gcleaner | hxxp://5[.]42[.]65[.]64

Resubmissions

17/06/2024, 23:28

240617-3gbe5syekf 8

13/06/2024, 21:40

240613-1jl9ba1dmh 10

13/06/2024, 21:29

240613-1bx1va1amd 8

10/06/2024, 22:28

240610-2d5ddatejn 10

Analysis

max time kernel
299s
max time network
244s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://5.42.65.64

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

185.172.128.90

5.42.65.64

Attributes

url_path
/advdlc.php

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	inte.exe

Executes dropped EXE 1 IoCs

pid	Process
3768	inte.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
3976	3768	WerFault.exe	102
648	3768	WerFault.exe	102
4868	3768	WerFault.exe	102
1060	3768	WerFault.exe	102
4588	3768	WerFault.exe	102
4800	3768	WerFault.exe	102
2728	3768	WerFault.exe	102
2876	3768	WerFault.exe	102
1936	3768	WerFault.exe	102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
972	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133625321468719996"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4472	chrome.exe
4472	chrome.exe
5096	chrome.exe
5096	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4472	chrome.exe
4472	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeDebugPrivilege	972	taskkill.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 380	4472	chrome.exe	81
PID 4472 wrote to memory of 380	4472	chrome.exe	81
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 3692	4472	chrome.exe	82
PID 4472 wrote to memory of 2688	4472	chrome.exe	83
PID 4472 wrote to memory of 2688	4472	chrome.exe	83
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84
PID 4472 wrote to memory of 3188	4472	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://5.42.65.64
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb42beab58,0x7ffb42beab68,0x7ffb42beab78
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=1936,i,2080523213939685136,4498744433673580073,131072 /prefetch:2
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1892 --field-trial-handle=1936,i,2080523213939685136,4498744433673580073,131072 /prefetch:8
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1936,i,2080523213939685136,4498744433673580073,131072 /prefetch:8
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2756 --field-trial-handle=1936,i,2080523213939685136,4498744433673580073,131072 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2764 --field-trial-handle=1936,i,2080523213939685136,4498744433673580073,131072 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 --field-trial-handle=1936,i,2080523213939685136,4498744433673580073,131072 /prefetch:8
  2⤵
  PID:632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 --field-trial-handle=1936,i,2080523213939685136,4498744433673580073,131072 /prefetch:8
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4940 --field-trial-handle=1936,i,2080523213939685136,4498744433673580073,131072 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5084 --field-trial-handle=1936,i,2080523213939685136,4498744433673580073,131072 /prefetch:8
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 --field-trial-handle=1936,i,2080523213939685136,4498744433673580073,131072 /prefetch:8
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4448 --field-trial-handle=1936,i,2080523213939685136,4498744433673580073,131072 /prefetch:8
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4840 --field-trial-handle=1936,i,2080523213939685136,4498744433673580073,131072 /prefetch:8
  2⤵
  PID:3776
- C:\Users\Admin\Downloads\inte.exe
  "C:\Users\Admin\Downloads\inte.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 740
    3⤵
    - Program crash
    PID:3976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 780
    3⤵
    - Program crash
    PID:648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 740
    3⤵
    - Program crash
    PID:4868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 828
    3⤵
    - Program crash
    PID:1060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 904
    3⤵
    - Program crash
    PID:4588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1004
    3⤵
    - Program crash
    PID:4800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1124
    3⤵
    - Program crash
    PID:2728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1348
    3⤵
    - Program crash
    PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "inte.exe" /f & erase "C:\Users\Admin\Downloads\inte.exe" & exit
    3⤵
    PID:4748
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "inte.exe" /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1444
    3⤵
    - Program crash
    PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 --field-trial-handle=1936,i,2080523213939685136,4498744433673580073,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5096

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3768 -ip 3768
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3768 -ip 3768
1⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3768 -ip 3768
1⤵
PID:784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3768 -ip 3768
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3768 -ip 3768
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3768 -ip 3768
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3768 -ip 3768
1⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3768 -ip 3768
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3768 -ip 3768
1⤵
PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
851B

MD5
4b8d07c512aebee20b96bb0b4631091d

SHA1
5abdc800035a9c2df2e94cf3a5589c85661c4e49

SHA256
b640cd62e1ef997b74c9ac05ea2afdea451de42e9ad161864b876632c01d434c

SHA512
59cb543c6534a7ccc9e923865674197e261cf22b045a70d2324dbdebb575f822761c6bb27a22999a0453bd59fe9a45b1bc96a763584f043c70dea0c58dffe6ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
92e764573e970a977c2f6aab03495705

SHA1
f585f9a0bc1c792de9d1e90323579a66ff1b74c5

SHA256
0e8632eb4a634ed7a02984788dc15e1074bddb01f99302ba9b515ba766a9f373

SHA512
3d169c8cf2d47bc21e9695a13b05cd6c9352300763c1e44f2a016723107dc9bdd572667b2a3a7a6743ffe2dc8168476a51cec618700bf38505de3df1a9d24f5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5a678e986826b7171865d67e302e0c7d

SHA1
f34435da68d5237650a622d9fbf95cd8e391c445

SHA256
4ad8fe3bbbaafbb7793bbb3a9d6c5f030e1bac5e30d5e7df928e9e22669058d3

SHA512
19bf8801973d53d68fbd9405a1e058376b8e3e1448fa92085ef7ed2c5559e51f56e3518a6f8ffc3474ebebc532486d8c24acc4e34f0e8448a8d52c080c07ef28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
dbee8967e29813f4c479113e42d19d90

SHA1
17e44b36caa1465216ce3b2390e66418e5b80216

SHA256
056f1c4c8940958bdc93fd30610232f3bd3f0a22eaba024bd7b7f01ef2d24f54

SHA512
6217fcab776835824d041e254840ef30982c40dbb37773a1b4cb939ed0e1f65daa60f684dee3798ab8b18b8d76606411257db15106a988a78791700754ec2551

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 212446.crdownload

Filesize
220KB

MD5
cd0fd465ea4fd58cf58413dda8114989

SHA1
2ae37c14fa393dcbd68a57a49e3eecacf5be0b50

SHA256
a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe

SHA512
b05f3e05762a86aa672d3f4bed9dde6be4e9c946c02d18f470ee2542a1d5da1fa5eb4e6a33bffa8ba39e754e34cb53aa1accca8107aae218001c1a1110af371f

Download Submit
memory/3768-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3768-65-0x0000000003BA0000-0x0000000003BCD000-memory.dmp

Filesize
180KB

Download
memory/3768-64-0x0000000002200000-0x0000000002300000-memory.dmp

Filesize
1024KB

Download
memory/3768-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3768-68-0x0000000000400000-0x0000000001F82000-memory.dmp

Filesize
27.5MB

Download