Download
memory/2568-48-0x0000000000540000-0x0000000000546000-memory.dmp

Filesize
24KB

Download
memory/2568-46-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2568-38-0x0000000000D50000-0x000000000105A000-memory.dmp

Filesize
3.0MB

Download